Skip to content

Also have zizmor check for low-severity security issues#14893

Merged
AlexWaygood merged 1 commit intoastral-sh:mainfrom
AlexWaygood:more-zizmor
Dec 12, 2024
Merged

Also have zizmor check for low-severity security issues#14893
AlexWaygood merged 1 commit intoastral-sh:mainfrom
AlexWaygood:more-zizmor

Conversation

@AlexWaygood
Copy link
Member

@AlexWaygood AlexWaygood commented Dec 10, 2024

Summary

This PR changes our zizmor configuration to also flag low-severity security issues in our GitHub Actions workflows. It's a followup to #14844. The issues being fixed here were all flagged by zizmor's template-injection rule:

Detects potential sources of code injection via template expansion.

GitHub Actions allows workflows to define template expansions, which occur within special ${{ ... }} delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.

Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as github.event.issue.title (which the attacker can fully control by supplying a new issue title).

[...]

To fully remediate the vulnerability, you should not use ${{ env.VARNAME }}, since that is still a template expansion. Instead, you should use ${VARNAME} to ensure that the shell itself performs the variable expansion.

Test Plan

I tested that this passes all zizmore warnings by running pre-commit run -a zizmor locally. The other test is obviously to check that the workflows all still run correctly in CI 😄

@AlexWaygood AlexWaygood added ci Related to internal CI tooling security Related to security vulnerabilities labels Dec 10, 2024
@AlexWaygood AlexWaygood marked this pull request as ready for review December 10, 2024 18:42
dhruvmanila
dhruvmanila approved these changes Dec 12, 2024
View reviewed changes
Copy link
Member

@dhruvmanila dhruvmanila left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@AlexWaygood AlexWaygood merged commit 033ecf5 into astral-sh:main Dec 12, 2024
@dhruvmanila dhruvmanila mentioned this pull request Dec 12, 2024
Merged
dylwil3 pushed a commit that referenced this pull request Dec 12, 2024
@dhruvmanila
Use double quotes consistently for shell scripts (#14938)
3629cbf 
## Summary

The release failed
(https://github.com/astral-sh/ruff/actions/runs/12298190472/job/34321509636)
because the shell script in the Docker release workflow was using single
quotes instead of double quotes.

This is related to https://www.shellcheck.net/wiki/SC2016. I found it
via [`actionlint`](https://github.com/rhysd/actionlint). Related #14893.

I also went ahead and fixed https://www.shellcheck.net/wiki/SC2086 which
were raised in a couple of places.
@AlexWaygood AlexWaygood deleted the more-zizmor branch February 6, 2025 18:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhruvmanila dhruvmanila dhruvmanila approved these changes

Assignees

No one assigned

Labels

ci Related to internal CI tooling security Related to security vulnerabilities

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AlexWaygood @dhruvmanila