From 5d1da861a246aee07514119742ee6a5f7625d4f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 6 Sep 2024 23:21:41 +0200
Subject: [PATCH] fix: Use YamlScalar for booleans

---
 .../Security/CWE-312/ActionsArtifactLeak.ql | 2 +-
 .../CWE-312/.github/workflows/test.yml | 22 +++++++++++++++++++
 .../CWE-312/ActionsArtifactLeak.expected | 9 ++++----
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql b/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
index 4ef5536f1d5e..0b869d5d2836 100644
--- a/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
+++ b/javascript/ql/src/Security/CWE-312/ActionsArtifactLeak.ql
@@ -26,7 +26,7 @@ class ActionsCheckoutStep extends Actions::Step {
 /**
  * A `with:`/`persist-credentials` field sibling to `uses: actions/checkout`.
  */
-class ActionsCheckoutWithPersistCredentials extends YamlNode, YamlString {
+class ActionsCheckoutWithPersistCredentials extends YamlNode, YamlScalar {
   ActionsCheckoutStep step;
 
   ActionsCheckoutWithPersistCredentials() {
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml b/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml
index 34a8c1497c26..473d59986957 100644
--- a/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-312/.github/workflows/test.yml
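Review bot: Widening the superclass from YamlString to YamlScalar means the constructor that filters on this field's value — which is outside the hunk — now also sees YAML booleans, so the comparison there must accept both spellings actions/checkout honours, the bare boolean `false` exercised by the new test7 and the quoted string `"false"`, ideally case-insensitively (`this.getValue().toLowerCase() = "false"`); please confirm that is what the existing comparison does, since YamlString was already a YamlScalar and only the boolean path is new. The doc comment above the class should also say why this one field decides the alert, e.g. ` * Unless this is false, actions/checkout persists the job token in .git/config, so uploading the checkout directory as an artifact exposes it.` The class body continues beyond the hunk.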
@@ -62,4 +62,26 @@ jobs:
         with:
           name: file
           path: foo
+  test7: # NOT VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: .
+  test8: # VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: true
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: .
 
diff --git a/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected b/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected
index eb2fccea26b2..575ddda89a48 100644
--- a/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-312/ActionsArtifactLeak.expected
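Review bot: test7 and test8 only cover the bare YAML boolean form of `persist-credentials`; the quoted-string spelling that actions/checkout treats identically is not exercised, and after the move to YamlScalar that string form is the other path through the same constructor. A `test9` identical to `test7` except for `persist-credentials: "false"` (NOT VULNERABLE), plus a `False` variant if the query compares case-insensitively, would pin both behaviours in the expected file and guard against the class regressing to one scalar kind. The `# NOT VULNERABLE` / `# VULNERABLE` labels would also be more useful with the reason, e.g. `# NOT VULNERABLE: token not persisted in .git/config, so uploading '.' leaks nothing`.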
@@ -1,4 +1,5 @@
-| .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | actions/upload-artifact |
-| .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | actions/upload-artifact |
-| .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | actions/upload-artifact |
-| .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | A secret is exposed in an artifact uploaded by $@ | .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | actions/upload-artifact |
+| .github/workflows/test.yml:9:9:14:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:27:9:32:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:38:9:43:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:49:9:54:2 | name: " ... tifact" | A secret may be exposed in an artifact. |
+| .github/workflows/test.yml:82:9:86:18 | name: " ... tifact" | A secret may be exposed in an artifact. |
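Review bot: The alert message of all four pre-existing rows changes here from `A secret is exposed in an artifact uploaded by $@` (with a related-location column) to `A secret may be exposed in an artifact.`, but nothing in this patch's change to ActionsArtifactLeak.ql produces that — the diffstat shows one insertion and one deletion there, the YamlString→YamlScalar swap — so the expected file was presumably stale against an earlier edit of the query's `select`. Catching it up here is fine, but the commit message should say so, and it is worth confirming the `select` really emits exactly this string with the trailing period and no `$@` placeholder, otherwise the test will fail for a reason unrelated to the boolean fix. Dropping the related location loses nothing, since in every old row it pointed at the alert's own element.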