fix: Add versioned python binaries to poisonable steps

Alvaro Muñoz · Alvaro Muñoz · commit ea20e9b33702 · 2024-11-03T22:29:20.000+01:00
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
@@ -47,8 +47,8 @@ extensions:
       - ["poetry"]
       - ["pylint"]
       - ["pytest"]
-      - ["python\\s+-m\\s+pip\\s+install\\s+-r"]
-      - ["python\\s+-m\\s+pip\\s+install\\s+--requirement"]
+      - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+-r"]
+      - ["python[\\d\\.]*\\s+-m\\s+pip\\s+install\\s+--requirement"]
       - ["rake"]
       - ["rails\\s+db:create"]
       - ["rails\\s+assets:precompile"]
@@ -69,7 +69,7 @@ extensions:
       - ["(\\.\\s+[^\\s]+)\\b", 1] # eg: . venv/bin/activate
       - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2]
       - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2]
-      - ["(python)\\s+([^\\s]+)\\.py\\b", 2]
+      - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2]
       - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2]
       - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3]
       - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2]
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test4.yml
@@ -44,3 +44,4 @@ jobs:
       uses: actions/upload-pages-artifact@v1
       with:
         path: './workspaces/www/build'
+    - run: python2.7 foo.py
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test7.yml
@@ -56,3 +56,4 @@ jobs:
           echo "$processed" >> $GITHUB_OUTPUT
           echo "BENCHEOF" >> $GITHUB_OUTPUT
         shell: bash
+      - run: python2.7 foo.py
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -189,7 +189,8 @@ edges
 | .github/workflows/test4.yml:38:7:40:4 | Run Step | .github/workflows/test4.yml:40:7:41:4 | Run Step |
 | .github/workflows/test4.yml:40:7:41:4 | Run Step | .github/workflows/test4.yml:41:7:42:4 | Run Step |
 | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step |
-| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:47:4 | Uses Step |
+| .github/workflows/test4.yml:43:7:47:4 | Uses Step | .github/workflows/test4.yml:47:7:47:28 | Run Step |
 | .github/workflows/test5.yml:13:9:28:6 | Uses Step: issue | .github/workflows/test5.yml:28:9:32:6 | Uses Step |
 | .github/workflows/test5.yml:28:9:32:6 | Uses Step | .github/workflows/test5.yml:32:9:34:2 | Run Step |
 | .github/workflows/test5.yml:39:9:54:6 | Uses Step: issue | .github/workflows/test5.yml:54:9:58:6 | Uses Step |
@@ -202,7 +203,8 @@ edges
 | .github/workflows/test7.yml:27:9:33:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step |
 | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:36:9:39:6 | Run Step |
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
-| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:59:9:59:30 | Run Step |
 | .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step |
 | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step |
 | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step |
@@ -342,7 +344,8 @@ edges
 | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:59:9:59:30 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:59:30 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
 | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
 | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
