gh view

JarLob · JarLob · commit 6d94168ad973 · 2025-01-21T17:15:41.000Z
diff --git a/actions/ql/lib/ext/config/untrusted_gh_command.yml b/actions/ql/lib/ext/config/untrusted_gh_command.yml
@@ -23,11 +23,13 @@ extensions:
       # ISSUES
       #
       # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,body)
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json "title,body")
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\btitle\\b", "title,oneline"]
       # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\bbody\\b", "text,multiline"]
       # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
-      - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\bcomments\\b", "text,multiline"]
       #
       # API
       #
diff --git a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
@@ -121,6 +121,12 @@ jobs:
           TITLE=$(echo $TITLE | jq -r '.title')
           echo "title=$TITLE" >> "$GITHUB_OUTPUT"
       - run: echo "${{ steps.title2.outputs.title}}"
+      - id: title3
+        run: |
+          TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)
+          TITLE=$(echo $TITLE | jq -r '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title3.outputs.title}}"
 
 
 
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -207,6 +207,8 @@ edges
 | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | provenance |  |
 | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | provenance |  |
 | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | provenance |  |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | provenance |  |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | provenance |  |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
@@ -624,6 +626,9 @@ nodes
 | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | semmle.label | Run Step: title2 [title] |
 | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | semmle.label | steps.title2.outputs.title |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
@@ -828,6 +833,7 @@ subpaths
 | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:117:21:117:52 | steps.title1.outputs.title | ${{ steps.title1.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | ${{ steps.title2.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | ${{ steps.title3.outputs.title}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues |
 | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
 | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
diff --git a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -207,6 +207,8 @@ edges
 | .github/workflows/test19.yml:113:14:116:50 | DETAILS=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $DETAILS \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:112:9:117:6 | Run Step: title1 [title] | provenance |  |
 | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | provenance |  |
 | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | provenance |  |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | provenance |  |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | provenance |  |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
 | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
@@ -624,6 +626,9 @@ nodes
 | .github/workflows/test19.yml:118:9:123:6 | Run Step: title2 [title] | semmle.label | Run Step: title2 [title] |
 | .github/workflows/test19.yml:119:14:122:50 | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh pr view $PR_NUMBER --json "title,author,headRefName")\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:123:21:123:52 | steps.title2.outputs.title | semmle.label | steps.title2.outputs.title |
+| .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
+| .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
+| .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |

Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,13 @@ extensions:`
`23`	`23`	`# ISSUES`
`24`	`24`	`#`
`25`	`25`	`# TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')`
`26`		`- - ["gh\\s+issue\\b.\\bview\\b.\\.title.*", "title,oneline"]`
	`26`	`+ # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,body)`
	`27`	`+ # TITLE=$(gh issue view "$ISSUE_NUMBER" --json "title,body")`
	`28`	`+ - ["gh\\s+issue\\b.\\bview\\b.\\btitle\\b", "title,oneline"]`
`27`	`29`	`# BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)`
`28`		`- - ["gh\\s+issue\\b.\\bview\\b.\\.body.*", "text,multiline"]`
	`30`	`+ - ["gh\\s+issue\\b.\\bview\\b.\\bbody\\b", "text,multiline"]`
`29`	`31`	`# COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')`
`30`		`- - ["gh\\s+issue\\b.\\bview\\b.\\.comments.*", "text,multiline"]`
	`32`	`+ - ["gh\\s+issue\\b.\\bview\\b.\\bcomments\\b", "text,multiline"]`
`31`	`33`	`#`
`32`	`34`	`# API`
`33`	`35`	`#`