Minor improvemnts

Alvaro Muñoz · Alvaro Muñoz · commit a84c1c4706b4 · 2024-06-13T11:51:15.000+02:00
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -20,12 +20,13 @@ class DownloadArtifactActionStep extends UntrustedArtifactDownloadStep, UsesStep
   DownloadArtifactActionStep() {
     this.getCallee() =
       [
-        "dawidd6/action-download-artifact", "marcofaggian/action-download-multiple-artifacts",
-        "benday-inc/download-latest-artifact", "blablacar/action-download-last-artifact",
-        "levonet/action-download-last-artifact", "bettermarks/action-artifact-download",
-        "aochmann/actions-download-artifact", "cytopia/download-artifact-retry-action",
-        "alextompkins/download-prior-artifact", "nmerget/download-gzip-artifact",
-        "benday-inc/download-artifact", "synergy-au/download-workflow-artifacts-action",
+        "actions/download-artifact", "dawidd6/action-download-artifact",
+        "marcofaggian/action-download-multiple-artifacts", "benday-inc/download-latest-artifact",
+        "blablacar/action-download-last-artifact", "levonet/action-download-last-artifact",
+        "bettermarks/action-artifact-download", "aochmann/actions-download-artifact",
+        "cytopia/download-artifact-retry-action", "alextompkins/download-prior-artifact",
+        "nmerget/download-gzip-artifact", "benday-inc/download-artifact",
+        "synergy-au/download-workflow-artifacts-action", "ishworkh/docker-image-artifact-download",
         "ishworkh/container-image-artifact-download", "sidx1024/action-download-artifact",
         "hyperskill/azblob-download-artifact", "ma-ve/action-download-artifact-with-retry"
       ] and
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -19,10 +19,11 @@ class DangerousActionUsesStep extends PoisonableStep, UsesStep {
 private string dangerousCommands() {
   result =
     [
-      "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
+      "npm i(nstall)?(\\b|$)", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
       "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
       "msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build",
-      "pytest", "pip install -r ", "pip install --requirement", "java -jar "
+      "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install",
+      "poetry run"
     ]
 }
 

Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,11 @@ class DangerousActionUsesStep extends PoisonableStep, UsesStep {`
`19`	`19`	`private string dangerousCommands() {`
`20`	`20`	`result =`
`21`	`21`	`[`
`22`		`- "npm install", "npm run ", "yarn ", "npm ci(\\b\|$)", "make ", "terraform plan",`
	`22`	`+ "npm i(nstall)?(\\b\|$)", "npm run ", "yarn ", "npm ci(\\b\|$)", "make ", "terraform plan",`
`23`	`23`	`"terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",`
`24`	`24`	`"msbuild ", "mvn ", "gradle ", "bundle install", "bundle exec ", "^ant ", "mkdocs build",`
`25`		`- "pytest", "pip install -r ", "pip install --requirement", "java -jar "`
	`25`	`+ "pytest", "pip install -r ", "pip install --requirement", "java -jar ", "poetry install",`
	`26`	`+ "poetry run"`
`26`	`27`	`]`
`27`	`28`	`}`
`28`	`29`