new tests

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -44,7 +44,7 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
     ) and
     (
       not exists(this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])) or
-      not this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])
+      this.getArgument(["run-id", "run_id", "workflow-run-id", "workflow_run_id"])
           .matches("%github.event.workflow_run.id%")
     ) and
     (

ql/test/query-tests/Security/CWE-094/.github/workflows/artifactpoisoning7.yml

@@ -0,0 +1,21 @@
+# Second Workflow
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+  my-second-job:
+    steps:
+      - name: download pr artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+            workflow: ${{github.event.workflow_run.workflow_id}}
+            run_id: ${{github.event.workflow_run.id}}
+            name: artifact
+
+      # Save PR id to output
+      - name: Save artifact data
+        id: artifact
+        run: echo "::set-output name=id::$(<artifact.txt)"
+
+      - name: Use artifact
+        run: echo ${{ steps.artifact.outputs.id }} 

ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -6,6 +6,9 @@ edges
 | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files |
@@ -91,6 +94,10 @@ nodes
 | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |
@@ -265,6 +272,7 @@ subpaths
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
 | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
+| .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |

ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -6,6 +6,9 @@ edges
 | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id |
+| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files |
@@ -91,6 +94,10 @@ nodes
 | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning7.yml:16:9:20:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
+| .github/workflows/artifactpoisoning7.yml:18:14:18:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
+| .github/workflows/artifactpoisoning7.yml:21:20:21:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
 | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
 | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |

ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning7.yml

@@ -0,0 +1,21 @@
+# Second Workflow
+# It consumes an artifact produced by the First Workflow
+
+on: workflow_run
+jobs:
+  my-second-job:
+    steps:
+      - name: download pr artifact
+        uses: dawidd6/action-download-artifact@v2
+        with:
+            workflow: ${{github.event.workflow_run.workflow_id}}
+            run_id: ${{github.event.workflow_run.id}}
+            name: artifact
+
+      # Save PR id to output
+      - name: Save artifact data
+        id: artifact
+        run: echo "::set-output name=id::$(<artifact.txt)"
+
+      - name: Use artifact
+        run: echo ${{ steps.artifact.outputs.id }} 

ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

@@ -1,5 +1,6 @@
 | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step |
+| .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | Unpinned 3rd party Action 'artifactpoisoning7.yml' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning7.yml:8:9:16:6 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref '2', not a pinned commit hash | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | Uses Step |
 | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Unpinned 3rd party Action 'Python CI' step $@ uses 'codecov/codecov-action' with ref '3', not a pinned commit hash | .github/workflows/auto_ci.yml:93:9:96:6 | Uses Step | Uses Step |