Merge pull request #18540 from JarLob/bash

asgerf · web-flow · commit 16634e6dc9fe · 2025-01-28T09:49:58.000+01:00
Actions: Improve bash support
diff --git a/actions/ql/lib/change-notes/2025-01-20-bash.md b/actions/ql/lib/change-notes/2025-01-20-bash.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
diff --git a/actions/ql/lib/codeql/actions/Bash.qll b/actions/ql/lib/codeql/actions/Bash.qll
@@ -695,6 +695,19 @@ module Bash {
       not varMatchesRegexTest(script, var2, alphaNumericRegex())
     )
     or
+    exists(string var2, string value2, string var3, string value3 |
+      // VAR2=$(cmd)
+      // VAR3=$VAR2
+      // echo "FIELD=${VAR3:-default}" >> $GITHUB_ENV (field, file_write_value)
+      containsCmdSubstitution(value2, cmd) and
+      script.getAnAssignment(var2, value2) and
+      containsParameterExpansion(value3, var2, _, _) and
+      script.getAnAssignment(var3, value3) and
+      containsParameterExpansion(expr, var3, _, _) and
+      not varMatchesRegexTest(script, var2, alphaNumericRegex()) and
+      not varMatchesRegexTest(script, var3, alphaNumericRegex())
+    )
+    or
     // var reaches the file write directly
     // echo "FIELD=$(cmd)" >> $GITHUB_ENV (field, file_write_value)
     containsCmdSubstitution(expr, cmd)
diff --git a/actions/ql/lib/ext/config/untrusted_gh_command.yml b/actions/ql/lib/ext/config/untrusted_gh_command.yml
@@ -7,26 +7,29 @@ extensions:
       # PULL REQUESTS
       #
       # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bheadRefName\\b", "branch,oneline"]
       # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # TITLE=$(gh pr view $PR_NUMBER --json "title")
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\btitle\\b", "title,oneline"]
       # BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bbody\\b", "text,multiline"]
       # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bcomments\\b", "text,multiline"]
       # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bfiles\\b", "filename,multiline"]
       # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') 
-      - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"]
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\bauthor\\b", "username,oneline"]
       #
       # ISSUES
       #
       # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,body)
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json "title,body")
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\btitle\\b", "title,oneline"]
       # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\bbody\\b", "text,multiline"]
       # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\bcomments\\b", "text,multiline"]
       #
       # API
       #
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
@@ -106,7 +106,27 @@ jobs:
           COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
           echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
       - run: echo "${{ steps.comments.outputs.comments}}"
-
+  pulls3:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title1
+        run: |
+          DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")
+          TITLE=$(echo $DETAILS | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title1.outputs.title}}"
+      - id: title2
+        run: |
+          TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")
+          TITLE=$(echo $TITLE | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title2.outputs.title}}"
+      - id: title3
+        run: |
+          TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)
+          TITLE=$(echo $TITLE | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title3.outputs.title}}"
 
 
 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.