feat: Add sanitizers for bash test commands

Author: Alvaro Muñoz

ql/lib/codeql/actions/Bash.qll

@@ -691,11 +691,32 @@ module Bash {
       // echo "FIELD=${VAR2:-default}" >> $GITHUB_ENV (field, file_write_value)
       script.getAnAssignment(var2, value2) and
       containsCmdSubstitution(value2, cmd) and
-      containsParameterExpansion(expr, var2, _, _)
+      containsParameterExpansion(expr, var2, _, _) and
+      not varMatchesRegexTest(script, var2, alphaNumericRegex())
     )
     or
     // var reaches the file write directly
     // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value)
     containsCmdSubstitution(expr, cmd)
   }
+
+  /**
+   * Holds if there test command that checks a variable against a regex
+   * eg: `[[ $VAR =~ ^[a-zA-Z0-9_]+$ ]]`
+   */
+  bindingset[var, regex]
+  predicate varMatchesRegexTest(BashShellScript script, string var, string regex) {
+    exists(string lhs, string rhs |
+      lhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 1) and
+      containsParameterExpansion(lhs, var, _, _) and
+      rhs = script.getACommand().regexpCapture(".*\\[\\[\\s*(.*?)\\s*=~\\s*(.*?)\\s*\\]\\].*", 2) and
+      trimQuotes(rhs).regexpMatch(regex)
+    )
+  }
+
+  /**
+   * Holds if the given regex is used to match an alphanumeric string
+   * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
+   */
+  string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" }
 }

ql/test/query-tests/Security/CWE-094/.github/workflows/test23.yml

@@ -0,0 +1,64 @@
+on:
+  workflow_run:
+
+jobs:
+  test:
+    runs-on: ubuntu-22.04
+    if: >
+      (github.event.workflow_run.event == 'pull_request' ||
+      github.event.workflow_run.event == 'pull_request_target') &&
+      github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: 'Download artifact'
+        uses: actions/github-script@v3.1.0
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "doc-build-artifact"
+            })[0];
+            var download = await github.actions.downloadArtifact({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              artifact_id: matchArtifact.id,
+              archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{steps.setup-env.outputs.current_work_dir}}/doc-build-artifact.zip', Buffer.from(download.data));
+
+      - run: |
+          mkdir build_dir
+          unzip doc-build-artifact.zip -d build_dir
+
+      - name: Get commit_sha & pr_number
+        id: github-context
+        run: |
+          content_commit_sha=$(cat ./build_dir/commit_sha)
+          if [[ $content_commit_sha =~ ^[0-9a-zA-Z]{40}$ ]]; then
+            echo "commit_sha=$content_commit_sha" >> $GITHUB_OUTPUT
+            rm -rf ./build_dir/commit_sha
+          else
+            echo "Encountered an invalid commit_sha"
+            exit 1
+          fi
+
+          content_pr_number=$(cat ./build_dir/pr_number)
+          if [[ $content_pr_number =~ ^[0-9]+$ ]]; then
+            echo "pr_number=$content_pr_number" >> $GITHUB_OUTPUT
+            rm -rf ./build_dir/pr_number
+          else
+            echo "Encountered an invalid pr_number"
+            exit 1
+          fi
+
+      - run: |
+          echo "hub_docs_url=pr_${{ steps.github-context.outputs.pr_number }}" >> $GITHUB_OUTPUT
+
+      - run: |
+          cd build_dir
+          doc-builder push --commit_msg "Updated with commit ${{ steps.github-context.outputs.commit_sha }}