Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Add queries
- v3.22.12
- v3.22.11
- v3
- v2.22.12
- v2.22.11
- v2.22.10
- v2.22.9
- v2.22.8
- v2.22.7
- v2.22.6
- v2.22.5
- v2.22.4
- v2.22.3
- v2.22.2
- v2.22.1
- v2.22.0
- v2.21.9
- v2.21.8
- v2.21.7
- v2.21.6
- v2.21.5
- v2.21.4
- v2.21.3
- v2.21.2
- v2.21.1
- v2.21.0
- v2.20.4
- v2.20.3
- v2.20.2
- v2.20.1
- v2.20.0
- v2.3.6
- v2.3.5
- v2.3.4
- v2.3.3
- v2.3.2
- v2.3.1
- v2.3.0
- v2.2.12
- v2.2.11
- v2.2.10
- v2.2.9
- v2.2.8
- v2.2.7
- v2.2.6
- v2.2.5
- v2.2.4
- v2.2.3
- v2.2.2
- v2.2.1
- v2.2.0
- v2.1.39
- v2.1.38
- v2.1.37
- v2.1.36
- v2.1.35
- v2.1.34
- v2.1.33
- v2.1.32
- v2.1.31
- v2.1.30
- v2.1.29
- v2.1.28
- v2.1.27
- v2.1.26
- v2.1.25
- v2.1.24
- v2.1.23
- v2.1.22
- v2.1.21
- v2.1.20
- v2.1.19
- v2.1.18
- v2.1.17
- v2.1.16
- v2.1.15
- v2.1.14
- v2.1.13
- v2.1.12
- v2.1.11
- v2.1.10
- v2.1.9
- v2.1.8
- v2.1.7
- v2.1.6
- v2
- v1.1.39
- v1.1.38
- v1.1.37
- v1.1.36
- v1.1.35
- v1.1.34
- v1.1.33
- v1.1.32
- v1.1.31
- v1.1.30
- v1.1.29
- v1.1.28
- v1.1.27
- v1.1.26
- v1.1.25
- v1.1.24
- v1.1.23
- v1.1.22
- v1.1.21
- v1.1.20
- v1.1.19
- v1.1.18
- v1.1.17
- v1.1.16
- v1.1.15
- v1.1.14
- v1.1.13
- v1.1.12
- v1.1.11
- v1.1.10
- v1.1.9
- v1.1.8
- v1.1.7
- v1.1.6
- v1.1.5
- v1.1.4
- v1.1.3
- v1.1.2
- v1.1.1
- v1.1.0
- v1.0.32
- v1.0.31
- v1.0.30
- v1.0.29
- v1.0.28
- v1.0.27
- v1.0.26
- v1.0.25
- v1.0.24
- v1.0.23
- v1.0.22
- v1.0.21
- v1.0.20
- v1.0.19
- v1.0.18
- v1.0.17
- v1.0.16
- v1.0.15
- v1.0.14
- v1.0.13
- v1.0.12
- v1.0.11
- v1.0.10
- v1.0.9
- v1.0.8
- v1.0.7
- v1.0.6
- v1.0.5
- v1.0.4
- v1.0.3
- v1.0.2
- v1.0.1
- v1.0.0
- v1
Robert Brignull
committed
Sep 15, 2020
1 parent
121fd33
commit d88fa5c
Showing
2 changed files
with
144 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| /** | ||
| * @name Inconsistent action input | ||
| * @description If multiple actions define an input with the same name, then the input | ||
| * must be defined in an identical way to avoid confusion for the user. | ||
| * This also makes writing queries like required-action-input.ql easier. | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @id javascript/codeql-action/inconsistent-action-input | ||
| */ | ||
|
|
||
| import javascript | ||
|
|
||
| /** | ||
| * A declaration of a github action. | ||
| */ | ||
| class ActionDeclaration extends File { | ||
| ActionDeclaration() { | ||
| getRelativePath().matches("%/action.yml") | ||
| } | ||
|
|
||
| /** | ||
| * The name of the action. | ||
| */ | ||
| string getName() { | ||
| result = getRelativePath().regexpCapture("(.*)/action.yml", 1) | ||
| } | ||
|
|
||
| YAMLDocument getRootNode() { | ||
| result.getFile() = this | ||
| } | ||
|
|
||
| YAMLValue getInput(string inputName) { | ||
| result = getRootNode().(YAMLMapping).lookup("inputs").(YAMLMapping).lookup(inputName) | ||
| } | ||
| } | ||
|
|
||
| predicate areNotEquivalent(YAMLValue x, YAMLValue y) { | ||
| x.getTag() != y.getTag() | ||
| or | ||
| x.(YAMLScalar).getValue() != y.(YAMLScalar).getValue() | ||
| or | ||
| x.getNumChild() != y.getNumChild() | ||
| or | ||
| exists(int i | areNotEquivalent(x.getChild(i), y.getChild(i))) | ||
| } | ||
|
|
||
| from ActionDeclaration actionA, ActionDeclaration actionB, string inputName | ||
| where actionA.getName() < actionB.getName() // prevent duplicates which are permutations of the names | ||
| and areNotEquivalent(actionA.getInput(inputName), actionB.getInput(inputName)) | ||
| select actionA, "Action $@ and action $@ both declare input $@, however their definitions are not identical. This may be confusing to users.", | ||
| actionA, actionA.getName(), actionB, actionB.getName(), inputName, inputName |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| /** | ||
| * @name Required action input | ||
| * @description For action inputs the core.input represents input with no value as the emptystring. | ||
| * This doesn't promote good type checking. Instead, use either actions-util.getOptionalInput or | ||
| * actions-util.getRequiredInput depending on if the input always has a value or not. The input | ||
| * will always have a value if it is required or has a default value. | ||
| * @kind problem | ||
| * @problem.severity error | ||
| * @id javascript/codeql-action/required-action-input | ||
| */ | ||
|
|
||
| import javascript | ||
|
|
||
| /** | ||
| * A declaration of a github action. | ||
| */ | ||
| class ActionDeclaration extends File { | ||
| ActionDeclaration() { | ||
| getRelativePath().matches("%/action.yml") | ||
| } | ||
|
|
||
| YAMLDocument getRootNode() { | ||
| result.getFile() = this | ||
| } | ||
|
|
||
| /** | ||
| * The name of any input to this action. | ||
| */ | ||
| string getAnInput() { | ||
| result = getRootNode().(YAMLMapping).lookup("inputs").(YAMLMapping).getKey(_).(YAMLString).getValue() | ||
| } | ||
|
|
||
| /** | ||
| * The given input always has a value, either because it is required, | ||
| * or because it has a default value. | ||
| */ | ||
| predicate inputAlwaysHasValue(string input) { | ||
| exists(YAMLMapping value | | ||
| value = getRootNode().(YAMLMapping).lookup("inputs").(YAMLMapping).lookup(input) and | ||
| (exists(value.lookup("default")) or | ||
| value.lookup("required").(YAMLBool).getBoolValue() = true)) | ||
| } | ||
|
|
||
| /** | ||
| * The function that is the entrypoint to this action. | ||
| */ | ||
| FunctionDeclStmt getEntrypoint() { | ||
| result.getFile().getRelativePath() = getRootNode(). | ||
| (YAMLMapping).lookup("runs"). | ||
| (YAMLMapping).lookup("main"). | ||
| (YAMLString).getValue().regexpReplaceAll("\\.\\./lib/(.*)\\.js", "src/$1.ts") and | ||
| result.getName() = "run" | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * An import from "@actions/core" | ||
| */ | ||
| class ActionsLibImport extends ImportDeclaration { | ||
| ActionsLibImport() { | ||
| getImportedPath().getValue() = "@actions/core" | ||
| } | ||
|
|
||
| Variable getAProvidedVariable() { | ||
| result = getASpecifier().getLocal().getVariable() | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * A call to the core.getInput method. | ||
| */ | ||
| class CoreGetInputMethodCallExpr extends MethodCallExpr { | ||
| CoreGetInputMethodCallExpr() { | ||
| getMethodName() = "getInput" and | ||
| exists(ActionsLibImport libImport | | ||
| this.getReceiver() = libImport.getAProvidedVariable().getAnAccess() or | ||
| this.getReceiver().(PropAccess).getBase() = libImport.getAProvidedVariable().getAnAccess()) | ||
| } | ||
|
|
||
| /** | ||
| * The name of the input being accessed. | ||
| */ | ||
| string getInputName() { | ||
| result = getArgument(0).(StringLiteral).getValue() | ||
| } | ||
| } | ||
|
|
||
| from ActionDeclaration action, CoreGetInputMethodCallExpr getInputCall, string inputName, string alternateFunction | ||
| where action.getAnInput() = inputName | ||
| and getInputCall.getInputName() = inputName | ||
| and ((action.inputAlwaysHasValue(inputName) and alternateFunction = "getRequiredInput") | ||
| or (not action.inputAlwaysHasValue(inputName) and alternateFunction = "geOptionalInput")) | ||
| select getInputCall, "This input may be undefined. Please use actions-util.$@ instead.", alternateFunction, alternateFunction |