JS: Add sources from actions/core

asgerf · asgerf · commit 08785a4063f2 · 2023-05-01T11:42:17.000+02:00
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll b/javascript/ql/lib/semmle/javascript/frameworks/ActionsLib.qll
@@ -33,6 +33,9 @@ private API::Node taintSource() {
   result = commitObj().getMember("message")
   or
   result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"])
+  or
+  result =
+    API::moduleImport("@actions/core").getMember(["getInput", "getMultilineInput"]).getReturn()
 }
 
 private class GitHubActionsSource extends RemoteFlowSource {
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/CodeInjection.expected
@@ -16,6 +16,13 @@ nodes
 | actions.js:5:10:5:50 | github. ... message |
 | actions.js:5:10:5:50 | github. ... message |
 | actions.js:5:10:5:50 | github. ... message |
+| actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:7:10:7:42 | core.ge ... mbers') |
+| actions.js:7:10:7:42 | core.ge ... mbers') |
+| actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:53 | core.ge ... n('\\n') |
 | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:10:22:10:36 | location.search |
@@ -195,6 +202,11 @@ edges
 | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
 | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
 | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message |
+| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
 | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search |
 | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search |
@@ -311,6 +323,8 @@ edges
 | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value |
 | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value |
 | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | This code execution depends on a $@. | actions.js:5:10:5:50 | github. ... message | user-provided value |
+| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | This code execution depends on a $@. | actions.js:6:10:6:33 | core.ge ... mbers') | user-provided value |
+| actions.js:7:10:7:53 | core.ge ... n('\\n') | actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | This code execution depends on a $@. | actions.js:7:10:7:42 | core.ge ... mbers') | user-provided value |
 | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. | angularjs.js:10:22:10:36 | location.search | user-provided value |
 | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value |
 | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. | angularjs.js:16:28:16:42 | location.search | user-provided value |
diff --git a/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected b/javascript/ql/test/query-tests/Security/CWE-094/CodeInjection/HeuristicSourceCodeInjection.expected
@@ -16,6 +16,13 @@ nodes
 | actions.js:5:10:5:50 | github. ... message |
 | actions.js:5:10:5:50 | github. ... message |
 | actions.js:5:10:5:50 | github. ... message |
+| actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:7:10:7:42 | core.ge ... mbers') |
+| actions.js:7:10:7:42 | core.ge ... mbers') |
+| actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:53 | core.ge ... n('\\n') |
 | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:10:22:10:36 | location.search |
@@ -199,6 +206,11 @@ edges
 | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
 | NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
 | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message |
+| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
+| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
 | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search |
 | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search |
 | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search |

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,9 @@ private API::Node taintSource() {`
`33`	`33`	`result = commitObj().getMember("message")`
`34`	`34`	`or`
`35`	`35`	`result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"])`
	`36`	`+ or`
	`37`	`+ result =`
	`38`	`+ API::moduleImport("@actions/core").getMember(["getInput", "getMultilineInput"]).getReturn()`
`36`	`39`	`}`
`37`	`40`
`38`	`41`	`private class GitHubActionsSource extends RemoteFlowSource {`