Update tests

Author: Alvaro Muñoz

ql/test/library-tests/test.expected

@@ -21,8 +21,6 @@ query predicate extJobs(ExternalJob s) { any() }
 
 query predicate steps(Step s) { any() }
 
-query predicate runSteps(Run run, string body) { run.getScript() = body }
-
 query predicate runExprs(Run s, Expression e) { e = s.getAnScriptExpr() }
 
 query predicate uses(Uses s) { any() }
@@ -59,8 +57,6 @@ query predicate summaries(
   actionsSummaryModel(action, version, input, output, kind, provenance)
 }
 
-query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() }
-
 query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression }
 
 query string testNormalizeExpr(string s) {
@@ -86,57 +82,6 @@ query predicate writeToGitHubEnv1(string content) {
   )
 }
 
-query predicate writeToGitHubEnv(string key, string value, string content) {
-  exists(string t |
-    t =
-      [
-        // block
-        "{\n  echo 'VAR0<<EOF'\n  echo \"$TITLE\"\n  echo EOF\n} >> \"$GITHUB_ENV\"\n",
-        "{\necho 'VAR1<<EOF'\necho \"$TITLE\"\necho EOF\n} >> \"$GITHUB_ENV\"",
-        "{\necho 'VAR2<<EOF'\necho '$ISSUE'\necho 'EOF'\n} >> \"$GITHUB_ENV\"",
-        "FOO\n{\n  echo 'VAR22<<EOF'\n  ls | grep -E \"*.(tar.gz|zip)$\"\n  echo EOF\n  } >> \"$GITHUB_ENV\"\nBAR",
-        // multiline
-        "FOO\necho \"VAR3<<EOF\" >> $GITHUB_ENV\necho \"$TITLE\" >> $GITHUB_ENV\necho \"EOF\" >> $GITHUB_ENV\nBAR",
-        "echo \"PACKAGES_FILE_LIST<<EOF\" >> \"${GITHUB_ENV}\"\nls | grep -E \"*.(tar.gz|zip)$\" >> \"${GITHUB_ENV}\"\nls | grep -E \"*.(txt|md)$\" >> \"${GITHUB_ENV}\"\necho \"EOF\" >> \"${GITHUB_ENV}\"",
-        // heredoc 1
-        "cat >> $GITHUB_ENV << EOL\nVAR4=${ISSUE_BODY1}\nEOL",
-        "cat > $GITHUB_ENV << EOL\nVAR5<<DELIM\nHello\nWorld\nDELIM\nEOL",
-        // heredoc 2
-        "cat << EOL >> $GITHUB_ENV\nVAR6=${ISSUE_BODY3}\nEOL\n",
-        "cat <<EOF |  sed 's/l/e/g' > $GITHUB_ENV\nVAR7<<DELIM\nHello\nWorld\nDELIM\nEOF\n",
-        "\ncat <<-EOF >> \"$GITHUB_ENV\"\nVAR8=$(echo \"FOO\")\nVAR9<<DELIM\nHello\nWorld\nDELIM\nEOF",
-        // single line
-        "\necho \"::set-env name=VAR10::$(<pr-id1.txt)\"",
-        "echo '::set-env name=VAR11::$(<pr-id2.txt)'", "echo ::set-env name=VAR12::$(<pr-id3.txt)",
-        "echo \"VAR13=$(<test-results1/sha-number)\" >> $GITHUB_ENV",
-        "echo 'VAR14=$(<test-results2/sha-number)' >> $GITHUB_ENV",
-        "echo VAR15=$(<test-results3/sha-number) >> $GITHUB_ENV",
-        "echo VAR16=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') >> $GITHUB_ENV",
-      ] and
-    Bash::extractFileWrite(t, "GITHUB_ENV", content) and
-    Bash::extractVariableAndValue(content, key, value)
-  )
-}
-
-query predicate writeToGitHubOutput(string key, string value, string content) {
-  exists(string t |
-    t =
-      [
-        "echo \"::set-output name=VAR1::$(<pr-id1.txt)\"",
-        "echo '::set-output name=VAR2::$(<pr-id2.txt)'",
-        "echo ::set-output name=VAR3::$(<pr-id3.txt)",
-        "echo \"VAR4=$(<test-results1/sha-number)\" >> $GITHUB_OUTPUT",
-        "echo 'VAR5=$(<test-results2/sha-number)' >> $GITHUB_OUTPUT",
-        "echo VAR6=$(<test-results3/sha-number) >> $GITHUB_OUTPUT",
-        "echo VAR7=$(<test-results4/sha-number) >> \"$GITHUB_OUTPUT\"",
-        "echo VAR8=$(<test-results5/sha-number) >> ${GITHUB_OUTPUT}",
-        "echo VAR9=$(<test-results6/sha-number) >> \"${GITHUB_OUTPUT}\"",
-      ] and
-    Bash::extractFileWrite(t, "GITHUB_OUTPUT", content) and
-    Bash::extractVariableAndValue(content, key, value)
-  )
-}
-
 query predicate isBashParameterExpansion(string parameter, string operator, string params) {
   exists(string test |
     test =

ql/test/library-tests/test.ql

@@ -0,0 +1,36 @@
+on:
+  workflow_call:
+    inputs:
+      comment:
+        type: string
+        required: true
+    outputs:
+      SHOULD_RUN:
+        value: ${{ jobs.resolve.outputs.SHOULD_RUN }}
+      GIT_REF:
+        value: ${{ jobs.resolve.outputs.GIT_REF }}
+jobs:
+  resolve:
+    runs-on: ubuntu-latest
+    outputs:
+      SHOULD_RUN: ${{ steps.resolve-step.outputs.SHOULD_RUN }}
+      GIT_REF: ${{ steps.resolve-step.outputs.GIT_REF }}
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - if: github.event_name == 'workflow_run'
+        uses: ./.github/actions/download-artifact
+      - id: resolve-step
+        env:
+          ALLOWED_COMMENT: ${{ inputs.comment }}
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            if [[ "$(head -n 1 /tmp/artifacts/metadata.txt)" == *"$ALLOWED_COMMENT"* ]]; then
+               echo SHOULD_RUN=true >> "$GITHUB_OUTPUT"
+            else
+               echo SHOULD_RUN=false >> "$GITHUB_OUTPUT"
+            fi
+            echo GIT_REF="$(tail -n 1 /tmp/artifacts/metadata.txt)" >> "$GITHUB_OUTPUT"
+          else
+            echo SHOULD_RUN=true >> "$GITHUB_OUTPUT"
+            echo GIT_REF="" >> "$GITHUB_OUTPUT"
+          fi

ql/test/query-tests/Security/CWE-829/.github/workflows/resolve-args.yml

@@ -0,0 +1,22 @@
+on:
+  schedule:
+    - cron: '7 18 * * *'
+  workflow_run:
+    workflows: [Trigger]
+    types: [completed]
+  workflow_dispatch:
+jobs:
+  resolve:
+    if: (github.repository == 'test/test' && (github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success')) || github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/resolve-args.yml
+    with:
+      comment: "foo"
+  scale:
+    permissions:
+      id-token: write
+      statuses: write
+    needs: [resolve]
+    if: needs.resolve.outputs.SHOULD_RUN == 'true'
+    uses: ./.github/workflows/test27.yml
+    with:
+      git_ref: ${{ needs.resolve.outputs.GIT_REF }}

ql/test/query-tests/Security/CWE-829/.github/workflows/test26.yml

@@ -0,0 +1,22 @@
+on:
+  workflow_dispatch:
+    inputs:
+      git_ref:
+        description: ref
+        type: string
+  workflow_call:
+    inputs:
+      git_ref:
+        type: string
+jobs:
+  run:
+    permissions:
+      id-token: write
+      statuses: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ inputs.git_ref }}
+      - run: |
+          ./cmd

ql/test/query-tests/Security/CWE-829/.github/workflows/test27.yml

@@ -0,0 +1,20 @@
+on:
+  pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened, labeled, unlabeled]
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  setup-environment:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'major-update') && (github.actor == 'renovate[bot]' || contains(github.event.pull_request.labels.*.name, 'renovatebot')) }}
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+        with:
+          ref: ${{ github.head_ref }}
+      - run: make foo

ql/test/query-tests/Security/CWE-829/.github/workflows/test28.yml

@@ -7,6 +7,7 @@ edges
 | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step |
 | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
+| .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
@@ -172,6 +173,9 @@ edges
 | .github/workflows/pr-workflow.yml:453:9:459:6 | Uses Step | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step |
 | .github/workflows/pr-workflow.yml:459:9:462:6 | Run Step | .github/workflows/pr-workflow.yml:462:9:463:48 | Run Step: ok |
 | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step |
+| .github/workflows/resolve-args.yml:19:9:20:6 | Uses Step | .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step |
+| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step |
+| .github/workflows/resolve-args.yml:20:9:22:6 | Uses Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
 | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step |
 | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step |
 | .github/workflows/test1.yml:21:9:24:6 | Run Step | .github/workflows/test1.yml:24:9:25:39 | Run Step |
@@ -279,6 +283,8 @@ edges
 | .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan |
 | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step |
 | .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step |
+| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step |
+| .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
@@ -318,10 +324,8 @@ edges
 | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml |
 | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml |
 | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml |
-| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
 | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
 | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
-| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
 | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
 | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |
 | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | .github/workflows/poc2.yml |
@@ -338,10 +342,10 @@ edges
 | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
 | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | .github/workflows/test7.yml |
-| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:7:3:7:19 | workflow_dispatch | .github/workflows/test10.yml |
 | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | .github/workflows/test10.yml |
 | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | .github/workflows/test11.yml |
 | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | .github/workflows/test17.yml |
+| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | .github/workflows/test26.yml |
 | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | .github/workflows/untrusted_checkout3.yml |
 | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |
 | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | .github/workflows/untrusted_checkout4.yml |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -1,6 +1,9 @@
 | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |