From 868ecd5976b934438d2c37947fd4b0829c8d64fa Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Thu, 9 Jan 2025 16:38:43 +0000 Subject: [PATCH] CI: Fix potential template injection issues --- .github/actions/prepare/action.yml | 9 +++++++-- .github/workflows/audits.yml | 8 ++++++-- .github/workflows/book.yml | 4 +++- .github/workflows/ci.yml | 12 +++++++++--- 4 files changed, 25 insertions(+), 8 deletions(-) diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml index 9ac597d495..e519084323 100644 --- a/.github/actions/prepare/action.yml +++ b/.github/actions/prepare/action.yml @@ -20,7 +20,10 @@ runs: shell: bash run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT if: inputs.test-dependencies == 'true' - - name: Prepare feature flags + + # `steps.test.outputs.feature` cannot expand into attacker-controllable code + # because the previous step only enables it to have one of two fixed values. + - name: Prepare feature flags # zizmor: ignore[template-injection] id: prepare shell: bash run: > @@ -34,6 +37,8 @@ runs: unstable unstable-serialization unstable-spanning-tree - ${{ inputs.extra-features }} + ${EXTRA_FEATURES} ${{ steps.test.outputs.feature }} '" >> $GITHUB_OUTPUT + env: + EXTRA_FEATURES: ${{ inputs.extra-features }} diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml index bdac55418f..ebcca15331 100644 --- a/.github/workflows/audits.yml +++ b/.github/workflows/audits.yml @@ -18,7 +18,9 @@ jobs: persist-credentials: false - uses: dtolnay/rust-toolchain@stable id: toolchain - - run: rustup override set ${{steps.toolchain.outputs.name}} + - run: rustup override set "${TOOLCHAIN}" + env: + TOOLCHAIN: ${{steps.toolchain.outputs.name}} - run: cargo install cargo-vet --version ~0.10 - run: cargo vet --locked @@ -43,4 +45,6 @@ jobs: steps: - name: Determine whether all required-pass steps succeeded run: | - echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all' + echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all' + env: + NEEDS: ${{ toJSON(needs) }} diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml index 88bfede44b..1fbcbf27a9 100644 --- a/.github/workflows/book.yml +++ b/.github/workflows/book.yml @@ -16,7 +16,9 @@ jobs: uses: ./.github/actions/prepare - uses: dtolnay/rust-toolchain@nightly id: toolchain - - run: rustup override set ${{steps.toolchain.outputs.name}} + - run: rustup override set "${TOOLCHAIN}" + env: + TOOLCHAIN: ${{steps.toolchain.outputs.name}} - name: Build latest rustdocs run: > diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 85f125584e..0492842c21 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -248,7 +248,9 @@ jobs: key: ${{ runner.os }}-cargo-latest - uses: dtolnay/rust-toolchain@stable id: toolchain - - run: rustup override set ${{steps.toolchain.outputs.name}} + - run: rustup override set "${TOOLCHAIN}" + env: + TOOLCHAIN: ${{steps.toolchain.outputs.name}} - name: Remove lockfile to build with latest dependencies run: rm Cargo.lock - name: Build crates @@ -383,7 +385,9 @@ jobs: uses: ./.github/actions/prepare - uses: dtolnay/rust-toolchain@beta id: toolchain - - run: rustup override set ${{steps.toolchain.outputs.name}} + - run: rustup override set "${TOOLCHAIN}" + env: + TOOLCHAIN: ${{steps.toolchain.outputs.name}} - name: Run Clippy (beta) uses: actions-rs/clippy-check@v1 continue-on-error: true @@ -535,4 +539,6 @@ jobs: steps: - name: Determine whether all required-pass steps succeeded run: | - echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all' + echo "${NEEDS}" | jq -e '[ .[] | .result == "success" ] | all' + env: + NEEDS: ${{ toJSON(needs) }}