
Also have zizmor check for low-severity security issues #14893

Merged
merged 1 commit into from
Dec 12, 2024

Conversation

AlexWaygood
Member

Summary

This PR changes our zizmor configuration to also flag low-severity security issues in our GitHub Actions workflows. It's a follow-up to #14844. The issues being fixed here were all flagged by zizmor's template-injection rule:

Detects potential sources of code injection via template expansion.

GitHub Actions allows workflows to define template expansions, which occur within special ${{ ... }} delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.

Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as github.event.issue.title (which the attacker can fully control by supplying a new issue title).

[...]

To fully remediate the vulnerability, you should not use ${{ env.VARNAME }}, since that is still a template expansion. Instead, you should use ${VARNAME} to ensure that the shell itself performs the variable expansion.

Test Plan

I tested that this passes all zizmor warnings by running pre-commit run -a zizmor locally. The other test is obviously to check that the workflows all still run correctly in CI 😄
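A constructed workflow fragment (not one of the ruff repository's workflows) showing the pattern the template-injection rule flags next to the remediation the description quotes: the `vulnerable` job interpolates an attacker-controllable context straight into `run:`, while the `hardened` job routes the value through `env:` and lets the shell expand it.

```yaml
# Constructed example, not a workflow from the ruff repository.
name: triage
on:
  issues:
    types: [opened]

jobs:
  # BEFORE: flagged by zizmor's template-injection rule. The ${{ ... }}
  # expression is expanded verbatim into the script text before the step
  # runs, so the issue title becomes part of the command, not data.
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (template expansion inside run)
        run: |
          echo "New issue: ${{ github.event.issue.title }}"

  # AFTER: bind the value as a real environment variable via `env:` and
  # expand it with the shell form ${VAR}, not ${{ env.VAR }} (which would
  # still be a template expansion). Keep the expansion double-quoted so
  # shellcheck SC2086 (word splitting / globbing) does not apply either.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (shell variable expansion)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: ${ISSUE_TITLE}"
```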

Member

@dhruvmanila dhruvmanila left a comment


Looks good

@AlexWaygood AlexWaygood merged commit 033ecf5 into astral-sh:main Dec 12, 2024
44 checks passed
dylwil3 pushed a commit that referenced this pull request Dec 12, 2024
## Summary

The release failed
(https://github.com/astral-sh/ruff/actions/runs/12298190472/job/34321509636)
because the shell script in the Docker release workflow was using single
quotes instead of double quotes.

This is related to https://www.shellcheck.net/wiki/SC2016. I found it
via [`actionlint`](https://github.com/rhysd/actionlint). Related #14893.

I also went ahead and fixed https://www.shellcheck.net/wiki/SC2086 which
were raised in a couple of places.
Labels
ci: Related to internal CI tooling
security: Related to security vulnerabilities