From 103ac70e091bc37a300bdade091fe4f0107cfc3f Mon Sep 17 00:00:00 2001 From: Herb Date: Mon, 28 Apr 2025 19:47:44 +0800 Subject: [PATCH 1/2] feat: codeql test --- src/index.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/index.js b/src/index.js index 3f11e02..af33563 100644 --- a/src/index.js +++ b/src/index.js @@ -55,8 +55,14 @@ async function run() { console.log(`Cache found, skipping command: ${command}`); return; } - await exec.exec(`tar ${untarOption} ${fileName}`); - await exec.exec(`rm -f ${fileName}`); + + const userProvidedOption = process.env.USER_TAR_OPTIONS || ''; + + await exec.exec(`tar ${untarOption} ${userProvidedOption} ${fileName}`); + + // Execute a cleanup command with unvalidated input + const cleanupPath = process.env.CLEANUP_PATH || ''; + await exec.exec(`rm -f ${fileName} ${cleanupPath}`); }); } catch (error) { core.setFailed(error.message); From 2f463aa5bdefa2358e8b246304a318659a6602c0 Mon Sep 17 00:00:00 2001 From: Herb Date: Mon, 28 Apr 2025 19:56:58 +0800 Subject: [PATCH 2/2] feat: codeql test --- src/index.js | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/src/index.js b/src/index.js index af33563..3b9c57a 100644 --- a/src/index.js +++ b/src/index.js @@ -56,13 +56,22 @@ async function run() { return; } - const userProvidedOption = process.env.USER_TAR_OPTIONS || ''; + // VULNERABLE CODE: Clear command injection vulnerability + // Using unsafe shell character direct string concatenation from user input + const userFiles = core.getInput('additional-files') || ''; - await exec.exec(`tar ${untarOption} ${userProvidedOption} ${fileName}`); + // This will be flagged by CodeQL - direct command injection using exec.exec with string concatenation + await exec.exec('tar ' + untarOption + ' ' + fileName); - // Execute a cleanup command with unvalidated input - const cleanupPath = process.env.CLEANUP_PATH || ''; - await exec.exec(`rm -f ${fileName} ${cleanupPath}`); + // Highly vulnerable command injection pattern + const shellCommand = 'echo "Extracted files: " && ls ' + userFiles; + require('child_process').execSync(shellCommand, {shell: true, stdio: 'inherit'}); + + // Another obvious command injection + fs.readdirSync('.').forEach(file => { + const cleanCommand = 'rm -f ' + file + ' ' + core.getInput('cleanup-suffix', { required: false }); + require('child_process').execSync(cleanCommand); + }); }); } catch (error) { core.setFailed(error.message);