CI: Fix potential template injection issues

zcash · Jan 9, 2025 · b3f6f95 · b3f6f95
1 parent df1aa4f
commit b3f6f95
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 19 deletions.
diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml
@@ -20,7 +20,10 @@ runs:
       shell: bash
       run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
       if: inputs.test-dependencies == 'true'
-    - name: Prepare feature flags
+
+    # `steps.test.outputs.feature` cannot expand into attacker-controllable code
+    # because the previous step only enables it to have one of two fixed values.
+    - name: Prepare feature flags # zizmor: ignore[template-injection]
       id: prepare
       shell: bash
       run: >
@@ -34,6 +37,8 @@ runs:
         unstable
         unstable-serialization
         unstable-spanning-tree
-        ${{ inputs.extra-features }}
+        $EXTRA_FEATURES
         ${{ steps.test.outputs.feature }}
         '" >> $GITHUB_OUTPUT
+      env:
+        EXTRA_FEATURES: ${{ inputs.extra-features }}
diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
@@ -18,7 +18,9 @@ jobs:
           persist-credentials: false
       - uses: dtolnay/rust-toolchain@stable
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "$TOOLCHAIN"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - run: cargo install cargo-vet --version ~0.10
       - run: cargo vet --locked
 
@@ -43,4 +45,6 @@ jobs:
     steps:
       - name: Determine whether all required-pass steps succeeded
         run: |
-          echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+          echo "$NEEDS" | jq -e '[ .[] | .result == "success" ] | all'
+        env:
+          NEEDS: ${{ toJSON(needs) }}
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
@@ -16,15 +16,18 @@ jobs:
         uses: ./.github/actions/prepare
       - uses: dtolnay/rust-toolchain@nightly
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "$TOOLCHAIN"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
 
       - name: Build latest rustdocs
         run: >
           cargo doc
           --no-deps
           --workspace
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
         env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
           RUSTDOCFLAGS: -Z unstable-options --enable-index-page --cfg docsrs
 
       - name: Move latest rustdocs into book

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,7 +54,9 @@ jobs:
         run: >
           cargo test
           --workspace
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Verify working directory is clean
         run: git diff --exit-code
 
@@ -113,7 +115,9 @@ jobs:
         run: >
           cargo test
           --workspace
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Verify working directory is clean
         run: git diff --exit-code
 
@@ -164,9 +168,11 @@ jobs:
         run: >
           cargo test
           --workspace
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
           --features expensive-tests
           -- --ignored
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Verify working directory is clean
         run: git diff --exit-code
 
@@ -221,7 +227,9 @@ jobs:
           --release
           --workspace
           --tests
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Verify working directory is clean
         run: git diff --exit-code
 
@@ -248,16 +256,20 @@ jobs:
           key: ${{ runner.os }}-cargo-latest
       - uses: dtolnay/rust-toolchain@stable
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "$TOOLCHAIN"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - name: Remove lockfile to build with latest dependencies
         run: rm Cargo.lock
       - name: Build crates
         run: >
           cargo build
           --workspace
           --all-targets
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
           --verbose
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Verify working directory is clean (excluding lockfile)
         run: git diff --exit-code ':!Cargo.lock'
 
@@ -366,10 +378,12 @@ jobs:
           name: Clippy (MSRV)
           token: ${{ secrets.GITHUB_TOKEN }}
           args: >
-            ${{ steps.prepare.outputs.feature-flags }}
+            $FEATURE_FLAGS
             --all-targets
             --
             -D warnings
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
 
   clippy-beta:
     name: Clippy (beta)
@@ -383,18 +397,22 @@ jobs:
         uses: ./.github/actions/prepare
       - uses: dtolnay/rust-toolchain@beta
         id: toolchain
-      - run: rustup override set ${{steps.toolchain.outputs.name}}
+      - run: rustup override set "$TOOLCHAIN"
+        env:
+          TOOLCHAIN: ${{steps.toolchain.outputs.name}}
       - name: Run Clippy (beta)
         uses: actions-rs/clippy-check@v1
         continue-on-error: true
         with:
           name: Clippy (beta)
           token: ${{ secrets.GITHUB_TOKEN }}
           args: >
-            ${{ steps.prepare.outputs.feature-flags }}
+            $FEATURE_FLAGS
             --all-targets
             --
             -W clippy::all
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
 
   codecov:
     name: Code coverage
@@ -422,10 +440,12 @@ jobs:
         run: >
           cargo tarpaulin
           --engine llvm
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
           --release
           --timeout 600
           --out xml
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Upload coverage to Codecov
         uses: codecov/[email protected]
         with:
@@ -446,8 +466,10 @@ jobs:
         run: >
           cargo doc
           --all
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
           --document-private-items
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
 
   fmt:
     name: Rustfmt
@@ -479,7 +501,9 @@ jobs:
         run: >
           cargo check
           --workspace
-          ${{ steps.prepare.outputs.feature-flags }}
+          $FEATURE_FLAGS
+        env:
+          FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
       - name: Verify working directory is clean
         run: git diff --exit-code
 
@@ -535,4 +559,6 @@ jobs:
     steps:
       - name: Determine whether all required-pass steps succeeded
         run: |
-          echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+          echo "$NEEDS" | jq -e '[ .[] | .result == "success" ] | all'
+        env:
+          NEEDS: ${{ toJSON(needs) }}