Actions: Report both workflow_call and workflow_dispatch code injection

Treat workflow_call and workflow_dispatch inputs independently for
code-injection severity classification so mixed-trigger workflows can
produce both low and medium alerts.

Add a regression test for workflows that define both triggers and update
the corresponding expected results.

Author: tspascoal

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -109,6 +109,13 @@ private predicate isWorkflowCallInput(DataFlow::Node source) {
   )
 }
 
+/**
+ * Holds if the source is an input expression that can be supplied via workflow_dispatch.
+ */
+private predicate isWorkflowDispatchInput(DataFlow::Node source) {
+  source instanceof WorkflowDispatchInputSource
+}
+
 /**
  * Holds if there is a code injection flow from `source` to `sink` with medium severity.
  */
@@ -117,7 +124,7 @@ predicate mediumSeverityCodeInjection(
 ) {
   CodeInjectionFlow::flowPath(source, sink) and
   not criticalSeverityCodeInjection(source, sink, _) and
-  not isWorkflowCallInput(source.getNode()) and
+  not (isWorkflowCallInput(source.getNode()) and not isWorkflowDispatchInput(source.getNode())) and
   not isGithubScriptUsingToJson(sink.getNode().asExpr())
 }
 

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_call_and_dispatch.yml

@@ -0,0 +1,44 @@
+name: Code Injection via workflow_call and workflow_dispatch
+
+on:
+  workflow_dispatch:
+    inputs:
+      title:
+        description: "Title for the issue"
+        required: true
+        type: string
+      body:
+        description: "Body with no explicit type (defaults to string)"
+        required: false
+  workflow_call:
+    inputs:
+      title:
+        description: "Title for the issue"
+        required: true
+        type: string
+      body:
+        description: "Body with explicit string type"
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: vulnerable title input
+        run: |
+          echo "${{ inputs.title }}"
+
+      - name: vulnerable body input
+        run: |
+          echo "${{ inputs.body }}"
+
+      - name: safe input via env
+        run: |
+          echo "$title"
+        env:
+          title: ${{ inputs.title }}

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -685,6 +685,8 @@ nodes
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
 | .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionLow.expected

@@ -685,6 +685,8 @@ nodes
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
 | .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
@@ -706,3 +708,5 @@ subpaths
 #select
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | Potential code injection in $@, which may be controlled by a calling workflow. | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | ${{ inputs.body }} |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -685,6 +685,8 @@ nodes
 | .github/workflows/workflow_call.yml:30:18:30:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_call.yml:35:18:35:36 | inputs.count | semmle.label | inputs.count |
 | .github/workflows/workflow_call.yml:40:18:40:35 | inputs.flag | semmle.label | inputs.flag |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | semmle.label | inputs.title |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | semmle.label | inputs.title |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | semmle.label | inputs.body |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | semmle.label | github.event.workflow_run.display_title |
@@ -759,6 +761,8 @@ subpaths
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
+| .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_call_and_dispatch.yml:34:18:34:36 | inputs.title | ${{ inputs.title }} |
+| .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_call_and_dispatch.yml:38:18:38:35 | inputs.body | ${{ inputs.body }} |
 | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_dispatch.yml:36:18:36:36 | inputs.title | ${{ inputs.title }} |
 | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_dispatch.yml:41:18:41:35 | inputs.body | ${{ inputs.body }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |