From b3f6f956881718322e225129614a9a2a75ab2fc9 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 9 Jan 2025 16:38:43 +0000
Subject: [PATCH] CI: Fix potential template injection issues
---
.github/actions/prepare/action.yml | 9 ++++--
.github/workflows/audits.yml | 8 +++--
.github/workflows/book.yml | 7 ++--
.github/workflows/ci.yml | 52 ++++++++++++++++++++++--------
4 files changed, 57 insertions(+), 19 deletions(-)
diff --git a/.github/actions/prepare/action.yml b/.github/actions/prepare/action.yml
index 9ac597d495..2272c52081 100644
--- a/.github/actions/prepare/action.yml
+++ b/.github/actions/prepare/action.yml
@@ -20,7 +20,10 @@ runs:
shell: bash
run: echo "feature=test-dependencies" >> $GITHUB_OUTPUT
if: inputs.test-dependencies == 'true'
- - name: Prepare feature flags
+
+ # `steps.test.outputs.feature` cannot expand into attacker-controllable code
+ # because the previous step only enables it to have one of two fixed values.
+ - name: Prepare feature flags # zizmor: ignore[template-injection]
id: prepare
shell: bash
run: >
@@ -34,6 +37,8 @@ runs:
unstable
unstable-serialization
unstable-spanning-tree
- ${{ inputs.extra-features }}
+ $EXTRA_FEATURES
${{ steps.test.outputs.feature }}
'" >> $GITHUB_OUTPUT
+ env:
+ EXTRA_FEATURES: ${{ inputs.extra-features }}
diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml
index bdac55418f..d3a948dbb4 100644
--- a/.github/workflows/audits.yml
+++ b/.github/workflows/audits.yml
@@ -18,7 +18,9 @@ jobs:
persist-credentials: false
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- - run: rustup override set ${{steps.toolchain.outputs.name}}
+ - run: rustup override set "$TOOLCHAIN"
+ env:
+ TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- run: cargo install cargo-vet --version ~0.10
- run: cargo vet --locked
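Review bot: The new comment's "one of two fixed values" leaves the reader to reconstruct those values from the `if:` on the preceding step, which either writes the literal `feature=test-dependencies` or is skipped, so the output is the fixed string or empty. Naming them makes the zizmor ignore self-justifying: `# because the preceding step either sets it to the fixed string "test-dependencies" or is skipped, leaving it empty.` The `run: >` body that this comment vouches for continues into the next hunk.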
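Review bot: The `'` on the unchanged `'" >> $GITHUB_OUTPUT` line (and its presumed opening partner, which is above this hunk) is written into the `feature-flags` output as a literal character. That worked while consumers pasted the output into their scripts via `${{ steps.prepare.outputs.feature-flags }}`, because the shell then parsed the quotes as quoting; now that the `run:` steps in book.yml and ci.yml expand `$FEATURE_FLAGS` unquoted, the expansion undergoes word splitting but not quote removal, so cargo would most likely receive `'` as its `--features` argument and the feature names as stray positionals. Worth confirming on a CI run of this branch; if it reproduces, emit the value without shell quoting (for example a single comma-separated `--features` list) so the env-var hand-off needs no quote processing in the consumers.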
@@ -43,4 +45,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
- echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+ echo "$NEEDS" | jq -e '[ .[] | .result == "success" ] | all'
+ env:
+ NEEDS: ${{ toJSON(needs) }}
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 88bfede44b..a9091c4369 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -16,15 +16,18 @@ jobs:
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@nightly
id: toolchain
- - run: rustup override set ${{steps.toolchain.outputs.name}}
+ - run: rustup override set "$TOOLCHAIN"
+ env:
+ TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Build latest rustdocs
run: >
cargo doc
--no-deps
--workspace
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
RUSTDOCFLAGS: -Z unstable-options --enable-index-page --cfg docsrs
- name: Move latest rustdocs into book
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 85f125584e..fbbc03232a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -54,7 +54,9 @@ jobs:
run: >
cargo test
--workspace
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Verify working directory is clean
run: git diff --exit-code
@@ -113,7 +115,9 @@ jobs:
run: >
cargo test
--workspace
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Verify working directory is clean
run: git diff --exit-code
@@ -164,9 +168,11 @@ jobs:
run: >
cargo test
--workspace
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
--features expensive-tests
-- --ignored
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Verify working directory is clean
run: git diff --exit-code
@@ -221,7 +227,9 @@ jobs:
--release
--workspace
--tests
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Verify working directory is clean
run: git diff --exit-code
@@ -248,7 +256,9 @@ jobs:
key: ${{ runner.os }}-cargo-latest
- uses: dtolnay/rust-toolchain@stable
id: toolchain
- - run: rustup override set ${{steps.toolchain.outputs.name}}
+ - run: rustup override set "$TOOLCHAIN"
+ env:
+ TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Remove lockfile to build with latest dependencies
run: rm Cargo.lock
- name: Build crates
@@ -256,8 +266,10 @@ jobs:
cargo build
--workspace
--all-targets
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
--verbose
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Verify working directory is clean (excluding lockfile)
run: git diff --exit-code ':!Cargo.lock'
@@ -366,10 +378,12 @@ jobs:
name: Clippy (MSRV)
token: ${{ secrets.GITHUB_TOKEN }}
args: >
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
--all-targets
--
-D warnings
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
clippy-beta:
name: Clippy (beta)
@@ -383,7 +397,9 @@ jobs:
uses: ./.github/actions/prepare
- uses: dtolnay/rust-toolchain@beta
id: toolchain
- - run: rustup override set ${{steps.toolchain.outputs.name}}
+ - run: rustup override set "$TOOLCHAIN"
+ env:
+ TOOLCHAIN: ${{steps.toolchain.outputs.name}}
- name: Run Clippy (beta)
uses: actions-rs/clippy-check@v1
continue-on-error: true
@@ -391,10 +407,12 @@ jobs:
name: Clippy (beta)
token: ${{ secrets.GITHUB_TOKEN }}
args: >
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
--all-targets
--
-W clippy::all
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
codecov:
name: Code coverage
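Review bot: `$FEATURE_FLAGS` in the `args:` input of the Clippy (MSRV) step is probably handed to the action as a literal string rather than expanded, because `with:` inputs go to the action (`actions-rs/clippy-check@v1`, visible for the beta job in the `@@ -383,7 +397,9 @@` hunk) and not to a shell, and nothing on the page shows the action expanding `$VAR` syntax; the step-level `env:` then exports a variable that nothing reads. The same applies to the `args:` of the Clippy (beta) step in the `@@ -391,10 +407,12 @@` hunk. If the action does not expand it, either keep the `${{ steps.prepare.outputs.feature-flags }}` expression for these two inputs with a comment stating how the action consumes the value, or compute the argument string in a preceding `run:` step and pass its output here; in both cases the safety argument rests on how the action uses the input, not on a shell, so say so in the comment. The `uses:` line of the MSRV step is outside this hunk.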
@@ -422,10 +440,12 @@ jobs:
run: >
cargo tarpaulin
--engine llvm
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
--release
--timeout 600
--out xml
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v5.1.2
with:
@@ -446,8 +466,10 @@ jobs:
run: >
cargo doc
--all
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
--document-private-items
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
fmt:
name: Rustfmt
@@ -479,7 +501,9 @@ jobs:
run: >
cargo check
--workspace
- ${{ steps.prepare.outputs.feature-flags }}
+ $FEATURE_FLAGS
+ env:
+ FEATURE_FLAGS: ${{ steps.prepare.outputs.feature-flags }}
- name: Verify working directory is clean
run: git diff --exit-code
@@ -535,4 +559,6 @@ jobs:
steps:
- name: Determine whether all required-pass steps succeeded
run: |
- echo '${{ toJSON(needs) }}' | jq -e '[ .[] | .result == "success" ] | all'
+ echo "$NEEDS" | jq -e '[ .[] | .result == "success" ] | all'
+ env:
+ NEEDS: ${{ toJSON(needs) }}