Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Also have zizmor check for low-severity security issues #14893

Merged
merged 1 commit into from
Dec 12, 2024
Merged

Also have zizmor check for low-severity security issues #14893

merged 1 commit into from
Dec 12, 2024

Conversation

AlexWaygood
Copy link
Member

Summary

This PR changes our zizmor configuration to also flag low-severity security issues in our GitHub Actions workflows. It's a followup to #14844. The issues being fixed here were all flagged by zizmor's template-injection rule:

Detects potential sources of code injection via template expansion.

GitHub Actions allows workflows to define template expansions, which occur within special ${{ ... }} delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.

Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as github.event.issue.title (which the attacker can fully control by supplying a new issue title).

[...]

To fully remediate the vulnerability, you should not use ${{ env.VARNAME }}, since that is still a template expansion. Instead, you should use ${VARNAME} to ensure that the shell itself performs the variable expansion.

Test Plan

I tested that this passes all zizmore warnings by running pre-commit run -a zizmor locally. The other test is obviously to check that the workflows all still run correctly in CI 😄

@AlexWaygood AlexWaygood added ci Related to internal CI tooling security Related to security vulnerabilities labels Dec 10, 2024
@AlexWaygood AlexWaygood marked this pull request as ready for review December 10, 2024 18:42
dhruvmanila
dhruvmanila approved these changes Dec 12, 2024
View reviewed changes
Copy link
Member

@dhruvmanila dhruvmanila left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good

@AlexWaygood AlexWaygood merged commit 033ecf5 into astral-sh:main Dec 12, 2024
44 checks passed
@dhruvmanila dhruvmanila mentioned this pull request Dec 12, 2024
Merged
dylwil3 pushed a commit that referenced this pull request Dec 12, 2024
@dhruvmanila
Use double quotes consistently for shell scripts (#14938)
3629cbf 
## Summary

The release failed
(https://github.com/astral-sh/ruff/actions/runs/12298190472/job/34321509636)
because the shell script in the Docker release workflow was using single
quotes instead of double quotes.

This is related to https://www.shellcheck.net/wiki/SC2016. I found it
via [`actionlint`](https://github.com/rhysd/actionlint). Related #14893.

I also went ahead and fixed https://www.shellcheck.net/wiki/SC2086 which
were raised in a couple of places.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhruvmanila dhruvmanila dhruvmanila approved these changes

Assignees
No one assigned
Labels
ci Related to internal CI tooling security Related to security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@AlexWaygood @dhruvmanila