Add new tests

Author: Alvaro Muñoz

ql/test/query-tests/Security/CWE-094/.github/actions/action5/action.yml

@@ -9,6 +9,9 @@ outputs:
   result:
     description: "result"
     value: ${{ steps.step.outputs.result }}
+  result2:
+    description: "result"
+    value: ${{ steps.step2.outputs.result2 }}
 runs:
   using: 'composite'
   steps:
@@ -20,6 +23,11 @@ runs:
         FOO: ${{ inputs.taint }}
       shell: bash
       run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+    - id: step2
+      env:
+        FOO2: ${{ github.event.pull_request.body }}
+      shell: bash
+      run: echo "result2=$(echo $FOO2)" >> $GITHUB_OUTPUT
     - name: Sink
       id: sink
       shell: bash

ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml

@@ -0,0 +1,46 @@
+name: Clone repository
+description: Clone repository
+inputs:
+  title:
+    description: Title
+    required: true
+  forked-pr:
+    description: Whether the event is operating from a forked PR
+    required: true
+  fetch-depth:
+    description: Fetch depth for actions/checkout
+    default: "1"
+outputs:
+  result:
+    description: "result"
+    value: ${{ steps.out.outputs.replaced }}
+
+runs:
+  using: composite
+  steps:
+    - shell: bash
+      run: echo "${{ inputs.title }}"
+    - uses: frabert/[email protected]
+      id: out 
+      with:
+        pattern: "\""
+        string:  ${{ inputs.title }}
+        replace-with: 'foo'
+        flags: g    
+    - id: out2  
+      env:
+        FOO: ${{ inputs.title }}
+      shell: bash
+      run: echo "result=$(echo $FOO)" >> $GITHUB_OUTPUT
+    - name: Clone branch
+      if: "!fromJSON(inputs.forked-pr)"
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: ${{ inputs.fetch-depth }}
+    - name: Clone forked PR
+      if: fromJSON(inputs.forked-pr)
+      uses: actions/checkout@v3
+      with:
+        ref: refs/pull/${{ github.event.number }}/merge
+        fetch-depth: ${{ inputs.fetch-depth }}
+

ql/test/query-tests/Security/CWE-094/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml

@@ -0,0 +1,95 @@
+name: changelog
+
+on:
+  workflow_call:
+    inputs:
+      taint:
+        description: taint
+        type: string
+        required: true
+        default: "" 
+
+jobs:
+  changelog:
+    runs-on: ubuntu-latest
+    env:
+      file: CHANGELOG.md
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Check ${{ env.file }}
+        run: |
+          if [[ $(git diff --name-only origin/master HEAD -- ${{ env.file }} | grep '^${{ env.file }}$' -c) -eq 0 ]]; then
+            echo "Expected '${{ env.file }}' to be modified"
+            exit 1
+          fi
+  update:
+    runs-on: ubuntu-latest
+    needs: changelog
+    continue-on-error: true
+    env:
+      file: CHANGELOG.md
+      next_version: next
+      link: '[#${{ github.event.number }}](https://github.com/fabricjs/fabric.js/pull/${{ github.event.number }})'
+    steps:
+      - run: echo "${{ inputs.taint }}"
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+      - name: Update ${{ env.file }} from PR title
+        id: update
+        uses: actions/github-script@v6
+        env:
+          log: '- ${{ github.event.pull_request.title }} ${{ env.link }}\n'
+          prev_log: '- ${{ github.event.changes.title.from }} ${{ env.link }}\n'
+        with:
+          result-encoding: string
+          script: |
+            const fs = require('fs');
+            const file = './${{ env.file }}';
+            let content = fs.readFileSync(file).toString();
+            const title = '[${{ env.next_version }}]';
+            const log = '${{ env.log }}';
+            let exists = ${{ needs.changelog.result == 'success' }};
+
+            if (!content.includes(title)) {
+            const insertAt = content.indexOf('\n') + 1;
+            content =
+                content.slice(0, insertAt) +
+                `\n## ${title}\n\n\n` +
+                content.slice(insertAt);
+            }
+
+            const insertAt = content.indexOf('\n', content.indexOf(title) + title.length + 1) + 1;
+            if (exists && ${{ github.event.action == 'edited' }}) {
+                const prevLog = '${{ env.prev_log }}';
+                const index = content.indexOf(prevLog, insertAt);
+                if (index > -1) {
+                    content = content.slice(0, index) + content.slice(index + prevLog.length);
+                    exists = false;
+                }
+            }
+
+            if (!exists) {
+                content = content.slice(0, insertAt) + log + content.slice(insertAt);
+                fs.writeFileSync(file, content);
+                return true;
+            }
+
+            return false;
+      - name: Setup node
+        if: fromJson(steps.update.outputs.result)
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18.x
+      - name: Commit & Push
+        if: fromJson(steps.update.outputs.result)
+        run: |
+          npm ci
+          npx prettier --write ${{ env.file }}
+          git config user.name github-actions[bot]
+          git config user.email github-actions[bot]@users.noreply.github.com
+          git add ${{ env.file }}
+          git commit -m "update ${{ env.file }}"
+          git push

ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-3.yml

@@ -11,4 +11,5 @@ jobs:
         with:
           taint: ${{ github.event.comment.body }}
       - run: echo "${{ steps.foo.outputs.result }}"
+      - run: echo "${{ steps.foo.outputs.result2 }}"
 

ql/test/query-tests/Security/CWE-094/.github/workflows/composite-action-caller-4.yml

@@ -0,0 +1,18 @@
+
+name: Issue Workflow
+on: 
+  pull_request_target:
+jobs: 
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone branch
+        id: clone
+        uses: TestOrg/TestRepo/.github/actions/clone-repo@main
+        with:
+          title: ${{ github.event.pull_request.title }}
+          forked-pr: true
+          fetch-depth: 2
+      - run: echo "${{ steps.clone.outputs.result }}"
+

ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-3.yml

@@ -0,0 +1,10 @@
+name: Caller
+
+on:
+  pull_request_target:
+
+jobs:
+  test:
+    uses: TestOrg/TestRepo/.github/workflows/reusable-workflow.yml@main
+    with:
+      taint: ${{ github.event.pull_request.title }}