
Commit 082b4c3

author
Alvaro Muñoz
committed
Add poisonable step for pip install .
1 parent afb7967 commit 082b4c3


6 files changed

+83
-5
lines changed


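--- a/ql/lib/ext/config/poisonable_steps.yml
+++ b/ql/lib/ext/config/poisonable_steps.yml
@@ -41,9 +41,9 @@ extensions:
 - ["pre-commit"]
 - ["prettier"]
 - ["phpstan"]
-- ["pip\\s+install\\s+-r"]
-- ["pip\\s+install\\s+--requirement"]
-- ["pipx\\s+install\\s+\\."]
+- ["pip\\s+install(.*)\\s+-r"]
+- ["pip\\s+install(.*)\\s+--requirement"]
+- ["pip(x)?\\s+install(.*)\\s+\\."]
 - ["poetry"]
 - ["pylint"]
 - ["pytest"]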
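Review bot: The rewritten rows still require the literal token `pip` or `pipx` directly before the whitespace, so `pip3 install .` and `pip3 install -r …` are not matched by any of the three new patterns unless a row outside this hunk covers them; `pip(3|x)?\\s+install` on the last row, and `pip3?\\s+install` on the two `-r`/`--requirement` rows, would close that gap. Separately, the unbounded `(.*)` between `install` and the trailing argument can span a command separator, so a chained step such as `pip install foo && other-tool -r x` is now reported as a requirements install; bounding the slot with `([^&;|]*)` keeps the intended `pip install --upgrade -r …` and `pip install --no-deps .` matches while excluding later commands on the same line. The `extensions:` mapping these rows belong to starts outside the hunk.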
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
name: Test WR
2+
3+
on:
4+
workflow_run:
5+
workflows:
6+
- Test
7+
types:
8+
- completed
9+
10+
permissions:
11+
contents: write
12+
pull-requests: write
13+
14+
jobs:
15+
setup:
16+
name: Setup
17+
runs-on: ubuntu-24.04
18+
outputs:
19+
github-sha: ${{ steps.get-sha.outputs.sha }}
20+
chart-version: ${{ steps.get-version.outputs.chart_version }}
21+
steps:
22+
- name: Get triggering event SHA
23+
id: get-sha
24+
run: |
25+
if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
26+
echo sha="${{ inputs.checkout_ref }}" >> $GITHUB_OUTPUT
27+
elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
28+
echo sha="${{ github.event.workflow_run.head_sha }}" >> $GITHUB_OUTPUT
29+
elif [[ "${{ github.event_name }}" == "push" ]]; then
30+
echo sha="${{ github.sha }}" >> $GITHUB_OUTPUT
31+
else
32+
echo "Invalid event type"
33+
exit 1
34+
fi
35+
- name: Checkout Source Code
36+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
37+
with:
38+
persist-credentials: false
39+
ref: ${{ steps.get-sha.outputs.sha }}
40+
fetch-depth: 0
41+
- name: Get version
42+
id: get-version
43+
run: |
44+
echo "chart_version=$(<ERSION)" | tee -a $GITHUB_OUTPUT
45+
46+
push:
47+
name: Push
48+
runs-on: ubuntu-24.04
49+
needs: setup
50+
steps:
51+
- run: |
52+
echo ${{ needs.setup.outputs.chart-version }}
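Review bot: The `get-sha` step branches on `workflow_dispatch` and `push`, but this fixture's `on:` declares only `workflow_run`, so those two branches and the `inputs.checkout_ref` they read are unreachable here; either trim the step to the `workflow_run` branch or add a comment saying the extra branches deliberately mirror a real-world workflow so the query sees realistic shape. A one-line header comment above `name:` stating what the fixture exercises would also help, e.g. `# Fixture: workflow_run checkout of head_sha, repo file read into a job output, then used unquoted in run:`. The `get-version` step reads as `$(<ERSION)` on this page, which looks like a rendering artifact of a shell redirect such as `$(<VERSION)` — the .expected files below show the same text, so it is worth confirming against the checked-in file. This section's file path is not shown on the page.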

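--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -206,6 +206,11 @@ edges
 | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | |
 | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | |
 | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | |
+| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | |
+| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | |
+| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance | |
+| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance | |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | |
@@ -602,6 +607,12 @@ nodes
 | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
 | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
 | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
+| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] |
+| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version |
+| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
+| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
+| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -784,6 +795,7 @@ subpaths
 | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
 | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
 | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
+| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | ${{ needs.setup.outputs.chart-version }} | .github/workflows/test27.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |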

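--- a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -206,6 +206,11 @@ edges
 | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance | |
 | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance | |
 | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance | |
+| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | provenance | |
+| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | provenance | |
+| .github/workflows/test27.yml:35:9:41:6 | Uses Step | .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | provenance | |
+| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | provenance | |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance | |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance | |
@@ -602,6 +607,12 @@ nodes
 | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
 | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
 | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
+| .github/workflows/test27.yml:19:7:21:4 | Job outputs node [chart-version] | semmle.label | Job outputs node [chart-version] |
+| .github/workflows/test27.yml:20:23:20:68 | steps.get-version.outputs.chart_version | semmle.label | steps.get-version.outputs.chart_version |
+| .github/workflows/test27.yml:35:9:41:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test27.yml:41:9:46:2 | Run Step: get-version [chart_version] | semmle.label | Run Step: get-version [chart_version] |
+| .github/workflows/test27.yml:43:14:44:66 | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n | semmle.label | echo "chart_version=$(<ERSION)" \| tee -a $GITHUB_OUTPUT\n |
+| .github/workflows/test27.yml:52:17:52:56 | needs.setup.outputs.chart-version | semmle.label | needs.setup.outputs.chart-version |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |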

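--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
@@ -57,3 +57,4 @@ jobs:
 echo "BENCHEOF" >> $GITHUB_OUTPUT
 shell: bash
 - run: python2.7 foo.py
+- run: pip install --no-deps .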
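Review bot: The added step exercises only the `pip install … .` form of the rewritten `pip(x)?\\s+install(.*)\\s+\\.` row; the `pipx` alternative and the new `(.*)` option slot in the `-r`/`--requirement` rows have no fixture in this hunk, so a regression in either would pass unnoticed unless another test covers them. Adding `- run: pipx install .` and `- run: pip install --upgrade -r requirements.txt` as further steps, with the matching `.expected` rows, would pin all three rewritten patterns. The `jobs:` mapping this step belongs to starts outside the hunk.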

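--- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
+++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -210,7 +210,8 @@ edges
 | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
 | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr |
-| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:60:6 | Run Step |
+| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:60:9:60:37 | Run Step |
 | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step |
 | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step |
 | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step |
@@ -351,7 +352,8 @@ edges
 | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
 | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
 | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |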
