ci: fix template injection warnings #1810
The template in delimiters ${{ ... }} is expanded before workflow
execution and can, for some events, lead to code injection by the
user that triggered the event [1][2].
Use an intermediate environment variable that is set to these values to
remediate all instances flagged by zizmor.
[1] https://securitylab.github.com/resources/github-actions-untrusted-input/
[2] https://docs.zizmor.sh/audits/#template-injection
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
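As an added example (not code from meta-qcom or this PR), the POSIX shell script below models why the description's point matters: the runner substitutes every ${{ ... }} into the text of a `run:` script before the shell parses it, so a value containing shell metacharacters becomes code, whereas the same value passed through `env:` reaches the shell as data. The step shapes, the `github.event.pull_request.title` usage and the payload are constructed for illustration; `run_inline` and `run_via_env` are this example's own names.

```shell
#!/bin/sh
# Added example, not code from meta-qcom or this PR. It models what the
# Actions runner does with a `run:` step: every `${{ expr }}` is substituted
# into the script TEXT before the shell parses it, so a value that contains
# shell metacharacters becomes code. Passing the same value through `env:`
# delivers it to the shell as data. Step shapes and payload are constructed.

# Constructed attacker-controlled value (think of a pull request title):
# closes the open double quote, runs its own commands, then reopens the
# quote so the rest of the line still parses.
EVIL='"; echo INJECTED; exit 42; echo "'

# Vulnerable shape, the kind zizmor flags:
#   run: echo "## PR ${{ github.event.pull_request.title }}"
# The runner does plain text substitution and hands the result to sh.
# $1: the (untrusted) value. Returns the shell's exit status.
run_inline() {
    script="echo \"## PR $1\""   # exactly what the runner would execute
    sh -c "$script"
}

# Remediated shape, the pattern this PR applies:
#   env:
#     PR_TITLE: ${{ github.event.pull_request.title }}
#   run: echo "## PR $PR_TITLE"
# Expansion now happens only in the env: value; the script text is fixed
# and "$PR_TITLE" is a quoted shell variable, so the value is never parsed.
run_via_env() {
    PR_TITLE="$1" sh -c 'echo "## PR $PR_TITLE"'
}

# Demo: the inline form executes the payload (shell exits 42, "INJECTED"
# is printed); the env form prints the payload back verbatim.
run_inline "$EVIL" || echo "inline: shell exited with status $?"
run_via_env "$EVIL"
```

The same reasoning applies to the head_sha, server_url, repository and run_id expressions touched by this PR: whether or not a given context value can be influenced by the event's author, moving it into `env:` keeps the script body constant, which is why the blanket replacement has no downside.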
I thought I was adding reviewers. It seems I changed them instead :(
koenkooi
left a comment
Huge diff, but it looks good to me.
  id: pr_comment_prep
  run: |
    echo "## Test run [workflow](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})" > pr-comment.txt
    echo "## Test jobs for commit ${{ github.event.workflow_run.head_sha }}" >> pr-comment.txt
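Review bot: all four `${{ }}` expressions in this `run:` block (`github.server_url`, `github.repository`, `github.run_id` and `github.event.workflow_run.head_sha`) are substituted into the script text before the shell executes it, which is exactly the pattern the PR description targets; the snippet shows only the pre-change lines, so the replacement should move each value into the step's `env:` and reference it as a quoted shell variable (for example `"$HEAD_SHA"`) so that the script body itself stays constant.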
Can head_sha be considered insecure? It's not mentioned in https://securitylab.github.com/resources/github-actions-untrusted-input/
Maybe not with the way this is used here. But I think there's no disadvantage to replacing it, if this works. We would otherwise need to evaluate and ignore the warning etc.
Do we / can we have the zizmor checker integrated in our CI/PR?
I'm planning to propose it once we fix all the current warnings. I think we are down to 10 now from 100 something.
mwasilew
left a comment
This looks OK. Let me run it through next just to be sure.
Thank you, this is nice!
Enable it now, let it fail? At least this way we will see all the failures. Also, there is meta-qcom-distro ;-)
This should work: #1813
mwasilew
left a comment
All good in next branch:
https://github.com/qualcomm-linux/meta-qcom/actions/runs/23539197060
We can't verify the test-pr workflow, but I'm confident it will work OK.