Update and new tests

Alvaro Muñoz · Alvaro Muñoz · commit d2e9411e1293 · 2024-05-08T22:35:17.000+02:00
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml
@@ -4,6 +4,7 @@ on:
 
 jobs:
   pr-comment:
+    permissions: read-all
     runs-on: ubuntu-latest
     steps:
       - uses: xt0rted/pull-request-comment-branch@v2
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml
@@ -0,0 +1,12 @@
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  pr-comment:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo ${{ github.event.comment.body }}
+
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml
@@ -0,0 +1,24 @@
+on:
+  issue_comment:
+    types: [created]
+
+permissions: write-all
+
+jobs:
+  pr-comment:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: xt0rted/pull-request-comment-branch@v2
+        id: comment-branch
+
+      - uses: actions/checkout@v3
+        if: success()
+        with:
+          ref: ${{ steps.comment-branch.outputs.head_sha }}
+
+      - uses: actions/cache@v2
+        with:
+          path: ./poison
+          key: poison_key
+      - run: |
+          cat poison
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml
@@ -0,0 +1,21 @@
+on:
+  issue_comment:
+    types: [created]
+
+permissions:
+  issues: write
+jobs:
+  pr-comment:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: xt0rted/pull-request-comment-branch@v2
+        id: comment-branch
+
+      - uses: actions/checkout@v3
+        if: success()
+        with:
+          ref: ${{ steps.comment-branch.outputs.head_sha }}
+
+      - run: |
+          ./checkedout/poison
+
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml
@@ -2,6 +2,8 @@ name: Cache Poisoning
 
 on: pull_request_target
 
+permissions: read-all
+
 jobs:
   poison:
     runs-on: ubuntu-latest
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml
@@ -2,6 +2,8 @@ name: Cache Poisoning
 
 on: pull_request_target
 
+permissions: {}
+
 jobs:
   poison:
     runs-on: ubuntu-latest
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml
@@ -2,9 +2,13 @@ name: Cache Poisoning
 
 on: pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   poison:
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       - uses: actions/checkout@v3
         with:
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml
@@ -5,6 +5,8 @@ on: pull_request_target
 jobs:
   poison:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read  
     steps:
       - uses: actions/checkout@v3
         with:
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml
@@ -5,6 +5,7 @@ on: pull_request_target
 jobs:
   poison:
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       - uses: actions/checkout@v3
         with:
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml
@@ -5,6 +5,7 @@ on: pull_request_target
 jobs:
   poison:
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       - uses: actions/checkout@v3
         with:
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml
@@ -5,15 +5,33 @@ on:
 jobs:
   pr-comment:
     runs-on: ubuntu-latest
+    permissions: read-all
     steps:
       - uses: xt0rted/pull-request-comment-branch@v2
         id: comment-branch
-
       - uses: actions/checkout@v3
-        if: success()
         with:
           ref: ${{ steps.comment-branch.outputs.head_sha }}
+      - run: ./checkedout/poison
 
-      - run: |
-          ./checkedout/poison
+  pr-comment2:
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - uses: xt0rted/pull-request-comment-branch@v2
+        id: comment-branch
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ steps.comment-branch.outputs.head_sha }}
+      - uses: ./.github/actions/node-npm-setup
 
+  pr-comment3:
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - uses: xt0rted/pull-request-comment-branch@v2
+        id: comment-branch
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ steps.comment-branch.outputs.head_sha }}
+      - run: node .github/actions-scripts/what-docs-early-access-branch.js
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml
@@ -4,8 +4,8 @@ on:
 
 jobs:
   pr-comment:
+    permissions: read-all
     runs-on: ubuntu-latest
-    permissions: {}
     steps:
       - run: |
           echo ${{ github.event.comment.body }}
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -1,6 +1,8 @@
-| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test6.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test7.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test8.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test1.yml:13:9:18:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Uses Step |
+| .github/workflows/test2.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Uses Step |
+| .github/workflows/test3.yml:11:9:14:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Uses Step |
+| .github/workflows/test6.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Uses Step |
+| .github/workflows/test7.yml:10:9:13:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Uses Step |
+| .github/workflows/test8.yml:12:9:15:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:15:9:17:2 | Run Step | Run Step |
+| .github/workflows/test8.yml:23:9:26:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Uses Step |
+| .github/workflows/test8.yml:34:9:37:6 | Uses Step | Untrusted checked-out code may lead to cache poisoning on step $@. | .github/workflows/test8.yml:37:9:37:75 | Run Step | Run Step |
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
@@ -1,6 +1,7 @@
 edges
 nodes
 | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
-| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutCritical.expected
@@ -1,3 +1,4 @@
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/level0.yml:99:9:103:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/PrivilegedUntrustedCheckoutHigh.expected
@@ -1,4 +1,3 @@
-j .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:16:9:22:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:30:9:36:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_3rd_party_action.yml:45:9:49:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
