feat(bash): Add support for tee as a way to write to GITHUB special files

Author: Alvaro Muñoz

ql/lib/codeql/actions/Helper.qll

@@ -74,9 +74,10 @@ predicate extractVariableAndValue(string raw_content, string key, string value)
 bindingset[script]
 predicate singleLineFileWrite(string script, string cmd, string file, string content, string filters) {
   exists(string regexp |
-    regexp = "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>)\\s*(\\S+)" and
+    regexp =
+      "(?i)(echo|printf|write-output)\\s*(.*?)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)" and
     cmd = script.regexpCapture(regexp, 1) and
-    file = trimQuotes(script.regexpCapture(regexp, 4)) and
+    file = trimQuotes(script.regexpCapture(regexp, 5)) and
     filters = "" and
     content = script.regexpCapture(regexp, 2)
   )
@@ -100,18 +101,19 @@ predicate singleLineWorkflowCmd(string script, string cmd, string key, string va
 bindingset[script]
 predicate heredocFileWrite(string script, string cmd, string file, string content, string filters) {
   exists(string regexp |
-    regexp = "(?msi).*^(cat)\\s*(>>|>)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and
+    regexp =
+      "(?msi).*^(cat)\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*<<\\s*['\"]?(\\S+)['\"]?\\s*\n(.*?)\n\\4\\s*$.*" and
     cmd = script.regexpCapture(regexp, 1) and
-    file = trimQuotes(script.regexpCapture(regexp, 3)) and
-    content = script.regexpCapture(regexp, 5) and
+    file = trimQuotes(script.regexpCapture(regexp, 4)) and
+    content = script.regexpCapture(regexp, 6) and
     filters = ""
     or
     regexp =
-      "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and
+      "(?msi).*^(cat)\\s*(<<|<)\\s*[-]?['\"]?(\\S+)['\"]?\\s*([^>]*)(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+)\\s*\n(.*?)\n\\3\\s*$.*" and
     cmd = script.regexpCapture(regexp, 1) and
-    file = trimQuotes(script.regexpCapture(regexp, 6)) and
+    file = trimQuotes(script.regexpCapture(regexp, 7)) and
     filters = script.regexpCapture(regexp, 4) and
-    content = script.regexpCapture(regexp, 7)
+    content = script.regexpCapture(regexp, 8)
   )
 }
 
@@ -142,13 +144,13 @@ predicate blockFileWrite(string script, string cmd, string file, string content,
         //
         "(.*?)" +
         //
-        "(\\s*\\}\\s*(>>|>)\\s*(\\S+))\\s*$.*" and
+        "(\\s*\\}\\s*(>>|>|\\s*\\|\\s*tee\\s*(-a|--append)?)\\s*(\\S+))\\s*$.*" and
     content =
       script
           .regexpCapture(regexp, 1)
           .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*['\"](.*?)['\"]", "$2")
           .regexpReplaceAll("(?m)^\\s*(echo|printf|write-output)\\s*", "") and
-    file = trimQuotes(script.regexpCapture(regexp, 4)) and
+    file = trimQuotes(script.regexpCapture(regexp, 5)) and
     cmd = "echo" and
     filters = ""
   )

ql/test/library-tests/.github/workflows/multiline2.yml

@@ -0,0 +1,89 @@
+on: 
+  workflow_run:
+    workflows: ["Prev"]
+    types:
+      - completed
+
+jobs:
+  Test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo "changelog<<CHANGELOGEOF" | tee -a $GITHUB_OUTPUT
+          echo -e "$FILTERED_CHANGELOG" | tee -a $GITHUB_OUTPUT
+          echo "CHANGELOGEOF" | tee -a $GITHUB_OUTPUT
+      - run: |
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "status<<$EOF" | tee -a $GITHUB_OUTPUT
+          echo "$(cat status.output.json)" | tee -a $GITHUB_OUTPUT
+          echo "$EOF" | tee -a $GITHUB_OUTPUT
+      - run: |
+          echo "response<<$EOF" | tee -a $GITHUB_OUTPUT
+          echo $output | tee -a $GITHUB_OUTPUT
+          echo "$EOF" | tee -a $GITHUB_OUTPUT
+      - run: |
+          {
+            echo 'JSON_RESPONSE<<EOF'
+            ls | grep -E "*.(tar.gz|zip)$"
+            echo EOF
+          } | tee -a "$GITHUB_ENV"
+      - run: |
+          cat <<-"EOF" > event.json
+            ${{ toJson(github.event) }}
+          EOF
+      - name: heredoc11
+        run: |
+          cat | tee -a $GITHUB_ENV << EOL
+          ${ISSUE_BODY}
+          FOO
+          EOL
+      - name: heredoc12
+        run: |
+          cat > issue.txt << EOL
+          ${ISSUE_BODY}
+          FOO
+          EOL
+      - name: heredoc21
+        run: |
+          cat << EOL | tee -a $GITHUB_ENV
+          ${ISSUE_BODY}
+          FOO
+          EOL
+      - name: heredoc22
+        run: |
+          cat <<EOF |  sed 's/l/e/g' > file.txt
+          Hello
+          World
+          EOF
+      - name: heredoc23
+        run: |
+          cat <<-EOF | tee -a "$GITHUB_ENV"
+          echo "FOO=$TITLE"
+          EOF
+      - name: line1
+        run: |
+          echo REPO_NAME=$(cat issue.txt | sed 's/\\r/\\n/g' | grep -ioE '\\s*[a-z0-9_-]+/[a-z0-9_-]+\\s*$' | tr -d ' ') | tee -a $GITHUB_ENV
+      - name: multiline1
+        run: |
+          echo "PR_TITLE<<EOF" | tee -a $GITHUB_ENV
+          echo "$TITLE" | tee -a $GITHUB_ENV
+          echo "EOF" | tee -a $GITHUB_ENV
+      - name: block11
+        run: |
+          {
+            echo 'JSON_RESPONSE<<EOF'
+            echo "$TITLE"
+            echo EOF
+          } | tee -a "$GITHUB_ENV"
+      - name: block12
+        run: |
+          {
+            echo 'JSON_RESPONSE<<EOF'
+            echo '$ISSUE'
+            echo 'EOF'
+          } | tee -a "$GITHUB_ENV"
+      - name: block13
+        run: |
+          {
+            echo 'JSON_RESPONSE<<EOF'
+          } | tee -a "$GITHUB_ENV"

ql/test/library-tests/poisonable_steps.expected

@@ -1,3 +1,5 @@
+| .github/workflows/multiline2.yml:24:9:30:6 | Run Step |
+| .github/workflows/multiline2.yml:63:9:66:6 | Run Step |
 | .github/workflows/multiline.yml:24:9:30:6 | Run Step |
 | .github/workflows/multiline.yml:63:9:66:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:8:9:13:6 | Uses Step |