[security risk] zizmor output: sanitization step needed in sigstore step of our publish pypi build #244

Open
lwasser opened this issue Dec 19, 2024 · 0 comments

lwasser commented Dec 19, 2024

I ran zizmor on our pyosMeta publish-pypi build and found some issues. I think the biggest one is we can sanitize the branch name in our sigstore step!! 🚀 There are some other token-related items that I'm not sure about.

Luckily no one uses our package besides us, but it can't hurt to clean things up!

➜ zizmor .github/workflows/publish-pypi.yml 
2024-12-19T03:38:13.605225Z  WARN zizmor: skipping impostor-commit: can't run without a GitHub API token
2024-12-19T03:38:13.605258Z  WARN zizmor: skipping ref-confusion: can't run without a GitHub API token
2024-12-19T03:38:13.605264Z  WARN zizmor: skipping known-vulnerable-actions: can't run without a GitHub API token
2024-12-19T03:38:13.607075Z  INFO audit: zizmor: 🌈 completed /Users/leahawasser/Documents/GitHub/pyos/pyosMeta/.github/workflows/publish-pypi.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/leahawasser/Documents/GitHub/pyos/pyosMeta/.github/workflows/publish-pypi.yml:18:9
   |
18 |         - name: Checkout
   |  _________-
19 | |         uses: actions/checkout@v4
...  |
24 | |
25 | |       # Need the tags so that setuptools-scm can form a valid version number
   | |____________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
   --> /Users/leahawasser/Documents/GitHub/pyos/pyosMeta/.github/workflows/publish-pypi.yml:97:7
    |
 97 |       - name: Upload artifact signatures to GitHub Release
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ this step
 98 |         env:
...
102 |         # sigstore-produced signatures and certificates.
103 | /       run: >-
104 | |         gh release upload
105 | |         '${{ github.ref_name }}' dist/**
106 | |         --repo '${{ github.repository }}'
    | |__________________________________________^ github.ref_name may expand into attacker-controllable code
    |
    = note: audit confidence → High

9 findings (7 suppressed): 0 unknown, 0 informational, 0 low, 1 medium, 1 high
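
The two findings above map to two small workflow changes. The fragment below is an added example, not part of the original issue or the project's workflow: it shows the flagged steps with `persist-credentials: false` on checkout and with the context values passed through environment variables instead of template expansion. The names `REF_NAME` and `REPO` are assumptions, as is the presence of a `with:` block on the checkout step; settings elided in the zizmor output are left as comments.

```yaml
# Added example: hardened form of the two steps zizmor flagged.
# REF_NAME and REPO are assumed variable names, not taken from the workflow.
steps:
  - name: Checkout
    uses: actions/checkout@v4
    with:
      # Keep any existing options (elided in the zizmor output) and add:
      # stops the token from being written into .git/config, where a later
      # artifact upload of the workspace could pick it up (artipacked).
      persist-credentials: false

  - name: Upload artifact signatures to GitHub Release
    env:
      # Keep the existing env entries (elided in the zizmor output) and add:
      REF_NAME: ${{ github.ref_name }}
      REPO: ${{ github.repository }}
    # Before (flagged): the expression is substituted into the script text
    # before the shell parses it, so the ref name is treated as code.
    #   run: >-
    #     gh release upload
    #     '${{ github.ref_name }}' dist/**
    #     --repo '${{ github.repository }}'
    # After: the shell reads the values from its environment as data, and
    # the double quotes keep each one a single argument.
    run: >-
      gh release upload
      "$REF_NAME" dist/**
      --repo "$REPO"
```

Re-running `zizmor .github/workflows/publish-pypi.yml` after the change is the check that both findings are gone.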

