Add new tests

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -86,8 +86,10 @@ predicate externallyDefinedStoreStep(
   )
 }
 
-predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) {
+predicate externallyDefinedSink(DataFlow::Node sink, string kind) {
   exists(Uses uses, string action, string version, string input |
+    sinkModel(action, version, input, kind) and
+    uses.getCallee() = action.toLowerCase() and
     (
       if input.trim().matches("env.%")
       then sink.asExpr() = uses.getInScopeEnvVarExpr(input.trim().replaceAll("env.", ""))
@@ -96,8 +98,6 @@ predicate externallyDefinedSink(DataFlow::ExprNode sink, string kind) {
         then sink.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
         else none()
     ) and
-    sinkModel(action, version, input, kind) and
-    uses.getCallee() = action.toLowerCase() and
     (
       if version.trim() = "*"
       then uses.getVersion() = any(string v)

ql/src/Security/CWE-078/CommandInjection.ql

@@ -13,6 +13,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

ql/src/Security/CWE-078/CriticalCommandInjection.ql

@@ -13,6 +13,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

ql/src/Security/CWE-094/CodeInjection.ql

@@ -15,6 +15,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

ql/src/Security/CWE-094/CriticalCodeInjection.ql

@@ -15,6 +15,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

ql/src/Security/CWE-918/RequestForgery.ql

@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow

ql/test/library-tests/test.expected

@@ -315,6 +315,9 @@ scopes
 sources
 | ahmadnassri/action-changed-files | * | output.files | pull_request_target | PR changed files |
 | ahmadnassri/action-changed-files | * | output.json | pull_request_target | PR changed files |
+| amannn/action-semantic-pull-request | * | output.error_message | pull_request_target | PR title |
+| cypress-io/github-action | * | env.GH_BRANCH | pull_request_target | PR branch |
+| dawidd6/action-download-artifact | * | output.artifacts | * | Artifact details |
 | dorny/paths-filter | * | output.changes | pull_request_target | PR changed files |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | pull_request_target | PR body |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | pull_request_target | PR title |

ql/test/query-tests/Security/CWE-078/.github/workflows/comment_issue.yml

@@ -0,0 +1,9 @@
+on: issue_comment
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ruby/setup-ruby@v2
+        with:
+          ruby-version: ${{ github.event.comment.body }}

ql/test/query-tests/Security/CWE-078/CommandInjection.expected

@@ -0,0 +1,6 @@
+edges
+nodes
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |

ql/test/query-tests/Security/CWE-078/CommandInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-078/CommandInjection.ql