michaelnebel
diff --git a/‎ql/lib/codeql/actions/Helper.qll
Lines changed: 169 additions & 115 deletions b/‎ql/lib/codeql/actions/Helper.qll
Lines changed: 169 additions & 115 deletions
diff --git a/‎ql/lib/codeql/actions/ast/internal/Ast.qll
Lines changed: 14 additions & 7 deletions b/‎ql/lib/codeql/actions/ast/internal/Ast.qll
Lines changed: 14 additions & 7 deletions
@@ -10,148 +10,202 @@ string normalizeExpr(string expr) {
 }
 
 bindingset[regex]
-string wrapRegexp(string regex) {
-  result =
-    [
-      "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)",
-      "toJSON\\(\\s*" + regex + "\\s*\\)"
-    ]
+string wrapRegexp(string regex) { result = "\\b" + regex + "\\b" }
+
+bindingset[regex]
+string wrapJsonRegexp(string regex) {
+  result = ["fromJSON\\(\\s*" + regex + "\\s*\\)", "toJSON\\(\\s*" + regex + "\\s*\\)"]
 }
 
 bindingset[str]
 private string trimQuotes(string str) {
   result = str.trim().regexpReplaceAll("^(\"|')", "").regexpReplaceAll("(\"|')$", "")
 }
 
-bindingset[line, var]
-predicate extractLineAssignment(string line, string var, string key, string value) {
-  exists(string assignment |
-    // single line assignment
-    assignment =
-      line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_" +
-          var.toUpperCase() + "(\\})?(\"|')?", 2) and
-    count(assignment.splitAt("=")) = 2 and
-    key = trimQuotes(assignment.splitAt("=", 0)) and
-    value = trimQuotes(assignment.splitAt("=", 1))
+/** Checks if expr is a bash parameter expansion */
+bindingset[expr]
+predicate isBashParameterExpansion(string expr, string parameter, string operator, string params) {
+  exists(string regexp |
+    // $VAR
+    regexp = "\\$([a-zA-Z_][a-zA-Z0-9_]+)\\b" and
+    parameter = expr.regexpCapture(regexp, 1) and
+    operator = "" and
+    params = ""
+    or
+    // ${VAR}
+    regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)\\}" and
+    parameter = expr.regexpCapture(regexp, 1) and
+    operator = "" and
+    params = ""
     or
-    // workflow command assignment
-    assignment =
-      line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::set-" + var.toLowerCase() +
-          "\\s+name=(.*)(\"|')?", 3).regexpReplaceAll("^\"", "").regexpReplaceAll("\"$", "") and
-    key = trimQuotes(assignment.splitAt("::", 0)) and
-    value = trimQuotes(assignment.splitAt("::", 1))
+    // ${!VAR}
+    regexp = "\\$\\{([!#])([a-zA-Z_][a-zA-Z0-9_]*)\\}" and
+    parameter = expr.regexpCapture(regexp, 2) and
+    operator = expr.regexpCapture(regexp, 1) and
+    params = ""
+    or
+    // ${VAR<OP><PARAMS>}, ...
+    regexp = "\\$\\{([a-zA-Z_][a-zA-Z0-9_]*)([#%/:^,\\-+]{1,2})?(.*?)\\}" and
+    parameter = expr.regexpCapture(regexp, 1) and
+    operator = expr.regexpCapture(regexp, 2) and
+    params = expr.regexpCapture(regexp, 3)
   )
 }
 
-bindingset[var]
-private string multilineAssignmentRegex(string var) {
-  // eg:
-  // echo "PR_TITLE<<EOF" >> $GITHUB_ENV
-  // echo "$TITLE" >> $GITHUB_ENV
-  // echo "EOF" >> $GITHUB_ENV
-  result =
-    ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
-      + var.toUpperCase() + "(\\})?(\"|')?.*"
-}
-
-bindingset[var]
-private string multilineBlockAssignmentRegex(string var) {
-  // eg:
-  // {
-  //   echo 'JSON_RESPONSE<<EOF'
-  //   echo "$TITLE" >> "$GITHUB_ENV"
-  //   echo EOF
-  // } >> "$GITHUB_ENV"
-  result =
-    ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
-      + var.toUpperCase() + "(\\})?(\"|')?.*"
+// TODO, the followinr test fails
+bindingset[raw_content]
+predicate extractVariableAndValue(string raw_content, string key, string value) {
+  exists(string regexp, string content | content = trimQuotes(raw_content) |
+    regexp = "(?msi).*^([a-zA-Z_][a-zA-Z0-9_]*)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\2\\s*$" and
+    key = trimQuotes(content.regexpCapture(regexp, 1)) and
+    value = trimQuotes(content.regexpCapture(regexp, 3))
+    or
+    exists(string line |
+      line = content.splitAt("\n") and
+      regexp = "(?i)^([a-zA-Z_][a-zA-Z0-9_\\-]*)\\s*=\\s*(.*)$" and
+      key = trimQuotes(line.regexpCapture(regexp, 1)) and
+      value = trimQuotes(line.regexpCapture(regexp, 2))
+    )
+  )
 }
 
-bindingset[var]
-private string multilineHereDocAssignmentRegex(string var) {
-  // eg:
-  // cat <<-EOF >> "$GITHUB_ENV"
-  //   echo "FOO=$TITLE"
-  // EOF
-  result =
-    ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() +
-      "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*"
+bindingset[script]
+predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) {
+  exists(string regexp |
+    regexp = "(?i)(echo|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and
+    cmd = script.regexpCapture(regexp, 1) and
+    file = trimQuotes(script.regexpCapture(regexp, 4)) and
+    filters = "" and
+    content = script.regexpCapture(regexp, 2)
+  )
 }
 
-bindingset[script, var]
-predicate extractMultilineAssignment(string script, string var, string key, string value) {
-  // multiline assignment
-  exists(string flattenedScript |
-    flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and
-    value =
-      "$(" +
-        trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 4))
-            .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() +
-                "(\\})?(\"|')?", "")
-            .replaceAll("::NEW_LINE::", "\n")
-            .trim()
-            .splitAt("\n") + ")" and
-    key = trimQuotes(flattenedScript.regexpCapture(multilineAssignmentRegex(var), 2))
+bindingset[script]
+predicate singleLineWorkflowCmd(string script, string cmd, string key, string value) {
+  exists(string regexp |
+    regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(set-[a-z]+)\\s*name\\s*=\\s*(.*?)::(.*)" and
+    cmd = script.regexpCapture(regexp, 3) and
+    key = script.regexpCapture(regexp, 4) and
+    value = trimQuotes(script.regexpCapture(regexp, 5))
+    or
+    regexp = "(?i)(echo|write-output)\\s*(['|\"])?::(add-[a-z]+)\\s*::(.*)" and
+    cmd = script.regexpCapture(regexp, 3) and
+    key = "" and
+    value = trimQuotes(script.regexpCapture(regexp, 4))
   )
-  or
-  // multiline block assignment
-  exists(string flattenedScript |
-    flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and
-    value =
-      "$(" +
-        trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 5))
-            .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() +
-                "(\\})?(\"|')?", "")
-            .replaceAll("::NEW_LINE::", "\n")
-            .trim()
-            .splitAt("\n") + ")" and
-    key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3))
+}
+
+bindingset[script]
+predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) {
+  exists(string regexp |
+    regexp = "(?msi).*^(cat)\\s*(>>|>)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and
+    cmd = script.regexpCapture(regexp, 1) and
+    file = trimQuotes(script.regexpCapture(regexp, 3)) and
+    content = script.regexpCapture(regexp, 5) and
+    filters = ""
+    or
+    regexp =
+      "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and
+    cmd = script.regexpCapture(regexp, 1) and
+    file = trimQuotes(script.regexpCapture(regexp, 6)) and
+    filters = script.regexpCapture(regexp, 4) and
+    content = script.regexpCapture(regexp, 7)
   )
-  or
-  // multiline heredoc assignment
-  exists(string flattenedScript |
-    flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and
-    value =
-      trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3))
-          .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() +
-              "(\\})?(\"|')?", "")
-          .replaceAll("::NEW_LINE::", "\n")
-          .trim()
-          .splitAt("\n") and
-    key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2))
+}
+
+bindingset[script]
+predicate linesFileWrite(string script, string cmd, string file, string content, string filters) {
+  exists(string regexp |
+    regexp =
+      "(?msi).*(echo\\s+['|\"]?(.*?<<(\\S+))['|\"]?\\s*>>\\s*(\\S+)\\s*[\r\n]+)" +
+        "(((.*?)\\s*>>\\s*\\S+\\s*[\r\n]+)+)" +
+        "(echo\\s+['|\"]?(EOF)['|\"]?\\s*>>\\s*\\S+\\s*[\r\n]*).*" and
+    content =
+      trimQuotes(script.regexpCapture(regexp, 2)) + "\n" + "$(" +
+        trimQuotes(script.regexpCapture(regexp, 5)) +
+        // TODO: there are some >> $GITHUB_ENV, >> $GITHUB_OUTPUT, >> "$GITHUB_ENV" lefotvers in content
+        //.regexpReplaceAll("\\s*(>|>>)\\s*\\$[{]*" + file + "(.*?)[}]*", "")
+        ")\n" + trimQuotes(script.regexpCapture(regexp, 3)) and
+    cmd = "echo" and
+    file = trimQuotes(script.regexpCapture(regexp, 4)) and
+    filters = ""
   )
 }
 
-bindingset[line]
-predicate extractPathAssignment(string line, string value) {
-  exists(string path |
-    // single path assignment
-    path =
-      line.regexpCapture("(echo|Write-Output)\\s+(.*)>>\\s*(\"|')?\\$(\\{)?GITHUB_PATH(\\})?(\"|')?",
-        2) and
-    value = trimQuotes(path)
-    or
-    // workflow command assignment
-    path =
-      line.regexpCapture("(echo|Write-Output)\\s+(\"|')?::add-path::(.*)(\"|')?", 3)
-          .regexpReplaceAll("^\"", "")
-          .regexpReplaceAll("\"$", "") and
-    value = trimQuotes(path)
+bindingset[script]
+predicate blockFileWrite(string script, string cmd, string file, string content, string filters) {
+  exists(string regexp |
+    regexp =
+      "(?msi).*^\\s*\\{\\s*[\r\n]" +
+        //
+        "(.*?)" +
+        //
+        "(\\s*\\}\\s*(>>|>)\\s*(\\S+))\\s*$.*" and
+    content =
+      script
+          .regexpCapture(regexp, 1)
+          .regexpReplaceAll("(?m)^[ ]*echo\\s*['\"](.*?)['\"]", "$1")
+          .regexpReplaceAll("(?m)^[ ]*echo\\s*", "") and
+    file = trimQuotes(script.regexpCapture(regexp, 4)) and
+    cmd = "echo" and
+    filters = ""
+  )
+}
+
+bindingset[script]
+predicate multiLineFileWrite(string script, string cmd, string file, string content, string filters) {
+  heredocFileWrite(script, cmd, file, content, filters)
+  or
+  linesFileWrite(script, cmd, file, content, filters)
+  or
+  blockFileWrite(script, cmd, file, content, filters)
+}
+
+bindingset[script, file_var]
+predicate extractFileWrite(string script, string file_var, string content) {
+  // single line assignment
+  exists(string file_expr, string raw_content |
+    isBashParameterExpansion(file_expr, file_var, _, _) and
+    singleLineFileWrite(script.splitAt("\n"), _, file_expr, raw_content, _) and
+    content = trimQuotes(raw_content)
+  )
+  or
+  // workflow command assignment
+  exists(string key, string value, string cmd |
+    (
+      file_var = "GITHUB_ENV" and
+      cmd = "set-env" and
+      content = key + "=" + value
+      or
+      file_var = "GITHUB_OUTPUT" and
+      cmd = "set-output" and
+      content = key + "=" + value
+      or
+      file_var = "GITHUB_PATH" and
+      cmd = "add-path" and
+      content = value
+    ) and
+    singleLineWorkflowCmd(script.splitAt("\n"), cmd, key, value)
+  )
+  or
+  // multiline assignment
+  exists(string file_expr, string raw_content |
+    multiLineFileWrite(script, _, file_expr, raw_content, _) and
+    isBashParameterExpansion(file_expr, file_var, _, _) and
+    content = trimQuotes(raw_content)
   )
 }
 
-predicate writeToGitHubEnv(Run run, string key, string value) {
-  extractLineAssignment(run.getScript().splitAt("\n"), "ENV", key, value) or
-  extractMultilineAssignment(run.getScript(), "ENV", key, value)
+predicate writeToGitHubEnv(Run run, string content) {
+  extractFileWrite(run.getScript(), "GITHUB_ENV", content)
 }
 
-predicate writeToGitHubOutput(Run run, string key, string value) {
-  extractLineAssignment(run.getScript().splitAt("\n"), "OUTPUT", key, value) or
-  extractMultilineAssignment(run.getScript(), "OUTPUT", key, value)
+predicate writeToGitHubOutput(Run run, string content) {
+  extractFileWrite(run.getScript(), "GITHUB_OUTPUT", content)
 }
 
-predicate writeToGitHubPath(Run run, string value) {
-  extractPathAssignment(run.getScript().splitAt("\n"), value)
+predicate writeToGitHubPath(Run run, string content) {
+  extractFileWrite(run.getScript(), "GITHUB_PATH", content)
 }
 
 predicate inPrivilegedCompositeAction(AstNode node) {
 
@@ -749,12 +749,19 @@ class JobImpl extends AstNodeImpl, TJobNode {
   /** Holds if the job can be triggered by an external actor. */
   predicate isExternallyTriggerable() {
     // the job is triggered by an event that can be triggered externally
-    externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) or
+    externallyTriggerableEventsDataModel(this.getATriggerEvent().getName())
+    or
     // the job is triggered by a workflow_call event that can be triggered externally
     this.getATriggerEvent().getName() = "workflow_call" and
-    (exists(ExpressionImpl e, string external_trigger | e.getEnclosingJob() = this and e.getExpression().matches("%github.event" + external_trigger + "%") and externallyTriggerableEventsDataModel(external_trigger))
-    or 
-    this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable())
+    (
+      exists(ExpressionImpl e, string external_trigger |
+        e.getEnclosingJob() = this and
+        e.getExpression().matches("%github.event" + external_trigger + "%") and
+        externallyTriggerableEventsDataModel(external_trigger)
+      )
+      or
+      this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable()
+    )
   }
 
   /** Holds if the job is privileged. */
@@ -781,9 +788,9 @@ class JobImpl extends AstNodeImpl, TJobNode {
   private predicate hasExplicitSecretAccess() {
     // the job accesses a secret other than GITHUB_TOKEN
     exists(SecretsExpressionImpl expr |
-      (expr.getEnclosingJob() = this  or not exists(expr.getEnclosingJob()))  and
+      (expr.getEnclosingJob() = this or not exists(expr.getEnclosingJob())) and
       expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and
-      not expr.getFieldName() = "GITHUB_TOKEN" 
+      not expr.getFieldName() = "GITHUB_TOKEN"
     )
   }
 
@@ -814,7 +821,7 @@ class JobImpl extends AstNodeImpl, TJobNode {
     // the Job is triggered by an event other than `pull_request`
     count(this.getATriggerEvent()) = 1 and
     not this.getATriggerEvent().getName() = "pull_request" and
-    not this.getATriggerEvent().getName() = "workflow_call" 
+    not this.getATriggerEvent().getName() = "workflow_call"
     or
     // the Workflow is a Reusable Workflow only and there is
     // a privileged caller workflow or we cant find a caller