JS: Add sources from actions/core

Asger F 2023-05-01 11:03:24 +02:00
Родитель cb95dbfa14
Коммит 08785a4063
3 изменённых файлов: 29 добавлений и 0 удалений


@ -33,6 +33,9 @@ private API::Node taintSource() {
result = commitObj().getMember("message")
or
result = commitObj().getMember(["author", "committer"]).getMember(["name", "email"])
or
result =
API::moduleImport("@actions/core").getMember(["getInput", "getMultilineInput"]).getReturn()
}
private class GitHubActionsSource extends RemoteFlowSource {
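Review bot: The new `@actions/core` disjunct in `taintSource()` has no comment stating the trust assumption behind it: `getInput` and `getMultilineInput` return whatever the calling workflow passes in, which is attacker-influenced only when the workflow forwards untrusted data such as event fields. I would add a line above the disjunct, e.g. `// Action inputs are set by the calling workflow and may carry untrusted event data, so they are treated as remote input.` This also tells anyone triaging results why an input that is a constant in the workflow can still be reported as a "user-provided value". `taintSource()` begins before this hunk and `GitHubActionsSource` continues past it, so existing QLDoc outside the visible lines may already cover part of this.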


@ -16,6 +16,13 @@ nodes
| actions.js:5:10:5:50 | github. ... message |
| actions.js:5:10:5:50 | github. ... message |
| actions.js:5:10:5:50 | github. ... message |
| actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:7:10:7:42 | core.ge ... mbers') |
| actions.js:7:10:7:42 | core.ge ... mbers') |
| actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:53 | core.ge ... n('\\n') |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:36 | location.search |
@ -195,6 +202,11 @@ edges
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message |
| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search |
@ -311,6 +323,8 @@ edges
| NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | NoSQLCodeInjection.js:19:36:19:43 | req.body | NoSQLCodeInjection.js:19:24:19:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:19:36:19:43 | req.body | user-provided value |
| NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | NoSQLCodeInjection.js:22:36:22:43 | req.body | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name | This code execution depends on a $@. | NoSQLCodeInjection.js:22:36:22:43 | req.body | user-provided value |
| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message | This code execution depends on a $@. | actions.js:5:10:5:50 | github. ... message | user-provided value |
| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') | This code execution depends on a $@. | actions.js:6:10:6:33 | core.ge ... mbers') | user-provided value |
| actions.js:7:10:7:53 | core.ge ... n('\\n') | actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') | This code execution depends on a $@. | actions.js:7:10:7:42 | core.ge ... mbers') | user-provided value |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search | This code execution depends on a $@. | angularjs.js:10:22:10:36 | location.search | user-provided value |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search | This code execution depends on a $@. | angularjs.js:13:23:13:37 | location.search | user-provided value |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search | This code execution depends on a $@. | angularjs.js:16:28:16:42 | location.search | user-provided value |


@ -16,6 +16,13 @@ nodes
| actions.js:5:10:5:50 | github. ... message |
| actions.js:5:10:5:50 | github. ... message |
| actions.js:5:10:5:50 | github. ... message |
| actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:7:10:7:42 | core.ge ... mbers') |
| actions.js:7:10:7:42 | core.ge ... mbers') |
| actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:53 | core.ge ... n('\\n') |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:36 | location.search |
| angularjs.js:10:22:10:36 | location.search |
@ -199,6 +206,11 @@ edges
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| NoSQLCodeInjection.js:22:36:22:48 | req.body.name | NoSQLCodeInjection.js:22:24:22:48 | "name = ... dy.name |
| actions.js:5:10:5:50 | github. ... message | actions.js:5:10:5:50 | github. ... message |
| actions.js:6:10:6:33 | core.ge ... mbers') | actions.js:6:10:6:33 | core.ge ... mbers') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| actions.js:7:10:7:42 | core.ge ... mbers') | actions.js:7:10:7:53 | core.ge ... n('\\n') |
| angularjs.js:10:22:10:36 | location.search | angularjs.js:10:22:10:36 | location.search |
| angularjs.js:13:23:13:37 | location.search | angularjs.js:13:23:13:37 | location.search |
| angularjs.js:16:28:16:42 | location.search | angularjs.js:16:28:16:42 | location.search |