Update ql suites

Alvaro Muñoz · Alvaro Muñoz · commit 28af21c55623 · 2024-06-05T08:57:43.000+02:00
diff --git a/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -13,8 +13,9 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
       this.asExpr() = run.getScriptScalar() and
       step.getAFollowingStep() = run and
       writeToGitHubPath(run, value) and
-      // TODO: add support for other commands like `<`, `jq`, ...
-      value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
+      // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV)
+      value
+          .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"])
     )
   }
 }
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -26,8 +26,9 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
       step.getAFollowingStep() = run and
       writeToGitHubEnv(run, content) and
       extractVariableAndValue(content, _, value) and
-      // TODO: add support for other commands like `<`, `jq`, ...
-      value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
+      // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV)
+      value
+          .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"])
     )
   }
 }
diff --git a/ql/src/Debug/partial.ql b/ql/src/Debug/partial.ql
@@ -5,6 +5,8 @@
  * @precision low
  * @problem.severity error
  * @id actions/test-dataflow
+ * @tags actions
+ *       debug
  */
 
 import actions
diff --git a/ql/src/codeql-suites/actions-all.qls b/ql/src/codeql-suites/actions-all.qls
@@ -4,3 +4,7 @@
     kind:
       - problem
       - path-problem
+- exclude:
+    tags contain:
+      - debug
+      - model-generator
diff --git a/ql/src/codeql-suites/actions-code-scanning.qls b/ql/src/codeql-suites/actions-code-scanning.qls
@@ -17,3 +17,5 @@
     tags contain:
       - experimental
       - testing
+      - debug
+      - model-generator

Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,9 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {`
`13`	`13`	`this.asExpr() = run.getScriptScalar() and`
`14`	`14`	`step.getAFollowingStep() = run and`
`15`	`15`	`writeToGitHubPath(run, value) and`
`16`		- // TODO: add support for other commands like `<`, `jq`, ...
`17`		- value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
	`16`	+ // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV)
	`17`	`+ value`
	`18`	+ .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"])
`18`	`19`	`)`
`19`	`20`	`}`
`20`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,8 +26,9 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {`
`26`	`26`	`step.getAFollowingStep() = run and`
`27`	`27`	`writeToGitHubEnv(run, content) and`
`28`	`28`	`extractVariableAndValue(content, _, value) and`
`29`		- // TODO: add support for other commands like `<`, `jq`, ...
`30`		- value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
	`29`	+ // (eg: echo DATABASE_SHA=`yq '.creationMetadata.sha' codeql-database.yml` >> $GITHUB_ENV)
	`30`	`+ value`
	`31`	+ .regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<", "jq\\s+", "yq\\s+"] + ".*" + ["`", "\\)"])
`31`	`32`	`)`
`32`	`33`	`}`
`33`	`34`	`}`