Add vAPI customizations pack and bundle create workflow

rvermeulen · rvermeulen · commit 5e100cd82be5 · 2022-06-27T14:38:30.000+02:00
diff --git a/.github/workflows/bundle.yaml b/.github/workflows/bundle.yaml
@@ -0,0 +1,27 @@
+name: Create Bundle
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    name: Build and release bundle
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: CodeQL bundle
+        id: codeql-bundle
+        uses: advanced-security/codeql-bundle-action@v1
+        with:
+          packs: "advanced-security-demo/vapi-customizations"
+      - name: Bundle release
+        env:
+          BUNDLE_PATH: ${{ steps.codeql-bundle.outputs.bundle-path }}
+          BUNDLE_TAG: ${{ steps.codeql-bundle.outputs.bundle-tag }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          if gh release view $BUNDLE_TAG; then
+            gh release upload --clobber $BUNDLE_TAG $BUNDLE_PATH
+          else
+            gh release create $BUNDLE_TAG $BUNDLE_PATH --generate-notes
+          fi
diff --git a/vapi-customizations/advanced_security_demo/vapi_customizations/Customizations.qll b/vapi-customizations/advanced_security_demo/vapi_customizations/Customizations.qll
@@ -0,0 +1,17 @@
+import python
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.RemoteFlowSources
+
+API::Node request() { result = API::moduleImport("connexion").getMember("request") }
+
+private class ConnexionRequestSource extends RemoteFlowSource::Range {
+  ConnexionRequestSource() {
+    this = request().getAUse() and
+    not any(Import imp).contains(this.asExpr()) and
+    not exists(ControlFlowNode def | this.asVar().getSourceVariable().hasDefiningNode(def) |
+      any(Import imp).contains(def.getNode())
+    )
+  }
+
+  override string getSourceType() { result = "connexion.request" }
+}
diff --git a/vapi-customizations/codeql-pack.lock.yml b/vapi-customizations/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+  codeql/python-all:
+    version: 0.4.1
+compiled: false
+lockVersion: 1.0.0
diff --git a/vapi-customizations/qlpack.yml b/vapi-customizations/qlpack.yml
@@ -0,0 +1,7 @@
+---
+library: true
+name: advanced-security-demo/vapi-customizations
+version: 0.0.1
+dependencies:
+  codeql/python-all: 0.4.1
+extractor: python
