Add CmdI test

Alvaro Muñoz · Alvaro Muñoz · commit ff17d1dcb1d2 · 2024-10-14T12:50:11.000+02:00
diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql
@@ -18,7 +18,9 @@ import PartialFlow::PartialPathGraph
 private module MyConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
-    source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
+    //source.getLocation().getFile().getBaseName() = "non-existant-test.yml"
+    source.getLocation().getFile().getBaseName() = "test16.yml" and
+    source.getLocation().getStartLine() = 125
   }
 
   predicate isSink(DataFlow::Node sink) { none() }
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test16.yml
@@ -0,0 +1,231 @@
+name: 📤 Preview Deploy
+
+on:
+    workflow_run:
+        workflows:
+            - 🎬 Setup
+        types:
+            - completed
+
+permissions:
+    contents: read
+    pull-requests: write
+
+jobs:
+    setup:
+        if: ${{ github.event.workflow_run.conclusion == 'success' }}
+        runs-on: ubuntu-latest
+
+        outputs:
+            id: ${{ steps.pr.outputs.value }}
+            ref: ${{ steps.ref.outputs.value }}
+            repo: ${{ steps.repo.outputs.value }}
+
+        steps:
+            # Get PR id from artifact
+            - name: download pr artifact
+              uses: dawidd6/action-download-artifact@v2
+              with:
+                  workflow: ${{ github.event.workflow_run.workflow_id }}
+                  run_id: ${{ github.event.workflow_run.id }}
+                  name: pr-id
+
+            - name: get PR id
+              id: pr
+              run: echo "value=$(<pr-id.txt)" >> $GITHUB_OUTPUT
+
+            # Get PR ref from artifact
+            - name: download pr artifact
+              uses: dawidd6/action-download-artifact@v2
+              with:
+                  workflow: ${{ github.event.workflow_run.workflow_id }}
+                  run_id: ${{ github.event.workflow_run.id }}
+                  name: pr-ref
+
+            - name: get PR ref
+              id: ref
+              run: echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT
+
+            # Get PR repo from artifact
+            - name: download pr artifact
+              uses: dawidd6/action-download-artifact@v2
+              with:
+                  workflow: ${{ github.event.workflow_run.workflow_id }}
+                  run_id: ${{ github.event.workflow_run.id }}
+                  name: pr-repo
+
+            - name: get PR repo
+              id: repo
+              run: echo "value=$(<pr-repo.txt)" >> $GITHUB_OUTPUT
+
+    prepare:
+        runs-on: ubuntu-latest
+        needs: [setup]
+
+        steps:
+            # ================= Create Comment =================
+            - name: 🧽 Find And Delete Comment
+              uses: peter-evans/find-comment@v2
+              if: ${{ needs.setup.outputs.id != '' }}
+              id: fc
+              with:
+                  issue-number: ${{ needs.setup.outputs.id }}
+                  comment-author: 'github-actions[bot]'
+                  body-includes: View Deployment
+
+            - name: 📝 Create or update comment
+              uses: peter-evans/create-or-update-comment@v3
+              if: ${{ needs.setup.outputs.id != '' }}
+              with:
+                  comment-id: ${{ steps.fc.outputs.comment-id }}
+                  issue-number: ${{ needs.setup.outputs.id }}
+                  body: |
+                      ## View Deployment
+
+                      [#${{ github.run_id }}](https://github.com/dream-num/univer/actions/runs/${{ github.run_id }})
+
+                      <p align="center">
+                        🥐 🍔 🥓 🥗 🥘 🌯 🍚 🍛 🍖 🍭 🍧 🍝 🥪 🥖 🍪 <br />
+                        Still cooking, please come back later <br />
+                        🥙 🥮 🥨 🌭 🍦 🍙 🍕 🍰 🍮 🍜 🍡 🍱 🍿 🍕 🥟
+                      </p>
+                  edit-mode: replace
+
+    build-demo:
+        runs-on: ubuntu-latest
+        needs: [setup]
+
+        outputs:
+            preview-url: ${{ steps.vercel-demo-dev.outputs.preview-url == '' && steps.vercel-demo.outputs.preview-url || steps.vercel-demo-dev.outputs.preview-url }}
+            commit-message: ${{ steps.commit-message.outputs.value }}
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                  repository: ${{ needs.setup.outputs.repo }}
+                  ref: ${{ needs.setup.outputs.ref }}
+
+            - name: Setup pnpm
+              uses: pnpm/action-setup@v4
+              with:
+                  run_install: false
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: 20
+                  cache: pnpm
+
+            - name: Install dependencies
+              run: pnpm install
+
+            - name: Get commit message
+              id: commit-message
+              run: echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT
+
+            #  ================= Deploy Demo =================
+            - name: 📦 Build demo
+              run: pnpm build:demo
+
+            - name: Copy demo to workspace
+              run: |
+                  mkdir .workspace
+                  cp -r ./examples/local/* .workspace
+
+            - name: 🚀 Deploy to Vercel (demo)
+              uses: amondnet/vercel-action@v25
+              if: ${{ needs.setup.outputs.ref == '' }}
+              id: vercel-demo
+              with:
+                  vercel-token: ${{ secrets.VERCEL_TOKEN }}
+                  vercel-org-id: ${{ secrets.ORG_ID }}
+                  vercel-project-id: ${{ secrets.PROJECT_ID}}
+                  vercel-args: --prod
+
+            - name: 🚀 Deploy to Vercel (demo)
+              uses: amondnet/vercel-action@v25
+              if: ${{ needs.setup.outputs.ref != '' }}
+              id: vercel-demo-dev
+              with:
+                  vercel-token: ${{ secrets.VERCEL_TOKEN }}
+                  vercel-org-id: ${{ secrets.ORG_ID }}
+                  vercel-project-id: ${{ secrets.PROJECT_ID}}
+
+    build-storybook:
+        runs-on: ubuntu-latest
+        needs: [setup]
+
+        outputs:
+            preview-url: ${{ steps.vercel-storybook-dev.outputs.preview-url == '' && steps.vercel-storybook.outputs.preview-url || steps.vercel-storybook-dev.outputs.preview-url }}
+
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+              with:
+                  repository: ${{ needs.setup.outputs.repo }}
+                  ref: ${{ needs.setup.outputs.ref }}
+
+            - name: Setup pnpm
+              uses: pnpm/action-setup@v4
+              with:
+                  run_install: false
+
+            - name: Setup Node.js
+              uses: actions/setup-node@v4
+              with:
+                  node-version: 20
+                  cache: pnpm
+
+            - name: Install dependencies
+              run: pnpm install
+
+            # ================= Deploy Storybook =================
+            - name: 📦 Build storybook
+              run: pnpm storybook:build
+
+            - name: 🚀 Deploy to Vercel (demo)
+              uses: amondnet/vercel-action@v25
+              if: ${{ needs.setup.outputs.ref == '' }}
+              id: vercel-storybook
+              with:
+                  vercel-token: ${{ secrets.VERCEL_TOKEN }}
+                  vercel-org-id: ${{ secrets.ORG_ID }}
+                  vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}}
+                  vercel-args: --prod
+
+            - name: 🚀 Deploy to Vercel (storybook)
+              uses: amondnet/vercel-action@v25
+              if: ${{ needs.setup.outputs.ref != '' }}
+              id: vercel-storybook-dev
+              with:
+                  vercel-token: ${{ secrets.VERCEL_TOKEN }}
+                  vercel-org-id: ${{ secrets.ORG_ID }}
+                  vercel-project-id: ${{ secrets.PROJECT_ID_STORYBOOK}}
+
+    notify:
+        runs-on: ubuntu-latest
+        needs: [setup, build-demo, build-storybook]
+
+        steps:
+            - name: Invoke deployment hook
+              uses: actions/github-script@v3
+              with:
+                  script: >
+                      {
+                          "type": "build",
+                          "workflow": {
+                              "id": "${{ github.run_id }}"
+                          },
+                          "commit": {
+                              "ref": "${{ needs.setup.outputs.ref }}",
+                              "message": "${{ needs.build-demo.outputs.commit-message }}",
+                              "id": "${{ github.event.workflow_run.head_commit.id }}",
+                              "author": "${{ github.event.workflow_run.head_commit.author.name }}"
+                          },
+                          "preview": {
+                              "📑 Examples": "${{ needs.build-demo.outputs.preview-url }}/",
+                              "📚 Storybook": "${{ needs.build-storybook.outputs.preview-url }}/"
+                          }
+                      }
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -145,6 +145,16 @@ edges
 | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:23:5:29:2 | Job: test3 [TITLE] | provenance |  |
 | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | provenance |  |
 | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | provenance |  |
+| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | provenance |  |
+| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | provenance |  |
+| .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | provenance | Config |
+| .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | provenance | Config |
+| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | provenance |  |
+| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | provenance |  |
+| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | provenance |  |
+| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | provenance |  |
+| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | provenance |  |
+| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -449,6 +459,19 @@ nodes
 | .github/workflows/test15.yml:30:5:36:37 | Job: test4 [TITLE] | semmle.label | Job: test4 [TITLE] |
 | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | semmle.label | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n |
 | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | semmle.label | env.TITLE |
+| .github/workflows/test16.yml:20:13:24:8 | Job outputs node [ref] | semmle.label | Job outputs node [ref] |
+| .github/workflows/test16.yml:21:19:21:48 | steps.ref.outputs.value | semmle.label | steps.ref.outputs.value |
+| .github/workflows/test16.yml:26:15:33:12 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test16.yml:38:15:45:12 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test16.yml:45:15:50:12 | Run Step: ref [value] | semmle.label | Run Step: ref [value] |
+| .github/workflows/test16.yml:47:20:47:64 | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(<pr-ref.txt)" >> $GITHUB_OUTPUT |
+| .github/workflows/test16.yml:99:13:102:8 | Job outputs node [commit-message] | semmle.label | Job outputs node [commit-message] |
+| .github/workflows/test16.yml:100:30:100:70 | steps.commit-message.outputs.value | semmle.label | steps.commit-message.outputs.value |
+| .github/workflows/test16.yml:123:15:128:12 | Run Step: commit-message [value] | semmle.label | Run Step: commit-message [value] |
+| .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | semmle.label | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT |
+| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | semmle.label | github.event.workflow_run.head_commit.author.name |
+| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | semmle.label | needs.build-demo.outputs.commit-message |
+| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | semmle.label | needs.setup.outputs.ref |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -596,6 +619,10 @@ subpaths
 | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | .github/workflows/test15.yml:18:14:20:53 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "title=$PR_TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:21:21:21:52 | steps.title.outputs.title | ${{ steps.title.outputs.title }} |
 | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | .github/workflows/test15.yml:26:14:27:100 | echo "TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:28:21:28:36 | env.TITLE | ${{ env.TITLE }} |
 | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | .github/workflows/test15.yml:33:14:35:50 | PR_TITLE=$(jq --raw-output .pull_request.title ${GITHUB_EVENT_PATH})\necho "TITLE=$PR_TITLE" >> "$GITHUB_ENV"\n | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test15.yml:36:21:36:36 | env.TITLE | ${{ env.TITLE }} |
+| .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | github.event.workflow_run.head_commit.author.name | ${{ github.event.workflow_run.head_commit.author.name }} |
+| .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | .github/workflows/test16.yml:125:20:125:75 | echo "value=$(git log -1 --pretty=%s)" >> $GITHUB_OUTPUT | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.build-demo.outputs.commit-message | ${{ needs.build-demo.outputs.commit-message }} |
+| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:26:15:33:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} |
+| .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | .github/workflows/test16.yml:38:15:45:12 | Uses Step | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test16.yml:215:19:230:24 | needs.setup.outputs.ref | ${{ needs.setup.outputs.ref }} |
 | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
 | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
