CI: Fix potential template injection issues

zcash · Jan 9, 2025 · 868ecd5 · 868ecd5
1 parent df1aa4f
commit 868ecd5
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 8 deletions.
diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml
@@ -20,7 +20,10 @@ runs:
       shell: bash
       run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
       if: inputs.test-dependencies == 'true'
-    - name: Prepare feature flags
+
+    # `steps.test.outputs.feature` cannot expand into attacker-controllable code
+    # because the previous step only enables it to have one of two fixed values.
+    - name: Prepare feature flags # zizmor: ignore[template-injection]
       id: prepare
       shell: bash
       run: >
@@ -34,6 +37,8 @@ runs:
         unstable
         unstable-serialization
         unstable-spanning-tree
-        ${{ inputs.extra-features }}
+        ${EXTRA_FEATURES}
         ${{ steps.test.outputs.feature }}
         '" >> $GITHUB_OUTPUT
+      env:
+        EXTRA_FEATURES: ${{ inputs.extra-features }}
diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
@@ -18,7 +18,9 @@ jobs:
           persist-credentials: false
       - uses: dtolnay/rust-toolchain@stable
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - run: cargo install cargo-vet --version ~0.10
       - run: cargo vet --locked
 
@@ -43,4 +45,6 @@ jobs:
     steps:
       - name: Determine whether all required-pass steps succeeded
         run: |
-          echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+          echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
+        env:
+          NEEDS: ${{ toJSON(needs) }}
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
@@ -16,7 +16,9 @@ jobs:
         uses: ./.github/actions/prepare
       - uses: dtolnay/rust-toolchain@nightly
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
 
       - name: Build latest rustdocs
         run: >

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -248,7 +248,9 @@ jobs:
           key: ${{ runner.os }}-cargo-latest
       - uses: dtolnay/rust-toolchain@stable
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - name: Remove lockfile to build with latest dependencies
         run: rm Cargo.lock
       - name: Build crates
@@ -383,7 +385,9 @@ jobs:
         uses: ./.github/actions/prepare
       - uses: dtolnay/rust-toolchain@beta
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "${TOOLCHAIN}"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - name: Run Clippy (beta)
         uses: actions-rs/clippy-check@v1
         continue-on-error: true
@@ -535,4 +539,6 @@ jobs:
     steps:
       - name: Determine whether all required-pass steps succeeded
         run: |
-          echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+          echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all'
+        env:
+          NEEDS: ${{ toJSON(needs) }}