tests: update tests

Alvaro Muñoz · Alvaro Muñoz · commit f76d4d67d990 · 2024-10-29T22:31:15.000+01:00
diff --git a/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml b/ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml
@@ -60,6 +60,20 @@ jobs:
       id: git-commit
       if: steps.search-patch.outputs.result
       run: |
+          set -x
+          # Set initial placeholder name/mail and read it from the patch later
+          git config --global user.email 'foo@bar'
+          git config --global user.name 'Foo Bar'
+          
+          git am version_increments.patch
+          
+          # Read the author's name+mail from the just applied patch and recommit it with both set as committer
+          botMail=$(git log -1 --pretty=format:'%ae')
+          botName=$(git log -1 --pretty=format:'%an')
+          git config --global user.email "${botMail}"
+          git config --global user.name "${botName}"
+          git commit --amend --no-edit
+          
           fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)
           echo "file-list<<EOF" >> $GITHUB_OUTPUT
           echo "$fileList" >> $GITHUB_OUTPUT
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -13,8 +13,8 @@ edges
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance |  |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance |  |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | provenance |  |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
@@ -234,10 +234,10 @@ nodes
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:88:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
@@ -623,8 +623,8 @@ subpaths
 | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:19:19:19:48 | github.event.issue.body | ${{ github.event.issue.body }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
 | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | .github/workflows/composite-action-caller-3.yml:12:19:12:50 | github.event.comment.body | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/actions/action5/action.yml:34:19:34:37 | inputs.taint | ${{ inputs.taint }} | .github/workflows/composite-action-caller-3.yml:3:3:3:15 | issue_comment | issue_comment |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | .github/workflows/composite-action-caller-4.yml:14:19:14:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | ${{ inputs.title }} | .github/workflows/composite-action-caller-4.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:84:28:84:71 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:84:75 | set -x\n# Set initial placeholder name/mail and read it from the patch later\ngit config --global user.email 'foo@bar'\ngit config --global user.name 'Foo Bar'\n\ngit am version_increments.patch\n\n# Read the author's name+mail from the just applied patch and recommit it with both set as committer\nbotMail=$(git log -1 --pretty=format:'%ae')\nbotName=$(git log -1 --pretty=format:'%an')\ngit config --global user.email "${botMail}"\ngit config --global user.name "${botName}"\ngit commit --amend --no-edit\n\nfileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:94:30:94:70 | steps.git-commit.outputs.file-list | ${{ steps.git-commit.outputs.file-list }} | .github/workflows/test22.yml:2:3:2:14 | workflow_run | workflow_run |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-3.yml:10:15:10:52 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | ${{ env.log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user ($@). | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} | .github/workflows/reusable-workflow-caller-3.yml:4:3:4:21 | pull_request_target | pull_request_target |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
