Fix security warnings from zizmor #1115

danielrbradley · 2024-10-31T17:45:27Z

Experimenting with the new zizmor tool. There's still a number of false-positives so probably not yet worth integrating into our CI run, but have audited the current feedback.

Related to:

Add actions security scanning #1114

Only persist git credentials where we need to use them

Don't leave these around when we don't need to.
Explicitly set to true where we need them, with a comment highlighting why we're keeping them.
Fix a few places we weren't using the centrally managed checkout version.
Tweak the conditionals for submodules so the with: is always there now.

Use of fundamentally insecure workflow trigger - `pull_request_target`

These appear ok because we're just using this to comment on community PRs. These don't run builds

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> .github/workflows/community-moderation.yml:38:1
   |
38 | / on:
39 | |   pull_request_target:
...  |
42 | |     types:
43 | |     - opened
   | |_____________^ pull_request_target is almost always used insecurely
   |

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> .github/workflows/pull-request.yml:44:1
   |
44 | / on:
45 | |   pull_request_target: {}
   | |__________________________^ pull_request_target is almost always used insecurely
   |

Code injection via template expansion

.github/workflows/master.yml
  env.COVERAGE_OUTPUT_DIR may expand into attacker-controllable code

This is not inputtable by a third party user.

.github/workflows/prerequisites.yml
  inputs.default_branch may expand into attacker-controllable code

This is a workflow call (reusable workflow) and the input is always set as github.event.repository.default_branch.

.github/workflows/upgrade-provider.yml
  github.event.inputs.version may expand into attacker-controllable code
  steps.upstream_version.outputs.latest_version may expand into attacker-controllable code
  github.repository may expand into attacker-controllable code
  steps.target_version.outputs.version may expand into attacker-controllable code

This can only be triggered by internal users.

- Don't leave these around when we don't need to. - Explicitly set to true where we need them, with a comment highlighting why we're keeping them. - Fix a few places we weren't using the centrally managed checkout version. - Tweak the conditionals for submodules so the `with:` is always there now.

t0yv0 · 2024-11-01T14:23:51Z

Thank you for doing this! Awesome.

danielrbradley self-assigned this Oct 31, 2024

danielrbradley added 2 commits November 1, 2024 12:05

Add quoting to variable expansions

0ef0599

danielrbradley force-pushed the fix-security-warnings branch from a9c7f2f to 0ef0599 Compare November 1, 2024 12:06

danielrbradley marked this pull request as ready for review November 1, 2024 13:19

danielrbradley requested a review from a team November 1, 2024 13:19

iwahbe approved these changes Nov 1, 2024

View reviewed changes

danielrbradley mentioned this pull request Oct 31, 2024

Add actions security scanning #1114

Open

danielrbradley added this pull request to the merge queue Nov 1, 2024

Merged via the queue into master with commit f3712fc Nov 1, 2024
6 checks passed

danielrbradley deleted the fix-security-warnings branch November 1, 2024 16:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix security warnings from zizmor #1115

Fix security warnings from zizmor #1115

danielrbradley commented Oct 31, 2024 •

edited

Loading

t0yv0 commented Nov 1, 2024

Fix security warnings from zizmor #1115

Fix security warnings from zizmor #1115

Conversation

danielrbradley commented Oct 31, 2024 • edited Loading

Only persist git credentials where we need to use them

Use of fundamentally insecure workflow trigger - pull_request_target

Code injection via template expansion

t0yv0 commented Nov 1, 2024

danielrbradley commented Oct 31, 2024 •

edited

Loading

Use of fundamentally insecure workflow trigger - `pull_request_target`