diff --git a/actions/ql/lib/change-notes/2025-12-05-rename-steps-expression.md b/actions/ql/lib/change-notes/2025-12-05-rename-steps-expression.md
new file mode 100644
index 000000000000..f25afad6b82d
--- /dev/null
+++ b/actions/ql/lib/change-notes/2025-12-05-rename-steps-expression.md
@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The class `StepsExpression` has been deprecated. Use the new class `StepOutputExpression` instead, which has the same functionality.
diff --git a/actions/ql/lib/codeql/actions/Ast.qll b/actions/ql/lib/codeql/actions/Ast.qll
index 6e76e4cd665a..9fc69f7bea9e 100644
--- a/actions/ql/lib/codeql/actions/Ast.qll
+++ b/actions/ql/lib/codeql/actions/Ast.qll
@@ -383,7 +383,12 @@ class GitHubExpression extends SimpleReferenceExpression instanceof GitHubExpres
 class SecretsExpression extends SimpleReferenceExpression instanceof SecretsExpressionImpl { }
-class StepsExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl {
+/**
+ * DEPRECATED: Use `StepOutputExpression` instead.
+ */
+deprecated class StepsExpression = StepOutputExpression;
+
+class StepOutputExpression extends SimpleReferenceExpression instanceof StepsExpressionImpl {
 string getStepId() { result = super.getStepId() }
 }
diff --git a/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
index 56e2c75123c0..9d8700f59def 100644
--- a/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/TaintSteps.qll
@@ -37,7 +37,7 @@ predicate fileDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
 * A read of the _files field of the dorny/paths-filter action.
 */
 predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- exists(StepsExpression o |
+ exists(StepOutputExpression o |
 pred instanceof DornyPathsFilterSource and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
 o.getFieldName().matches("%_files") and
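Review bot: The new public class `StepOutputExpression` in the Ast.qll hunk has no QLDoc, while the deprecated alias directly above it does; since this is the name the change note now directs users to, it is the one that should carry the description. A one-liner above the `class StepOutputExpression` line would do, e.g. `/** A reference to an output of a previous step, such as steps.<id>.outputs.<name>. */`. The `StepsExpression` to `StepOutputExpression` renames in the TaintSteps.qll hunks are mechanical and need nothing further.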
@@ -49,7 +49,7 @@ predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
 * A read of user-controlled field of the tj-actions/changed-files action.
 */
 predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- exists(StepsExpression o |
+ exists(StepOutputExpression o |
 pred instanceof TJActionsChangedFilesSource and
 o.getTarget() = pred.asExpr() and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
@@ -69,7 +69,7 @@ predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node suc
 * A read of user-controlled field of the tj-actions/verify-changed-files action.
 */
 predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- exists(StepsExpression o |
+ exists(StepOutputExpression o |
 pred instanceof TJActionsVerifyChangedFilesSource and
 o.getTarget() = pred.asExpr() and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
@@ -82,7 +82,7 @@ predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::No
 * A read of user-controlled field of the xt0rted/slash-command-action action.
 */
 predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- exists(StepsExpression o |
+ exists(StepOutputExpression o |
 pred instanceof Xt0rtedSlashCommandSource and
 o.getTarget() = pred.asExpr() and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
@@ -95,7 +95,7 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node
 * A read of user-controlled field of the zentered/issue-forms-body-parser action.
 */
 predicate zenteredIssueFormBodyParserSource(DataFlow::Node pred, DataFlow::Node succ) {
- exists(StepsExpression o |
+ exists(StepOutputExpression o |
 pred instanceof ZenteredIssueFormBodyParserSource and
 o.getTarget() = pred.asExpr() and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
@@ -114,7 +114,7 @@ predicate zenteredIssueFormBodyParserSource(DataFlow::Node pred, DataFlow::Node
 * A read of user-controlled field of the octokit/request-action action.
 */
 predicate octokitRequestActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
- exists(StepsExpression o |
+ exists(StepOutputExpression o |
 pred instanceof OctokitRequestActionSource and
 o.getTarget() = pred.asExpr() and
 o.getStepId() = pred.asExpr().(UsesStep).getId() and
diff --git a/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index cf95292588c3..d2bc7a53cade 100644
--- a/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -150,7 +150,7 @@ newtype TContent =
 TFieldContent(string name) {
 // We only use field flow for env, steps and jobs outputs
 // not for accessing other context fields such as matrix or inputs
- name = any(StepsExpression a).getFieldName() or
+ name = any(StepOutputExpression a).getFieldName() or
 name = any(NeedsExpression a).getFieldName() or
 name = any(JobsExpression a).getFieldName() or
 name = any(EnvExpression a).getFieldName()
@@ -205,7 +205,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos =
 * field name.
 */
 predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) {
- exists(Uses astFrom, StepsExpression astTo |
+ exists(Uses astFrom, StepOutputExpression astTo |
 madSource(nodeFrom, _, "output." + ["*", astTo.getFieldName()]) and
 astFrom = nodeFrom.asExpr() and
 astTo = nodeTo.asExpr() and
@@ -310,7 +310,7 @@ predicate ctxFieldReadStep(Node node1, Node node2, ContentSet c) {
 exists(SimpleReferenceExpression access |
 (
 access instanceof NeedsExpression or
- access instanceof StepsExpression or
+ access instanceof StepOutputExpression or
 access instanceof JobsExpression or
 access instanceof EnvExpression
 ) and
diff --git a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
index 3d5b8852b850..82cc7ea412c3 100644
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -48,6 +48,22 @@ Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
 )
 }
+private predicate codeInjectionAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+ exists(Uses step |
+ pred instanceof FileSource and
+ pred.asExpr().(Step).getAFollowingStep() = step and
+ succ.asExpr() = step and
+ madSink(succ, "code-injection")
+ )
+ or
+ exists(Run run |
+ pred instanceof FileSource and
+ pred.asExpr().(Step).getAFollowingStep() = run and
+ succ.asExpr() = run.getScript() and
+ exists(run.getScript().getAFileReadCommand())
+ )
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that is used to construct and evaluate a code script.
@@ -58,19 +74,7 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
- exists(Uses step |
- pred instanceof FileSource and
- pred.asExpr().(Step).getAFollowingStep() = step and
- succ.asExpr() = step and
- madSink(succ, "code-injection")
- )
- or
- exists(Run run |
- pred instanceof FileSource and
- pred.asExpr().(Step).getAFollowingStep() = run and
- succ.asExpr() = run.getScript() and
- exists(run.getScript().getAFileReadCommand())
- )
+ codeInjectionAdditionalFlowStep(pred, succ)
 }
 predicate observeDiffInformedIncrementalMode() { any() }
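Review bot: `codeInjectionAdditionalFlowStep` is a new top-level predicate with no QLDoc, and its two disjuncts encode policy that is not obvious from the code alone: a `FileSource` step taints any following `Uses` step that is a code-injection sink, and any following `Run` script that contains a file-read command. Now that the logic is shared by two configurations, a short QLDoc above the `private predicate` line would help, e.g. `/** Holds if a file produced by the FileSource step pred may be consumed by a following step succ: either a Uses step that is a code-injection sink, or a Run script that contains a file-read command. */`. The second hunk in this file is a pure extraction of the same body and needs nothing further.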
@@ -87,6 +91,64 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 module CodeInjectionFlow = TaintTracking::Global;
+private predicate knownSafeAction(string action) {
+ action =
+ [
+ // Setup actions - version/cache outputs are deterministic
+ "actions/setup-java",
+ "actions/setup-python",
+ "actions/setup-node",
+ "actions/setup-go",
+ "actions/setup-dotnet",
+ "actions/cache",
+ "actions/download-artifact",
+ "actions/configure-pages",
+ "actions/attest-build-provenance",
+ "actions/create-github-app-token",
+ "oracle-actions/setup-java",
+ "spring-io/artifactory-deploy-action",
+ "YunaBraska/java-info-action",
+ // Docker actions - digest/version outputs are system-generated
+ "docker/build-push-action",
+ "docker/metadata-action",
+ "docker/setup-buildx-action",
+ // PR/repo automation - outputs are GitHub-assigned identifiers
+ "dorny/test-reporter",
+ "peter-evans/create-pull-request",
+ // AWS actions - outputs are AWS-generated identifiers
+ "aws-actions/aws-codebuild-run-build",
+ // Security/crypto actions - outputs are cryptographic, not user-controllable
+ "crazy-max/ghaction-import-gpg",
+ // Hardware/system info actions - outputs are deterministic
+ "SimonShi1994/cpu-cores"
+ ]
+}
+
+/**
+ * A taint-tracking configuration for step outputs
+ * that are used to construct and evaluate a code script.
+ */
+private module CodeInjectionFromStepOutputConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ exists(StepOutputExpression soe, UsesStep us |
+ soe = source.asExpr() and soe.getStepId() = us.getId()
+ |
+ not knownSafeAction(us.getCallee())
+ )
+ }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+ predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+ codeInjectionAdditionalFlowStep(pred, succ)
+ }
+
+ predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module CodeInjectionFromStepOutputFlow = TaintTracking::Global;
+
 /**
 * Holds if there is a code injection flow from `source` to `sink` with
 * critical severity, linked by `event`.
@@ -110,6 +172,16 @@ predicate mediumSeverityCodeInjection(
 not isGithubScriptUsingToJson(sink.getNode().asExpr())
 }
+/**
+ * Holds if there is a code injection flow from `source` to `sink` with low severity.
+ */
+predicate lowSeverityCodeInjection(
+ CodeInjectionFromStepOutputFlow::PathNode source, CodeInjectionFromStepOutputFlow::PathNode sink
+) {
+ CodeInjectionFromStepOutputFlow::flowPath(source, sink) and
+ not isGithubScriptUsingToJson(sink.getNode().asExpr())
+}
+
 /**
 * Holds if `expr` is the `script` input to `actions/github-script` and it uses
 * `toJson`.
diff --git a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
index 9668fce2ae00..830c21b3af65 100644
--- a/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
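Review bot: `isSource` in `CodeInjectionFromStepOutputConfig` compares `us.getCallee()` against the `knownSafeAction` list with exact string equality, and two entries (`YunaBraska/java-info-action`, `SimonShi1994/cpu-cores`) are mixed-case; if `getCallee()` normalizes action names to lower case (not visible from this hunk), those two entries can never match and their step outputs are reported despite the allowlist, so either confirm the normalization and lower-case the entries, or compare case-insensitively. Separately, the source requires a `UsesStep` whose id matches the expression, so outputs written by `run:` steps are not sources of this query, yet the example in the accompanying CodeInjectionLow.md uses exactly that `run:`-based pattern; if limiting to `uses:` steps is intended, the qhelp example should be changed to a `uses:` step, otherwise `isSource` needs an `or` branch for `Run` steps. Since every allowlist entry is a claim that an action's outputs are not attacker-influenced, a one-line admission rule above the list, e.g. `// Add an action here only when every output it sets is derived from trusted, non-user-controlled input`, would make future additions reviewable against a stated criterion.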
@@ -33,7 +33,7 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
 )
 or
 // 3rd party actions returning the PR head ref
- exists(StepsExpression e, UsesStep step |
+ exists(StepOutputExpression e, UsesStep step |
 source.asExpr() = e and
 e.getStepId() = step.getId() and
 (
@@ -86,7 +86,7 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
 )
 or
 // 3rd party actions returning the PR head sha
- exists(StepsExpression e, UsesStep step |
+ exists(StepOutputExpression e, UsesStep step |
 source.asExpr() = e and
 e.getStepId() = step.getId() and
 (
@@ -243,7 +243,7 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
 exists(string value, Expression expr |
 value.regexpMatch(".*(head|branch|ref).*") and expr = this.getArgumentExpr("ref")
 |
- expr.(StepsExpression).getStepId() = value
+ expr.(StepOutputExpression).getStepId() = value
 or
 expr.(SimpleReferenceExpression).getFieldName() = value and
 not expr instanceof GitHubExpression
@@ -278,7 +278,7 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 exists(string value, Expression expr |
 value.regexpMatch(".*(head|sha|commit).*") and expr = this.getArgumentExpr("ref")
 |
- expr.(StepsExpression).getStepId() = value
+ expr.(StepOutputExpression).getStepId() = value
 or
 expr.(SimpleReferenceExpression).getFieldName() = value and
 not expr instanceof GitHubExpression
diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionLow.md b/actions/ql/src/Security/CWE-094/CodeInjectionLow.md
new file mode 100644
index 000000000000..0862a5334666
--- /dev/null
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionLow.md
@@ -0,0 +1,91 @@
+## Overview
+
+Using the output of a previous workflow step in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_ if the step output can be controlled by a malicious actor. This alert does not always indicate a vulnerability, as step outputs are often derived from trusted sources and cannot be controlled by an attacker. However, if the step output originates from user-controlled data (such as issue comments, pull request titles, or commit messages), it may be exploitable.
+
+If a step output is user-controlled, code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
+
+## Recommendation
+
+First, determine whether the step output can actually be controlled by an attacker. Trace the data flow from the step that sets the output to understand where the value originates. If the output is derived from trusted sources (such as hardcoded values, repository settings, or authenticated API responses), the risk is minimal.
+
+If the step output can be user-controlled, the best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Example
+
+### Incorrect Usage
+
+The following example lets attackers inject an arbitrary shell command if output `message` of the step `get-message` is derived from user-controlled data:
+
+```yaml
+jobs:
+ echo-message:
+ runs-on: ubuntu-latest
+ steps:
+ - id: get-message
+ run: |
+ # If this value comes from user input, it is vulnerable
+ echo "message=$USER_INPUT" >> $GITHUB_OUTPUT
+ - run: |
+ echo '${{ steps.get-message.outputs.message }}'
+```
+
+The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:
+
+```yaml
+jobs:
+ echo-message:
+ runs-on: ubuntu-latest
+ steps:
+ - id: get-message
+ run: |
+ echo "message=$USER_INPUT" >> $GITHUB_OUTPUT
+ - env:
+ MESSAGE: ${{ steps.get-message.outputs.message }}
+ run: |
+ echo '${{ env.MESSAGE }}'
+```
+
+### Correct Usage
+
+The following example uses shell syntax to read the environment variable and will prevent the attack:
+
+```yaml
+jobs:
+ echo-message:
+ runs-on: ubuntu-latest
+ steps:
+ - id: get-message
+ run: |
+ echo "message=$USER_INPUT" >> $GITHUB_OUTPUT
+ - env:
+ MESSAGE: ${{ steps.get-message.outputs.message }}
+ run: |
+ echo "$MESSAGE"
+```
+
+The following example uses `process.env` to read environment variables within JavaScript code.
+
+```yaml
+jobs:
+ echo-message:
+ runs-on: ubuntu-latest
+ steps:
+ - id: get-message
+ run: |
+ echo "message=$USER_INPUT" >> $GITHUB_OUTPUT
+ - uses: actions/github-script@v4
+ env:
+ MESSAGE: ${{ steps.get-message.outputs.message }}
+ with:
+ script: |
+ const { MESSAGE } = process.env
+ ...
+```
+
+## References
+
+- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).
+- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
diff --git a/actions/ql/src/Security/CWE-094/CodeInjectionLow.ql b/actions/ql/src/Security/CWE-094/CodeInjectionLow.ql
new file mode 100644
index 000000000000..7c73396b8b29
--- /dev/null
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionLow.ql
@@ -0,0 +1,26 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision low
+ * @id actions/code-injection/low
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFromStepOutputFlow::PathGraph
+
+from
+ CodeInjectionFromStepOutputFlow::PathNode source, CodeInjectionFromStepOutputFlow::PathNode sink
+where lowSeverityCodeInjection(source, sink)
+select sink.getNode(), source, sink,
+ "Potential code injection in $@, which may be controlled by an external user because it comes from a step output.",
+ sink, sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/actions/ql/src/change-notes/2025-12-05-add-code-injection-low-query.md b/actions/ql/src/change-notes/2025-12-05-add-code-injection-low-query.md
new file mode 100644
index 000000000000..74b996009c60
--- /dev/null
+++ b/actions/ql/src/change-notes/2025-12-05-add-code-injection-low-query.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Add a new query `actions/code-injection/low` to detect potential code injection vulnerabilities in GitHub Actions workflows where data flows from a step output to a code injection sink.
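Review bot: The metadata of CodeInjectionLow.ql does not distinguish this variant from the other code-injection queries: `@name Code injection` and the generic `@description` say nothing about step outputs, so alerts from `actions/code-injection/low` will presumably be listed under the same title as the existing critical and medium variants, and only the alert message reveals the step-output origin. Consider `@name Code injection from step output` and a description such as `@description Using the output of a previous step to build a script may allow arbitrary code execution if that output is attacker-controlled.`. The `@precision low` and `@problem.severity warning` pairing is consistent with the "does not always indicate a vulnerability" framing in the qhelp and reads as intended.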
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
new file mode 100644
index 000000000000..eee343239d25
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected
@@ -0,0 +1,253 @@ +edges +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | provenance | | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | provenance | | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | provenance | | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | provenance | | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | provenance | | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | provenance | | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | provenance | | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | provenance | | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job0.yml:15:20:15:50 | 
steps.step.outputs.value | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | provenance | | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | provenance | | 
+| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | provenance | | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | provenance | | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance | | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance | | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | provenance | | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | provenance | | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:27:18:27:75 | 
fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | provenance | | +| .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | provenance | | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [matrix] | .github/workflows/test10.yml:568:49:568:81 | needs.setup.outputs.matrix | provenance | | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [test_map] | .github/workflows/test10.yml:181:17:181:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | provenance | | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [test_map] | .github/workflows/test10.yml:203:128:203:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | provenance | | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [test_map] | .github/workflows/test10.yml:274:17:274:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | provenance | | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [test_map] | .github/workflows/test10.yml:298:128:298:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | provenance | | +| .github/workflows/test10.yml:41:16:41:53 | steps.set-matrix.outputs.matrix | .github/workflows/test10.yml:41:7:43:4 | Job outputs node [matrix] | provenance | | +| .github/workflows/test10.yml:42:18:42:57 | steps.set-matrix.outputs.test_map | .github/workflows/test10.yml:41:7:43:4 | Job outputs node [test_map] | provenance | | +| .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance | | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | 
provenance | | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | provenance | | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | provenance | | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | provenance | | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | provenance | | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | provenance | | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | provenance | | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | provenance | | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | provenance | | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | provenance | | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | provenance | | +nodes +| .github/actions/action5/action.yml:9:3:14:46 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | semmle.label | steps.step.outputs.result | +| .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:14:3:16:45 | output Job outputs node [result] | semmle.label | output Job outputs node [result] | +| 
.github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | semmle.label | steps.out.outputs.replaced | +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | semmle.label | steps.artifact.outputs.content | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id | +| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files | +| .github/workflows/changed-files.yml:29:24:29:76 | steps.changed-files2.outputs.all_changed_files | semmle.label | steps.changed-files2.outputs.all_changed_files | +| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files | +| .github/workflows/changed-files.yml:49:24:49:76 | steps.changed-files4.outputs.all_changed_files | semmle.label | steps.changed-files4.outputs.all_changed_files | +| .github/workflows/changed-files.yml:58:24:58:76 | 
steps.changed-files5.outputs.all_changed_files | semmle.label | steps.changed-files5.outputs.all_changed_files | +| .github/workflows/composite-action-caller-3.yml:9:9:13:6 | Uses Step: foo [result] | semmle.label | Uses Step: foo [result] | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | semmle.label | steps.foo.outputs.result | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | semmle.label | steps.foo.outputs.result2 | +| .github/workflows/composite-action-caller-4.yml:10:9:17:6 | Uses Step: clone [result] | semmle.label | Uses Step: clone [result] | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | semmle.label | steps.clone.outputs.result | +| .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | semmle.label | env.pr_message | +| .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced | +| .github/workflows/cross3.yml:68:11:68:38 | env.ISSUE_BODY_PARSED | semmle.label | env.ISSUE_BODY_PARSED | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:47:27:47:66 | steps.search-patch.outputs.result | semmle.label | steps.search-patch.outputs.result | +| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job0.yml:30:20:30:64 | 
steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | semmle.label | 
steps.source.outputs.all_changed_files | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | semmle.label | needs.job1.outputs.job_output | +| .github/workflows/json_wrap.yml:32:33:32:65 | steps.search.outputs.issue | semmle.label | steps.search.outputs.issue | +| .github/workflows/json_wrap.yml:58:39:58:69 | steps.create.outputs.issue | semmle.label | steps.create.outputs.issue | +| .github/workflows/no-flow2.yml:32:24:32:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | semmle.label | steps.summary.outputs.value | +| .github/workflows/simple1.yml:19:18:19:47 | steps.summary.outputs.foo | semmle.label | steps.summary.outputs.foo | +| .github/workflows/simple2.yml:18:9:26:6 | Uses Step: step [value] | semmle.label | Uses Step: step [value] | +| .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | semmle.label | steps.source.outputs.all_changed_files | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | semmle.label | steps.step.outputs.value | +| .github/workflows/simple2.yml:36:24:36:74 | steps.source.outputs.all_changed_files_count | semmle.label | steps.source.outputs.all_changed_files_count | +| .github/workflows/slash_command1.yml:19:21:19:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | +| 
.github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | semmle.label | steps.command.outputs.command-arguments | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files | +| .github/workflows/test2.yml:28:25:28:60 | steps.changed.outputs.changes | semmle.label | steps.changed.outputs.changes | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files | +| .github/workflows/test2.yml:40:25:40:61 | steps.changed2.outputs.changes | semmle.label | steps.changed2.outputs.changes | +| .github/workflows/test2.yml:51:25:51:66 | steps.changed3.outputs.locale_files | semmle.label | steps.changed3.outputs.locale_files | +| .github/workflows/test2.yml:52:25:52:61 | steps.changed3.outputs.changes | semmle.label | steps.changed3.outputs.changes | +| .github/workflows/test2.yml:63:25:63:66 | steps.changed4.outputs.locale_files | semmle.label | steps.changed4.outputs.locale_files | +| .github/workflows/test2.yml:64:25:64:61 | steps.changed4.outputs.changes | semmle.label | steps.changed4.outputs.changes | +| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref | +| .github/workflows/test9.yml:10:7:11:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] | +| 
.github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | semmle.label | fromJson(needs.parse-issue.outputs.payload) | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | semmle.label | fromJson(needs.parse-issue.outputs.payload).version | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [matrix] | semmle.label | Job outputs node [matrix] | +| .github/workflows/test10.yml:41:7:43:4 | Job outputs node [test_map] | semmle.label | Job outputs node [test_map] | +| .github/workflows/test10.yml:41:16:41:53 | steps.set-matrix.outputs.matrix | semmle.label | steps.set-matrix.outputs.matrix | +| .github/workflows/test10.yml:42:18:42:57 | steps.set-matrix.outputs.test_map | semmle.label | steps.set-matrix.outputs.test_map | +| .github/workflows/test10.yml:181:17:181:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | semmle.label | fromJson(needs.setup.outputs.test_map)[matrix.folders] | +| .github/workflows/test10.yml:203:128:203:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | semmle.label | fromJson(needs.setup.outputs.test_map)[matrix.folders] | +| .github/workflows/test10.yml:274:17:274:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | semmle.label | fromJson(needs.setup.outputs.test_map)[matrix.folders] | +| 
.github/workflows/test10.yml:298:128:298:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | semmle.label | fromJson(needs.setup.outputs.test_map)[matrix.folders] | +| .github/workflows/test10.yml:568:49:568:81 | needs.setup.outputs.matrix | semmle.label | needs.setup.outputs.matrix | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | semmle.label | steps.get-pr.outputs.data | +| .github/workflows/test17.yml:41:29:41:88 | fromJson(steps.get-pr-details.outputs.data).mergeable | semmle.label | fromJson(steps.get-pr-details.outputs.data).mergeable | +| .github/workflows/test17.yml:44:30:44:88 | fromJson(steps.get-pr-details.outputs.data).base.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).base.ref | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | semmle.label | fromJson(steps.get-pr-details.outputs.data).head.ref | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | semmle.label | fromJson(steps.get-pull-request.outputs.data).title | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | semmle.label | steps.issues.outputs.data | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) | +| .github/workflows/test.yml:11:7:13:4 | Job outputs 
node [job_output] | semmle.label | Job outputs node [job_output] | +| .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 | +| .github/workflows/test.yml:23:9:27:6 | Run Step: step1 [MSG] | semmle.label | Run Step: step1 [MSG] | +| .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | semmle.label | steps.step0.outputs.value | +| .github/workflows/test.yml:27:9:31:6 | Run Step: step2 [MSG2] | semmle.label | Run Step: step2 [MSG2] | +| .github/workflows/test.yml:29:19:29:46 | steps.step1.outputs.MSG | semmle.label | steps.step1.outputs.MSG | +| .github/workflows/test.yml:31:9:35:6 | Run Step: step3 [MSG3] | semmle.label | Run Step: step3 [MSG3] | +| .github/workflows/test.yml:33:20:33:48 | steps.step2.outputs.MSG2 | semmle.label | steps.step2.outputs.MSG2 | +| .github/workflows/test.yml:35:9:39:6 | Run Step: step4 [MSG4] | semmle.label | Run Step: step4 [MSG4] | +| .github/workflows/test.yml:37:20:37:48 | steps.step3.outputs.MSG3 | semmle.label | steps.step3.outputs.MSG3 | +| .github/workflows/test.yml:39:9:44:2 | Run Step: step5 [MSG5] | semmle.label | Run Step: step5 [MSG5] | +| .github/workflows/test.yml:41:20:41:48 | steps.step4.outputs.MSG4 | semmle.label | steps.step4.outputs.MSG4 | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | semmle.label | needs.job1.outputs['job_output'] | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | semmle.label | steps.artifact.outputs.pr_number | +subpaths +#select +| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | +| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} | +| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | +| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} | +| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | +| .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/artifactpoisoning7.yml:30:20:30:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | +| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} | +| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:29:24:29:76 | steps.changed-files2.outputs.all_changed_files | .github/workflows/changed-files.yml:29:24:29:76 | steps.changed-files2.outputs.all_changed_files | .github/workflows/changed-files.yml:29:24:29:76 | steps.changed-files2.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/changed-files.yml:29:24:29:76 | steps.changed-files2.outputs.all_changed_files | ${{ steps.changed-files2.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:49:24:49:76 | steps.changed-files4.outputs.all_changed_files | .github/workflows/changed-files.yml:49:24:49:76 | steps.changed-files4.outputs.all_changed_files | .github/workflows/changed-files.yml:49:24:49:76 | steps.changed-files4.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/changed-files.yml:49:24:49:76 | steps.changed-files4.outputs.all_changed_files | ${{ steps.changed-files4.outputs.all_changed_files }} | +| .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/actions/action5/action.yml:11:13:11:44 | steps.step.outputs.result | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | +| .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/composite-action-caller-3.yml:13:21:13:51 | steps.foo.outputs.result | ${{ steps.foo.outputs.result }} | +| .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/composite-action-caller-3.yml:14:21:14:52 | steps.foo.outputs.result2 | ${{ steps.foo.outputs.result2 }} | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/actions/external/TestOrg/TestRepo/.github/actions/clone-repo/action.yaml:16:13:16:45 | steps.out.outputs.replaced | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | +| .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/composite-action-caller-4.yml:17:21:17:53 | steps.clone.outputs.result | ${{ steps.clone.outputs.result }} | +| .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/cross3.yml:42:86:42:113 | env.ISSUE_BODY_PARSED | ${{ env.ISSUE_BODY_PARSED }} | +| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced | .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/cross3.yml:53:89:53:107 | env.pr_message | ${{env.pr_message}} | +| .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:47:27:47:66 | steps.search-patch.outputs.result | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:47:27:47:66 | steps.search-patch.outputs.result | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:47:27:47:66 | steps.search-patch.outputs.result | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/external/TestOrg/TestRepo/.github/workflows/publishResults.yml:47:27:47:66 | steps.search-patch.outputs.result | ${{ steps.search-patch.outputs.result }} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job0.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/inter-job0.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | .github/workflows/inter-job1.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/inter-job1.yml:43:20:43:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:15:20:15:50 | steps.step.outputs.value | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:30:20:30:64 | steps.source.outputs.all_changed_files | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} | +| .github/workflows/json_wrap.yml:32:33:32:65 | steps.search.outputs.issue | .github/workflows/json_wrap.yml:32:33:32:65 | steps.search.outputs.issue | .github/workflows/json_wrap.yml:32:33:32:65 | steps.search.outputs.issue | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/json_wrap.yml:32:33:32:65 | steps.search.outputs.issue | ${{ steps.search.outputs.issue }} | +| .github/workflows/json_wrap.yml:58:39:58:69 | steps.create.outputs.issue | .github/workflows/json_wrap.yml:58:39:58:69 | steps.create.outputs.issue | .github/workflows/json_wrap.yml:58:39:58:69 | steps.create.outputs.issue | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/json_wrap.yml:58:39:58:69 | steps.create.outputs.issue | ${{steps.create.outputs.issue}} | +| .github/workflows/no-flow2.yml:32:24:32:54 | steps.step.outputs.value | .github/workflows/no-flow2.yml:32:24:32:54 | steps.step.outputs.value | .github/workflows/no-flow2.yml:32:24:32:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/no-flow2.yml:32:24:32:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | +| .github/workflows/simple1.yml:19:18:19:47 | steps.summary.outputs.foo | .github/workflows/simple1.yml:19:18:19:47 | steps.summary.outputs.foo | .github/workflows/simple1.yml:19:18:19:47 | steps.summary.outputs.foo | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/simple1.yml:19:18:19:47 | steps.summary.outputs.foo | ${{steps.summary.outputs.foo}} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | +| .github/workflows/simple2.yml:36:24:36:74 | steps.source.outputs.all_changed_files_count | .github/workflows/simple2.yml:36:24:36:74 | steps.source.outputs.all_changed_files_count | .github/workflows/simple2.yml:36:24:36:74 | steps.source.outputs.all_changed_files_count | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/simple2.yml:36:24:36:74 | steps.source.outputs.all_changed_files_count | ${{ steps.source.outputs.all_changed_files_count }} | +| .github/workflows/slash_command1.yml:19:21:19:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command1.yml:19:21:19:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command1.yml:19:21:19:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/slash_command1.yml:19:21:19:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | +| .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/slash_command2.yml:20:21:20:66 | steps.command.outputs.command-arguments | ${{ steps.command.outputs.command-arguments }} | +| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} | +| .github/workflows/test2.yml:28:25:28:60 | steps.changed.outputs.changes | .github/workflows/test2.yml:28:25:28:60 | steps.changed.outputs.changes | .github/workflows/test2.yml:28:25:28:60 | steps.changed.outputs.changes | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test2.yml:28:25:28:60 | steps.changed.outputs.changes | ${{ steps.changed.outputs.changes }} | +| .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} | +| .github/workflows/test2.yml:40:25:40:61 | steps.changed2.outputs.changes | .github/workflows/test2.yml:40:25:40:61 | steps.changed2.outputs.changes | .github/workflows/test2.yml:40:25:40:61 | steps.changed2.outputs.changes | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test2.yml:40:25:40:61 | steps.changed2.outputs.changes | ${{ steps.changed2.outputs.changes }} | +| .github/workflows/test2.yml:51:25:51:66 | steps.changed3.outputs.locale_files | .github/workflows/test2.yml:51:25:51:66 | steps.changed3.outputs.locale_files | .github/workflows/test2.yml:51:25:51:66 | steps.changed3.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test2.yml:51:25:51:66 | steps.changed3.outputs.locale_files | ${{ steps.changed3.outputs.locale_files }} | +| .github/workflows/test2.yml:52:25:52:61 | steps.changed3.outputs.changes | .github/workflows/test2.yml:52:25:52:61 | steps.changed3.outputs.changes | .github/workflows/test2.yml:52:25:52:61 | steps.changed3.outputs.changes | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test2.yml:52:25:52:61 | steps.changed3.outputs.changes | ${{ steps.changed3.outputs.changes }} | +| .github/workflows/test2.yml:63:25:63:66 | steps.changed4.outputs.locale_files | .github/workflows/test2.yml:63:25:63:66 | steps.changed4.outputs.locale_files | .github/workflows/test2.yml:63:25:63:66 | steps.changed4.outputs.locale_files | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test2.yml:63:25:63:66 | steps.changed4.outputs.locale_files | ${{ steps.changed4.outputs.locale_files }} | +| .github/workflows/test2.yml:64:25:64:61 | steps.changed4.outputs.changes | .github/workflows/test2.yml:64:25:64:61 | steps.changed4.outputs.changes | .github/workflows/test2.yml:64:25:64:61 | steps.changed4.outputs.changes | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test2.yml:64:25:64:61 | steps.changed4.outputs.changes | ${{ steps.changed4.outputs.changes }} | +| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} | +| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} | +| .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test9.yml:20:20:20:73 | steps.issue_body_parser_request.outputs.payload | ${{ steps.issue_body_parser_request.outputs.payload }} | +| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test9.yml:25:18:25:57 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} | +| .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test9.yml:26:18:26:67 | fromJson(needs.parse-issue.outputs.payload) | ${{ fromJson(needs.parse-issue.outputs.payload) }} | +| .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test9.yml:27:18:27:75 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | +| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | .github/workflows/test9.yml:10:17:10:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test9.yml:31:42:31:99 | fromJson(needs.parse-issue.outputs.payload).version | ${{ fromJson(needs.parse-issue.outputs.payload).version }} | +| .github/workflows/test10.yml:181:17:181:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | .github/workflows/test10.yml:42:18:42:57 | steps.set-matrix.outputs.test_map | .github/workflows/test10.yml:181:17:181:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test10.yml:181:17:181:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} | +| .github/workflows/test10.yml:203:128:203:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | .github/workflows/test10.yml:42:18:42:57 | steps.set-matrix.outputs.test_map | .github/workflows/test10.yml:203:128:203:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test10.yml:203:128:203:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} | +| .github/workflows/test10.yml:274:17:274:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | .github/workflows/test10.yml:42:18:42:57 | steps.set-matrix.outputs.test_map | .github/workflows/test10.yml:274:17:274:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test10.yml:274:17:274:77 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} | +| .github/workflows/test10.yml:298:128:298:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | .github/workflows/test10.yml:42:18:42:57 | steps.set-matrix.outputs.test_map | .github/workflows/test10.yml:298:128:298:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test10.yml:298:128:298:188 | fromJson(needs.setup.outputs.test_map)[matrix.folders] | ${{ fromJson(needs.setup.outputs.test_map)[matrix.folders] }} | +| .github/workflows/test10.yml:568:49:568:81 | needs.setup.outputs.matrix | .github/workflows/test10.yml:41:16:41:53 | steps.set-matrix.outputs.matrix | .github/workflows/test10.yml:568:49:568:81 | needs.setup.outputs.matrix | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test10.yml:568:49:568:81 | needs.setup.outputs.matrix | ${{ needs.setup.outputs.matrix }} | +| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test17.yml:25:41:25:72 | steps.get-pr.outputs.data | ${{ steps.get-pr.outputs.data }} | +| .github/workflows/test17.yml:41:29:41:88 | fromJson(steps.get-pr-details.outputs.data).mergeable | .github/workflows/test17.yml:41:29:41:88 | fromJson(steps.get-pr-details.outputs.data).mergeable | .github/workflows/test17.yml:41:29:41:88 | fromJson(steps.get-pr-details.outputs.data).mergeable | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test17.yml:41:29:41:88 | fromJson(steps.get-pr-details.outputs.data).mergeable | ${{ fromJson(steps.get-pr-details.outputs.data).mergeable }} | +| .github/workflows/test17.yml:44:30:44:88 | fromJson(steps.get-pr-details.outputs.data).base.ref | .github/workflows/test17.yml:44:30:44:88 | fromJson(steps.get-pr-details.outputs.data).base.ref | .github/workflows/test17.yml:44:30:44:88 | fromJson(steps.get-pr-details.outputs.data).base.ref | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test17.yml:44:30:44:88 | fromJson(steps.get-pr-details.outputs.data).base.ref | ${{ fromJson(steps.get-pr-details.outputs.data).base.ref }} | +| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test17.yml:45:30:45:88 | fromJson(steps.get-pr-details.outputs.data).head.ref | ${{ fromJson(steps.get-pr-details.outputs.data).head.ref }} | +| .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test17.yml:56:22:56:53 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test17.yml:69:13:71:55 | fromJson(steps.get-pull-request.outputs.data).title | ${{ fromJson(steps.get-pull-request.outputs.data).title }} | +| .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test18.yml:18:18:18:49 | steps.issues.outputs.data | ${{ steps.issues.outputs.data }} | +| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | +| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | +| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | +| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | +| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. 
| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | +| .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | +| .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user because it comes from a step output. | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref
new file mode 100644
index 000000000000..e0f202ee24c3
--- /dev/null
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.qlref
@@ -0,0 +1 @@
+Security/CWE-094/CodeInjectionLow.ql