PyPI - zizmor - Versions diffs - 0.9.1__tar.gz → 0.9.2__tar.gz - Mend

zizmor 0.9.1tar.gz → 0.9.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of zizmor might be problematic. Click here for more details.

Files changed (109) hide show

{zizmor-0.9.1 → zizmor-0.9.2}/Cargo.lock RENAMED Viewed

@@ -2594,7 +2594,7 @@ dependencies = [
 [[package]]
 name = "zizmor"
-version = "0.9.1"
+version = "0.9.2"
 dependencies = [
  "annotate-snippets",
  "anstream",

{zizmor-0.9.1 → zizmor-0.9.2}/Cargo.toml RENAMED Viewed

@@ -1,7 +1,7 @@
 [package]
 name = "zizmor"
 description = "Static analysis for GitHub Actions"
-version = "0.9.1"
+version = "0.9.2"
 edition = "2021"
 repository = "https://github.com/woodruffw/zizmor"
 homepage = "https://github.com/woodruffw/zizmor"

{zizmor-0.9.1 → zizmor-0.9.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: zizmor
-Version: 0.9.1
+Version: 0.9.2
 Summary: Static analysis for GitHub Actions
 Keywords: cli,github-actions,static-analysis,security
 Home-Page: https://github.com/woodruffw/zizmor

{zizmor-0.9.1 → zizmor-0.9.2}/docs/installation.md RENAMED Viewed

@@ -8,7 +8,7 @@ description: Installation instructions for zizmor.
 `zizmor` is available within several packaging ecosystems.
-=== "crates.io"
+=== ":simple-rust: crates.io"
     You can install `zizmor` from <https://crates.io> with `cargo`:
@@ -16,7 +16,7 @@ description: Installation instructions for zizmor.
     cargo install zizmor
     ```
-=== "Homebrew"
+=== ":simple-homebrew: Homebrew"
     `zizmor` is provided by [Homebrew](https://brew.sh/):
@@ -24,7 +24,7 @@ description: Installation instructions for zizmor.
     brew install zizmor
     ```
-=== "PyPI"
+=== ":simple-pypi: PyPI"
     !!! tip
@@ -49,7 +49,23 @@ description: Installation instructions for zizmor.
     uvx zizmor --help
     ```
-=== "Nix"
+=== ":simple-anaconda: Conda"
+    !!! note
+        This is a community-maintained package.
+    `zizmor` is available on Anaconda's conda-forge:
+    ```bash
+    conda install conda-forge::zizmor
+    ```
+    See [conda-forge/zizmor](https://anaconda.org/conda-forge/zizmor)
+    for additional information.
+=== ":material-nix: Nix"
     !!! note

{zizmor-0.9.1 → zizmor-0.9.2}/docs/snippets/trophies.md RENAMED Viewed

@@ -17,6 +17,12 @@
     Homebrew/brew#18662
+-   ![](https://github.com/NLnetLabs.png?size=40){ width="40" loading=lazy align=left } NLnetLabs/unbound
+    ---
+    NLnetLabs/unbound#1204
 -   ![](https://github.com/NetApp.png?size=40){ width="40" loading=lazy align=left } NetApp/harvest
     ---
@@ -47,12 +53,24 @@
     astropy/astropy#17315
+-   ![](https://github.com/cakephp.png?size=40){ width="40" loading=lazy align=left } cakephp/cakephp
+    ---
+    cakephp/cakephp#18081
 -   ![](https://github.com/danmar.png?size=40){ width="40" loading=lazy align=left } danmar/cppcheck
     ---
     danmar/cppcheck#7044
+-   ![](https://github.com/ethereum.png?size=40){ width="40" loading=lazy align=left } ethereum/hevm
+    ---
+    ethereum/hevm#615
 -   ![](https://github.com/hugovk.png?size=40){ width="40" loading=lazy align=left } hugovk/em-keyboard
     ---
@@ -131,6 +149,18 @@
     matplotlib/matplotlib#29251
+-   ![](https://github.com/mne-tools.png?size=40){ width="40" loading=lazy align=left } mne-tools/mne-python
+    ---
+    mne-tools/mne-python#13011
+-   ![](https://github.com/oxc-project.png?size=40){ width="40" loading=lazy align=left } oxc-project/oxc
+    ---
+    oxc-project/oxc#7844
 -   ![](https://github.com/praetorian-inc.png?size=40){ width="40" loading=lazy align=left } praetorian-inc/noseyparker
     ---
@@ -185,6 +215,36 @@
     python-pillow/Pillow#8526
+-   ![](https://github.com/python-poetry.png?size=40){ width="40" loading=lazy align=left } python-poetry/cleo
+    ---
+    python-poetry/cleo#462
+-   ![](https://github.com/python-poetry.png?size=40){ width="40" loading=lazy align=left } python-poetry/poetry-core
+    ---
+    python-poetry/poetry-core#799
+-   ![](https://github.com/python-poetry.png?size=40){ width="40" loading=lazy align=left } python-poetry/poetry-plugin-bundle
+    ---
+    python-poetry/poetry-plugin-bundle#125
+-   ![](https://github.com/python-poetry.png?size=40){ width="40" loading=lazy align=left } python-poetry/poetry-plugin-export
+    ---
+    python-poetry/poetry-plugin-export#308
+-   ![](https://github.com/python-telegram-bot.png?size=40){ width="40" loading=lazy align=left } python-telegram-bot/python-telegram-bot
+    ---
+    python-telegram-bot/python-telegram-bot#4606
 -   ![](https://github.com/python.png?size=40){ width="40" loading=lazy align=left } python/cpython
     ---

{zizmor-0.9.1 → zizmor-0.9.2}/docs/snippets/trophies.txt RENAMED Viewed

@@ -6,9 +6,11 @@
 adafruit/circuitpython#9785
 astral-sh/ruff#14844
 astropy/astropy#17315
+cakephp/cakephp#18081
 danmar/cppcheck#7044
 DataDog/datadog-agent#30871
 Diaoul/subliminal#1190
+ethereum/hevm#615
 Homebrew/brew#18662
 hugovk/em-keyboard#148
 hugovk/norwegianblue#233
@@ -23,7 +25,10 @@ hynek/stamina#81
 hynek/structlog#663
 matplotlib/matplotlib#29251
 marcusvolz/strava_py#53
+mne-tools/mne-python#13011
 NetApp/harvest#3247
+NLnetLabs/unbound#1204
+oxc-project/oxc#7844
 praetorian-inc/noseyparker#228
 prettytable/prettytable#339
 pyca/service-identity#75
@@ -35,6 +40,11 @@ python-attrs/attrs#1368
 python-attrs/cattrs#605
 python-humanize/humanize#221
 python-pillow/Pillow#8526
+python-poetry/cleo#462
+python-poetry/poetry-core#799
+python-poetry/poetry-plugin-export#308
+python-poetry/poetry-plugin-bundle#125
+python-telegram-bot/python-telegram-bot#4606
 PyO3/pyo3#4774
 rust-lang/crates.io#10176
 rustls/rustls#2261

{zizmor-0.9.1 → zizmor-0.9.2}/mkdocs.yml RENAMED Viewed

@@ -69,7 +69,9 @@ markdown_extensions:
       provider: github
       user: woodruffw
       repo: zizmor
-  - pymdownx.emoji
+  - pymdownx.emoji:
+      emoji_index: !!python/name:material.extensions.emoji.twemoji
+      emoji_generator: !!python/name:material.extensions.emoji.to_svg
   - admonition
   - pymdownx.details
   - pymdownx.superfences

{zizmor-0.9.1 → zizmor-0.9.2}/src/audit/template_injection.rs RENAMED Viewed

@@ -70,6 +70,8 @@ const SAFE_CONTEXTS: &[&str] = &[
     "runner.os",
     // GitHub Actions temporary directory, value controlled by the runner itself.
     "runner.temp",
+    // GitHub Actions cached tool directory, value controlled by the runner itself.
+    "runner.tool_cache",
 ];
 impl TemplateInjection {
@@ -185,8 +187,10 @@ impl TemplateInjection {
                             // The matrix is generated by an expression, meaning
                             // that it's trivially not static.
                             Some(LoE::Expr(_)) => false,
-                            Some(inner) => models::Matrix::new(inner).is_static(),
+                            // The matrix may expand to static values according to the context
+                            Some(inner) => {
+                                models::Matrix::new(inner).expands_to_static_values(context)
+                            }
                             // Context specifies a matrix, but there is no matrix defined.
                             // This is an invalid workflow so there's no point in flagging it.
                             None => continue,

{zizmor-0.9.1 → zizmor-0.9.2}/src/audit/use_trusted_publishing.rs RENAMED Viewed

@@ -7,6 +7,7 @@ use indexmap::IndexMap;
 use super::{audit_meta, WorkflowAudit};
 use crate::{
     finding::{Confidence, Severity},
+    models::Uses,
     state::AuditState,
 };
@@ -77,52 +78,38 @@ impl WorkflowAudit for UseTrustedPublishing {
             return Ok(findings);
         };
-        if uses.starts_with("pypa/gh-action-pypi-publish") {
-            if self.pypi_publish_uses_manual_credentials(with) {
-                findings.push(
-                    Self::finding()
-                        .severity(Severity::Informational)
-                        .confidence(Confidence::High)
-                        .add_location(
-                            step.location()
-                                .with_keys(&["uses".into()])
-                                .annotated("this step"),
-                        )
-                        .add_location(
-                            step.location()
-                                .with_keys(&["with".into(), "password".into()])
-                                .annotated(USES_MANUAL_CREDENTIAL),
-                        )
-                        .build(step.workflow())?,
-                );
-            }
-        } else if uses.starts_with("rubygems/release-gem") {
-            if self.release_gem_uses_manual_credentials(with) {
-                findings.push(
-                    Self::finding()
-                        .severity(Severity::Informational)
-                        .confidence(Confidence::High)
-                        .add_location(
-                            step.location()
-                                .with_keys(&["uses".into()])
-                                .annotated("this step"),
-                        )
-                        .add_location(step.location().annotated(USES_MANUAL_CREDENTIAL))
-                        .build(step.workflow())?,
-                );
-            }
-        } else if uses.starts_with("rubygems/configure-rubygems-credential")
-            && self.rubygems_credential_uses_manual_credentials(with)
+        let Some(Uses::Repository(uses)) = Uses::from_step(uses) else {
+            return Ok(findings);
+        };
+        let candidate = Self::finding()
+            .severity(Severity::Informational)
+            .confidence(Confidence::High)
+            .add_location(
+                step.location()
+                    .with_keys(&["uses".into()])
+                    .annotated("this step"),
+            );
+        if uses.matches("pypa/gh-action-pypi-publish")
+            && self.pypi_publish_uses_manual_credentials(with)
         {
             findings.push(
-                Self::finding()
-                    .severity(Severity::Informational)
-                    .confidence(Confidence::High)
+                candidate
                     .add_location(
                         step.location()
-                            .with_keys(&["uses".into()])
-                            .annotated("this step"),
+                            .with_keys(&["with".into(), "password".into()])
+                            .annotated(USES_MANUAL_CREDENTIAL),
                     )
+                    .build(step.workflow())?,
+            );
+        } else if ((uses.matches("rubygems/release-gem"))
+            && self.release_gem_uses_manual_credentials(with))
+            || (uses.matches("rubygems/configure-rubygems-credential")
+                && self.rubygems_credential_uses_manual_credentials(with))
+        {
+            findings.push(
+                candidate
                     .add_location(step.location().annotated(USES_MANUAL_CREDENTIAL))
                     .build(step.workflow())?,
             );

{zizmor-0.9.1 → zizmor-0.9.2}/src/models.rs RENAMED Viewed

@@ -273,11 +273,11 @@ impl<'w> Matrix<'w> {
     }
     /// Checks whether some expanded path leads to an expression
-    pub(crate) fn is_static(&self) -> bool {
-        let expands_to_expression = self
-            .expanded_values
-            .iter()
-            .any(|(_, expansion)| expansion.starts_with("${{") && expansion.ends_with("}}"));
+    pub(crate) fn expands_to_static_values(&self, context: &str) -> bool {
+        let expands_to_expression = self.expanded_values.iter().any(|(path, expansion)| {
+            let expanded_to_expression = expansion.starts_with("${{") && expansion.ends_with("}}");
+            context == path && expanded_to_expression
+        });
         !expands_to_expression
     }
@@ -551,6 +551,24 @@ pub(crate) struct RepositoryUses<'a> {
 }
 impl RepositoryUses<'_> {
+    /// Returns whether this `uses:` clause "matches" the given template.
+    /// The template is itself formatted like a normal `uses:` clause.
+    ///
+    /// This is an asymmetrical match: `actions/checkout@v3` "matches"
+    /// the `actions/checkout` template but not vice versa.
+    pub(crate) fn matches(&self, template: &str) -> bool {
+        let Some(Uses::Repository(other)) = Uses::from_step(template) else {
+            return false;
+        };
+        self.owner == other.owner
+            && self.repo == other.repo
+            && self.subpath == other.subpath
+            && other
+                .git_ref
+                .map_or(true, |git_ref| Some(git_ref) == self.git_ref)
+    }
     pub(crate) fn ref_is_commit(&self) -> bool {
         match self.git_ref {
             Some(git_ref) => git_ref.len() == 40 && git_ref.chars().all(|c| c.is_ascii_hexdigit()),
@@ -926,4 +944,33 @@ mod tests {
             .unwrap()
             .ref_is_commit());
     }
+    #[test]
+    fn test_repositoryuses_matches() {
+        for (uses, template, matches) in [
+            // OK: `uses:` is more specific than template
+            ("actions/checkout@v3", "actions/checkout", true),
+            ("actions/checkout/foo@v3", "actions/checkout/foo", true),
+            // OK: equally specific
+            ("actions/checkout@v3", "actions/checkout@v3", true),
+            ("actions/checkout", "actions/checkout", true),
+            ("actions/checkout/foo", "actions/checkout/foo", true),
+            ("actions/checkout/foo@v3", "actions/checkout/foo@v3", true),
+            // NOT OK: owner/repo do not match
+            ("actions/checkout@v3", "foo/checkout", false),
+            ("actions/checkout@v3", "actions/bar", false),
+            // NOT OK: subpath does not match
+            ("actions/checkout/foo", "actions/checkout", false),
+            ("actions/checkout/foo@v3", "actions/checkout@v3", false),
+            // NOT OK: template is more specific than `uses:`
+            ("actions/checkout", "actions/checkout@v3", false),
+            ("actions/checkout/foo", "actions/checkout/foo@v3", false),
+        ] {
+            let Some(Uses::Repository(uses)) = Uses::from_common(uses) else {
+                panic!();
+            };
+            assert_eq!(uses.matches(template), matches)
+        }
+    }
 }

{zizmor-0.9.1 → zizmor-0.9.2}/tests/snapshot.rs RENAMED Viewed

@@ -197,6 +197,7 @@ fn self_hosted() -> Result<()> {
         .workflow(workflow_under_test("self-hosted/issue-283-repro.yml"))
         .args(["--persona=auditor"])
         .run()?);
     Ok(())
 }
@@ -244,5 +245,11 @@ fn template_injection() -> Result<()> {
         .args(["--persona=auditor"])
         .run()?);
+    // Fixed regressions
+    insta::assert_snapshot!(zizmor()
+        .workflow(workflow_under_test("template-injection/issue-22-repro.yml"))
+        .run()?);
     Ok(())
 }

zizmor-0.9.2/tests/snapshots/snapshot__template_injection-3.snap ADDED Viewed

@@ -0,0 +1,6 @@
+---
+source: tests/snapshot.rs
+expression: "zizmor().workflow(workflow_under_test(\"template-injection/issue-22-repro.yml\")).run()?"
+snapshot_kind: text
+---
+No findings to report. Good job! (4 suppressed)

zizmor-0.9.2/tests/test-data/template-injection/issue-22-repro.yml ADDED Viewed

@@ -0,0 +1,64 @@
+# Adapted from :
+# https://github.com/python/cpython/blob/e2325c9db0650fc06d909eb2b5930c0573f24f71/.github/workflows/jit.yml
+# See also https://github.com/woodruffw/zizmor/issues/22#issuecomment-2543128489
+name: JIT
+on:
+  pull_request:
+jobs:
+  jit:
+    name: ${{ matrix.target }} (${{ matrix.debug && 'Debug' || 'Release' }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - x86_64-apple-darwin/clang
+          - aarch64-apple-darwin/clang
+          - x86_64-unknown-linux-gnu/gcc
+          - aarch64-unknown-linux-gnu/gcc
+        debug:
+          - true
+          - false
+        llvm:
+          - 19
+        include:
+          - target: aarch64-apple-darwin/clang
+            architecture: aarch64
+            runner: macos-14
+          - target: x86_64-unknown-linux-gnu/gcc
+            architecture: x86_64
+            runner: ubuntu-24.04
+          - target: aarch64-unknown-linux-gnu/gcc
+            architecture: aarch64
+            # Should not be flagged in the template injection audit
+            runner: ${{ github.repository_owner == 'python' && 'ubuntu-24.04-aarch64' || 'ubuntu-24.04' }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Native macOS
+        if: runner.os == 'macOS'
+        run: |
+          brew update
+          find /usr/local/bin -lname '*/Library/Frameworks/Python.framework/*' -delete
+          brew install llvm@${{ matrix.llvm }}
+          export SDKROOT="$(xcrun --show-sdk-path)"
+          ./configure --enable-experimental-jit ${{ matrix.debug && '--with-pydebug' || '' }}
+          make all --jobs 4
+          ./python.exe -m test --multiprocess 0 --timeout 4500 --verbose2 --verbose3
+      - name: Native Linux
+        if: runner.os == 'Linux' && (matrix.architecture == 'x86_64' || github.repository_owner == 'python')
+        run: |
+          sudo bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)" ./llvm.sh ${{ matrix.llvm }}
+          export PATH="$(llvm-config-${{ matrix.llvm }} --bindir):$PATH"
+          ./configure --enable-experimental-jit ${{ matrix.debug && '--with-pydebug' || '' }}
+          make all --jobs 4
+          ./python -m test --multiprocess 0 --timeout 4500 --verbose2 --verbose3