Support bash heredoc

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -46,18 +46,39 @@ module Utils {
 
   bindingset[var]
   private string multilineAssignmentRegex(string var) {
+    // eg:
+    // echo "PR_TITLE<<EOF" >> $GITHUB_ENV
+    // echo "$TITLE" >> $GITHUB_ENV
+    // echo "EOF" >> $GITHUB_ENV
     result =
-      ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
+      ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
         + var.toUpperCase() + "(\\})?(\"|')?.*"
   }
 
   bindingset[var]
   private string multilineBlockAssignmentRegex(string var) {
+    // eg:
+    // {
+    //   echo 'JSON_RESPONSE<<EOF'
+    //   echo "$TITLE" >> "$GITHUB_ENV"
+    //   echo EOF
+    // } >> "$GITHUB_ENV"
     result =
-      ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
+      ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
         + var.toUpperCase() + "(\\})?(\"|')?.*"
   }
 
+  bindingset[var]
+  private string multilineHereDocAssignmentRegex(string var) {
+    // eg:
+    // cat <<-EOF >> "$GITHUB_ENV"
+    //   echo "FOO=$TITLE"
+    // EOF
+    result =
+      ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() +
+        "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*"
+  }
+
   bindingset[script, var]
   predicate extractMultilineAssignment(string script, string var, string key, string value) {
     // multiline assignment
@@ -87,6 +108,19 @@ module Utils {
               .splitAt("\n") + ")" and
       key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3))
     )
+    or
+    // multiline heredoc assignment
+    exists(string flattenedScript |
+      flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and
+      value =
+        trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3))
+            .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() +
+                "(\\})?(\"|')?", "")
+            .replaceAll("::NEW_LINE::", "\n")
+            .trim()
+            .splitAt("\n") and
+      key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2))
+    )
   }
 
   bindingset[line]

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -39,7 +39,10 @@ class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
  * that is used to construct and evaluate an environment variable.
  */
 private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    not source.(RemoteFlowSource).getSourceType() = "branch"
+  }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink }
 }

ql/src/Security/CWE-077/EnvPathInjection.ql

@@ -20,8 +20,10 @@ from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
 where
   EnvPathInjectionFlow::flowPath(source, sink) and
   (
+    // sink belongs to a composite action
     exists(sink.getNode().asExpr().getEnclosingCompositeAction())
     or
+    // sink belongs to a non-privileged job
     exists(Job j |
       j = sink.getNode().asExpr().getEnclosingJob() and
       not j.isPrivileged()

ql/src/Security/CWE-077/EnvVarInjection.ql

@@ -16,23 +16,29 @@ import actions
 import codeql.actions.security.EnvVarInjectionQuery
 import EnvVarInjectionFlow::PathGraph
 
+predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) {
+  (
+    not source.(RemoteFlowSource).getSourceType() = "artifact"
+    or
+    source.(RemoteFlowSource).getSourceType() = "artifact" and
+    sink instanceof EnvVarInjectionFromFileReadSink
+  )
+}
+
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
 where
   EnvVarInjectionFlow::flowPath(source, sink) and
   (
+    // sink belongs to a composite action
     exists(sink.getNode().asExpr().getEnclosingCompositeAction())
     or
+    // sink belongs to a non-privileged job
     exists(Job j |
       j = sink.getNode().asExpr().getEnclosingJob() and
       not j.isPrivileged()
     ) and
-    (
-      not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
-      or
-      source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-      sink.getNode() instanceof EnvVarInjectionFromFileReadSink
-    ) and
-    not source.getNode().(RemoteFlowSource).getSourceType() = "branch"
+    // exclude paths to file read sinks from non-artifact sources
+    artifactToFileRead(source.getNode(), sink.getNode())
   )
 select sink.getNode(), source, sink,
   "Potential environment variable injection in $@, which may be controlled by an external user.",

ql/src/Security/CWE-077/PrivilegedEnvPathInjection.ql

@@ -19,10 +19,8 @@ import EnvPathInjectionFlow::PathGraph
 from EnvPathInjectionFlow::PathNode source, EnvPathInjectionFlow::PathNode sink
 where
   EnvPathInjectionFlow::flowPath(source, sink) and
-  exists(Job j |
-    j = sink.getNode().asExpr().getEnclosingJob() and
-    j.isPrivileged()
-  ) and
+  // sink belongs to a privileged job
+  sink.getNode().asExpr().getEnclosingJob().isPrivileged() and
   (
     not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
     or

ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql

@@ -16,20 +16,22 @@ import actions
 import codeql.actions.security.EnvVarInjectionQuery
 import EnvVarInjectionFlow::PathGraph
 
+predicate artifactToFileRead(DataFlow::Node source, DataFlow::Node sink) {
+  (
+    not source.(RemoteFlowSource).getSourceType() = "artifact"
+    or
+    source.(RemoteFlowSource).getSourceType() = "artifact" and
+    sink instanceof EnvVarInjectionFromFileReadSink
+  )
+}
+
 from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
 where
   EnvVarInjectionFlow::flowPath(source, sink) and
-  exists(Job j |
-    j = sink.getNode().asExpr().getEnclosingJob() and
-    j.isPrivileged()
-  ) and
-  (
-    not source.getNode().(RemoteFlowSource).getSourceType() = "artifact"
-    or
-    source.getNode().(RemoteFlowSource).getSourceType() = "artifact" and
-    sink.getNode() instanceof EnvVarInjectionFromFileReadSink
-  ) and
-  not source.getNode().(RemoteFlowSource).getSourceType() = "branch"
+  // sink belongs to a privileged job
+  sink.getNode().asExpr().getEnclosingJob().isPrivileged() and
+  // exclude paths to file read sinks from non-artifact sources
+  artifactToFileRead(source.getNode(), sink.getNode())
 select sink.getNode(), source, sink,
   "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
   sink, sink.getNode().toString()

ql/test/query-tests/Security/CWE-077/.github/workflows/test4.yml

@@ -42,12 +42,19 @@ jobs:
       - env:
           TITLE: ${{ github.event.pull_request.title }}
         run: |
-          cat <<-"EOF" >> "$GITHUB_ENV"
+          cat <<-EOF >> "$GITHUB_ENV"
             echo "FOO=$TITLE"
           EOF
       - env:
           TITLE: ${{ github.event.pull_request.head.ref }}
         run: |
           echo "PR_TITLE=$TITLE" >> $GITHUB_ENV
+      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
+        env:
+          TARGET_BRANCH: ${{ github.head_ref }}
+      - run: echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV
+        env:
+          TARGET_BRANCH: ${{ github.event.pull_request.title }}
+
 
 

ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected

@@ -7,7 +7,8 @@ edges
 | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
 | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
 | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
@@ -26,8 +27,10 @@ nodes
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
-| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n |
+| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
 subpaths

ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected

@@ -7,7 +7,8 @@ edges
 | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
 | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
 | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
 nodes
 | .github/workflows/test2.yml:12:9:41:6 | Uses Step | semmle.label | Uses Step |
@@ -26,8 +27,10 @@ nodes
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | semmle.label | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n | semmle.label | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
-| .github/workflows/test4.yml:49:19:49:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
-| .github/workflows/test4.yml:50:14:51:48 | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n | semmle.label | echo "PR_TITLE=$TITLE" >> $GITHUB_ENV\n |
+| .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n | semmle.label | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n |
+| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | semmle.label | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
+| .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/test5.yml:10:9:30:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | semmle.label | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |
 subpaths
@@ -40,4 +43,6 @@ subpaths
 | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | .github/workflows/test4.yml:23:19:23:56 | github.event.pull_request.title | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:24:14:27:36 | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n | echo "PR_TITLE<<EOF" >> $GITHUB_ENV\necho "$TITLE" >> $GITHUB_ENV\necho "EOF" >> $GITHUB_ENV\n |
 | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | .github/workflows/test4.yml:29:19:29:56 | github.event.pull_request.title | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:30:14:33:40 | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n | echo "PACKAGES_FILE_LIST<<EOF" >> "${GITHUB_ENV}"\necho "$TITLE" >> "${GITHUB_ENV}"\necho "EOF" >> "${GITHUB_ENV}"\n |
 | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/test4.yml:35:19:35:56 | github.event.pull_request.title | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:36:14:41:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  echo "$TITLE" >> "$GITHUB_ENV"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
+| .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n | .github/workflows/test4.yml:43:19:43:56 | github.event.pull_request.title | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:44:14:47:14 | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n | cat <<-EOF >> "$GITHUB_ENV"\n  echo "FOO=$TITLE"\nEOF\n |
+| .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | .github/workflows/test4.yml:57:27:57:64 | github.event.pull_request.title | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:55:14:55:70 | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV | echo "BRANCH=$(echo ${TARGET_BRANCH##*/})" >> $GITHUB_ENV |
 | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | .github/workflows/test5.yml:10:9:30:6 | Uses Step | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:33:14:36:62 | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n | echo "PR_NUM=$(cat coverage/pr_num.txt)" >> $GITHUB_ENV\necho "BASE=$(cat coverage/base.txt)" >> $GITHUB_ENV\necho "HEAD=$(cat coverage/head.txt)" >> $GITHUB_ENV\n |