Add more poisonable steps

Alvaro Muñoz · Alvaro Muñoz · commit ddf72a2cf3c0 · 2024-05-08T22:32:24.000+02:00
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -43,12 +43,19 @@ class LocalCommandExecutionRunStep extends PoisonableStep, Run {
       or
       // sh xxxx
       cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3)
+      or
+      // node xxxx
+      cmd = line.regexpCapture("(^|\\s+)(node|python|ruby|go)\\s+(.*)", 3)
     )
   }
 
   string getCommand() { result = cmd }
 }
 
+class LocalActionUsesStep extends PoisonableStep, UsesStep {
+  LocalActionUsesStep() { this.getCallee().matches("./%") }
+}
+
 class EnvVarInjectionRunStep extends PoisonableStep, Run {
   EnvVarInjectionRunStep() {
     exists(string value |

Original file line number	Diff line number	Diff line change
`@@ -43,12 +43,19 @@ class LocalCommandExecutionRunStep extends PoisonableStep, Run {`
`43`	`43`	`or`
`44`	`44`	`// sh xxxx`
`45`	`45`	`cmd = line.regexpCapture("(^\|\\s+)(ba\|z\|fi)?sh\\s+(.*)", 3)`
	`46`	`+ or`
	`47`	`+ // node xxxx`
	`48`	`+ cmd = line.regexpCapture("(^\|\\s+)(node\|python\|ruby\|go)\\s+(.*)", 3)`
`46`	`49`	`)`
`47`	`50`	`}`
`48`	`51`
`49`	`52`	`string getCommand() { result = cmd }`
`50`	`53`	`}`
`51`	`54`
	`55`	`+class LocalActionUsesStep extends PoisonableStep, UsesStep {`
	`56`	`+ LocalActionUsesStep() { this.getCallee().matches("./%") }`
	`57`	`+}`
	`58`	`+`
`52`	`59`	`class EnvVarInjectionRunStep extends PoisonableStep, Run {`
`53`	`60`	`EnvVarInjectionRunStep() {`
`54`	`61`	`exists(string value \|`