feat: Add trigger event to cache poisoning queries

Alvaro Muñoz · Alvaro Muñoz · commit 871193095a9e · 2024-10-29T19:04:02.000+01:00
diff --git a/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql b/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
@@ -67,4 +67,5 @@ where
   ) and
   not step instanceof PoisonableStep
 select step, source, step,
-  "Potential cache poisoning in the context of the default branch " + message
+  "Potential cache poisoning in the context of the default branch " + message + " ($@).", event,
+  event.getName()
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -13,6 +13,8 @@ edges
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | provenance |  |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | provenance |  |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:53:26:53:39 | env.log | provenance |  |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:45:24:45:61 | github.event.changes.title.from | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:66:34:66:52 | env.prev_log | provenance |  |
@@ -232,6 +234,10 @@ nodes
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:22:19:22:37 | inputs.title | semmle.label | inputs.title |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:23:7:30:4 | Uses Step: out [replaced] | semmle.label | Uses Step: out [replaced] |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:27:19:27:37 | inputs.title | semmle.label | inputs.title |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:59:7:74:4 | Run Step: git-commit [file-list] | semmle.label | Run Step: git-commit [file-list] |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:62:12:70:75 | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n | semmle.label | fileList=$(git diff-tree --no-commit-id --name-only HEAD -r)\necho "file-list<<EOF" >> $GITHUB_OUTPUT\necho "$fileList" >> $GITHUB_OUTPUT\necho "EOF" >> $GITHUB_OUTPUT\n\ngit push \\\n  "https://oauth2:${BOT_PA_TOKEN}@github.com/${{ github.event.workflow_run.head_repository.full_name }}.git" \\\n  'HEAD:refs/heads/${{ github.event.workflow_run.head_branch }}'\n |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:70:28:70:71 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/publishResults.yml:80:30:80:70 | steps.git-commit.outputs.file-list | semmle.label | steps.git-commit.outputs.file-list |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable-workflow.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected
@@ -44,9 +44,9 @@ edges
 | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
 | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
 #select
-| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
-| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
+| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache1.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache2.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache3.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache4.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache5.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:13:9:16:6 | Uses Step | .github/workflows/direct_cache6.yml:20:9:26:46 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. ($@). | .github/workflows/direct_cache6.yml:4:3:4:21 | pull_request_target | pull_request_target |
