github
diff --git a/‎ql/test/library-tests/poisonable_steps.expected
Lines changed: 2 additions & 0 deletions b/‎ql/test/library-tests/poisonable_steps.expected
Lines changed: 2 additions & 0 deletions
diff --git a/‎ql/test/library-tests/test.ql
Lines changed: 1 addition & 1 deletion b/‎ql/test/library-tests/test.ql
Lines changed: 1 addition & 1 deletion
diff --git a/‎ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml renamed to ‎ql/test/query-tests/Models/.github/workflows/calling_composite.yml b/‎ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml renamed to ‎ql/test/query-tests/Models/.github/workflows/calling_composite.yml
diff --git a/‎ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml renamed to ‎ql/test/query-tests/Models/.github/workflows/calling_workflow.yml b/‎ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml renamed to ‎ql/test/query-tests/Models/.github/workflows/calling_workflow.yml
diff --git a/‎ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml renamed to ‎ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml b/‎ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml renamed to ‎ql/test/query-tests/Models/.github/workflows/reusable_workflow.yml
diff --git a/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected renamed to ‎ql/test/query-tests/Models/CompositeActionsSinks.expected b/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected renamed to ‎ql/test/query-tests/Models/CompositeActionsSinks.expected
diff --git a/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref renamed to ‎ql/test/query-tests/Models/CompositeActionsSinks.qlref b/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref renamed to ‎ql/test/query-tests/Models/CompositeActionsSinks.qlref
diff --git a/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected renamed to ‎ql/test/query-tests/Models/CompositeActionsSources.expected b/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected renamed to ‎ql/test/query-tests/Models/CompositeActionsSources.expected
diff --git a/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref renamed to ‎ql/test/query-tests/Models/CompositeActionsSources.qlref b/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref renamed to ‎ql/test/query-tests/Models/CompositeActionsSources.qlref
diff --git a/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected renamed to ‎ql/test/query-tests/Models/CompositeActionsSummaries.expected b/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected renamed to ‎ql/test/query-tests/Models/CompositeActionsSummaries.expected
diff --git a/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref renamed to ‎ql/test/query-tests/Models/CompositeActionsSummaries.qlref b/‎ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref renamed to ‎ql/test/query-tests/Models/CompositeActionsSummaries.qlref
diff --git a/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSinks.expected b/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSinks.expected
diff --git a/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref b/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSinks.qlref
diff --git a/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSources.expected b/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSources.expected
diff --git a/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSources.qlref b/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSources.qlref
diff --git a/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected b/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSummaries.expected
diff --git a/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref b/‎ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref renamed to ‎ql/test/query-tests/Models/ReusableWorkflowsSummaries.qlref
diff --git a/‎ql/test/query-tests/Security/CWE-020/action1/action.yml renamed to ‎ql/test/query-tests/Models/action1/action.yml b/‎ql/test/query-tests/Security/CWE-020/action1/action.yml renamed to ‎ql/test/query-tests/Models/action1/action.yml
diff --git a/‎ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
Lines changed: 8 additions & 8 deletions b/‎ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.expected
Lines changed: 8 additions & 8 deletions
diff --git a/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
Lines changed: 23 additions & 0 deletions b/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test13.yml
Lines changed: 23 additions & 0 deletions
diff --git a/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
Lines changed: 30 additions & 0 deletions b/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test14.yml
Lines changed: 30 additions & 0 deletions
diff --git a/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
Lines changed: 29 additions & 0 deletions b/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test15.yml
Lines changed: 29 additions & 0 deletions
diff --git a/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
Lines changed: 0 additions & 2 deletions b/‎ql/test/query-tests/Security/CWE-077/.github/workflows/test8.yml
Lines changed: 0 additions & 2 deletions
diff --git a/‎ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
Lines changed: 5 additions & 6 deletions b/‎ql/test/query-tests/Security/CWE-077/EnvPathInjectionCritical.expected
Lines changed: 5 additions & 6 deletions
diff --git a/‎ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
Lines changed: 5 additions & 6 deletions b/‎ql/test/query-tests/Security/CWE-077/EnvPathInjectionMedium.expected
Lines changed: 5 additions & 6 deletions
@@ -1,3 +1,5 @@
+| .github/workflows/multiline2.yml:63:9:66:6 | Run Step |
+| .github/workflows/multiline.yml:63:9:66:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |
 | .github/workflows/poisonable_steps.yml:13:9:14:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:14:9:15:6 | Run Step |
 
@@ -150,6 +150,6 @@ query predicate isBashParameterExpansion(string parameter, string operator, stri
         "${parameter21%%pattern}", "${parameter22/pattern/string}",
         "${parameter23//pattern/string}",
       ] and
-    Bash::isBashParameterExpansion(test, parameter, operator, params)
+    Bash::isParameterExpansion(test, parameter, operator, params)
   )
 }
@@ -1,12 +1,12 @@
 edges
-| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance |  |
-| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance |  |
-| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance |  |
-| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance |  |
-| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | provenance |  |
-| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | provenance |  |
-| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | provenance |  |
-| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | provenance |  |
+| .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/output1.yml:30:9:35:6 | Uses Step | .github/workflows/output1.yml:36:14:38:58 | echo "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$(<pr-number)" >> $GITHUB_OUTPUT\n | provenance | Config |
+| .github/workflows/output2.yml:9:18:9:49 | github.event.comment.body | .github/workflows/output2.yml:10:14:13:48 | # VULNERABLE\necho $BODY\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
+| .github/workflows/output2.yml:16:18:16:49 | github.event.comment.body | .github/workflows/output2.yml:17:14:20:21 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\necho $BODY\n | provenance | Config |
+| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:42:14:46:48 | # VULNERABLE\nPR="$(<pr-number)"\necho "$PR"\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
+| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:48:14:51:48 | # VULNERABLE\ncat pr-number\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
+| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:53:14:56:19 | # VULNERABLE\necho "::set-output name=OUTPUT::SAFE"\nls *.txt\n | provenance | Config |
+| .github/workflows/output2.yml:36:9:41:6 | Uses Step | .github/workflows/output2.yml:58:14:62:48 | # VULNERABLE\nCURRENT_VERSION=$(cat gradle.properties \| sed -n '/^version=/ { s/^version=//;p }')\necho "$CURRENT_VERSION"\necho "::set-output name=OUTPUT::SAFE"\n | provenance | Config |
 nodes
 | .github/workflows/output1.yml:9:18:9:49 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/output1.yml:10:14:13:50 | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n | semmle.label | # VULNERABLE\necho "OUTPUT_1=HARDCODED" >> $GITHUB_OUTPUT\necho "OUTPUT_2=$BODY" >> $GITHUB_OUTPUT\n |
 
@@ -0,0 +1,23 @@
+name: publish
+on:
+  pull_request_target:
+    branches:
+      - main
+jobs:
+  need-publish:
+    permissions:
+      actions: write 
+    name: Need Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Get commit message
+        run: |
+          COMMIT_MESSAGE=$(git log --format=%s)
+          echo "COMMIT_MESSAGE=${COMMIT_MESSAGE}" >> $GITHUB_ENV
+      - name: Get commit message
+        run: |
+          echo "COMMIT_MESSAGE=$(git log --format=%s)" >> $GITHUB_ENV
@@ -0,0 +1,30 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - id: changed-files
+        run: |
+          echo "CHANGED-FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)" >> "$GITHUB_ENV"
+      - run: echo "${{ env.CHANGED-FILES }}"
+  test2:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - id: changed-files
+        run: |
+          FILES=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} -- docs/)
+          echo "CHANGED-FILES=${FILES}" >> "$GITHUB_ENV"
+      - run: echo "${{ env.CHANGED-FILES }}"
+
+
+
@@ -0,0 +1,29 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title 
+        run: |
+          echo "BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})" >> "$GITHUB_ENV"
+      - run: echo "$TITLE"
+  test2:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title 
+        run: |
+          PR_BODY=$(jq --raw-output .pull_request.body ${GITHUB_EVENT_PATH})
+          echo "BODY=$PR_BODY" >> "$GITHUB_ENV"
+      - run: echo "$TITLE"
+  test3:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "branch_name=$(jq --raw-output .pull_request.head.ref $GITHUB_EVENT_PATH)" >> $GITHUB_ENV
+
+
+
@@ -20,8 +20,6 @@ jobs:
         contents: write
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: foo
 
       - name: Download and Extract Artifacts
         uses: dawidd6/action-download-artifact@v6
 
@@ -1,10 +1,9 @@
 edges
-| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
-| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
+| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config |
 nodes
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
 
@@ -1,10 +1,9 @@
 edges
-| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance |  |
-| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
-| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance |  |
+| .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:16:21:16:58 | github.event.pull_request.title | .github/workflows/path1.yml:17:14:17:42 | echo $PATHINJ >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:19:21:19:58 | github.event.pull_request.title | .github/workflows/path1.yml:20:14:20:44 | echo ${PATHINJ} >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:21:9:25:6 | Uses Step | .github/workflows/path1.yml:25:14:25:50 | echo "$(cat foo/bar)" >> $GITHUB_PATH | provenance | Config |
+| .github/workflows/path1.yml:28:21:28:58 | github.event.pull_request.title | .github/workflows/path1.yml:29:14:29:40 | echo "::add-path::$PATHINJ" | provenance | Config |
 nodes
 | .github/workflows/path1.yml:13:21:13:58 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/path1.yml:14:14:14:52 | echo $(echo "$PATHINJ") >> $GITHUB_PATH | semmle.label | echo $(echo "$PATHINJ") >> $GITHUB_PATH |
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+\| .github/workflows/multiline2.yml:63:9:66:6 \| Run Step \|`
	`2`	`+\| .github/workflows/multiline.yml:63:9:66:6 \| Run Step \|`
`1`	`3`	`\| .github/workflows/poisonable_steps.yml:8:9:13:6 \| Uses Step \|`
`2`	`4`	`\| .github/workflows/poisonable_steps.yml:13:9:14:6 \| Run Step \|`
`3`	`5`	`\| .github/workflows/poisonable_steps.yml:14:9:15:6 \| Run Step \|`
Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,6 @@ query predicate isBashParameterExpansion(string parameter, string operator, stri`
`150`	`150`	`"${parameter21%%pattern}", "${parameter22/pattern/string}",`
`151`	`151`	`"${parameter23//pattern/string}",`
`152`	`152`	`] and`
`153`		`- Bash::isBashParameterExpansion(test, parameter, operator, params)`
	`153`	`+ Bash::isParameterExpansion(test, parameter, operator, params)`
`154`	`154`	`)`
`155`	`155`	`}`