verify-action-build: match TS generics on @actions/http-client *Json calls

potiuk · potiuk · commit 8c178a61669f · 2026-05-04T10:49:38.000+02:00
Commit 920d616 added postJson/getJson/etc. as data-parse markers but the regex required `(` directly after `Json`. The real call site in rubygems/configure-rubygems-credentials v2.0.0 is `http.postJson<IdToken>(...)` — the TypeScript generic between `Json` and `(` defeated the match, so PR #795 still showed both src/oidc/assumeRole.ts and trustedPublisher.ts as unverified downloads. Allow an optional `<...>` between `Json` and `(`, and tighten the RUBYGEMS_OIDC_EXCHANGE fixture so it mirrors the v2.0.0 source verbatim (including the generic and IdTokenSchema.parse on the result). The fixture omitting the generic was the crack the original fix slipped through.
diff --git a/utils/tests/verify_action_build/test_security.py b/utils/tests/verify_action_build/test_security.py
@@ -864,10 +864,12 @@ def test_split_alone_exempts(self):
         assert _file_is_pure_data_fetch(split_fetch) is True
         assert _find_binary_downloads_js(split_fetch) == []
 
-    # The exact pattern that triggered the false positive on PR #789
+    # The exact pattern that triggered the false positive on PR #789 / #795
     # (rubygems/configure-rubygems-credentials, transitively pulled in by
     # rubygems/release-gem): @actions/http-client postJson against an OIDC
     # token-exchange endpoint. The response is a credential, not a binary.
+    # The ``<IdToken>`` generic mirrors the v2.0.0 source verbatim — earlier
+    # versions of this fixture omitted it and quietly hid a regex hole.
     RUBYGEMS_OIDC_EXCHANGE = """\
 import * as core from '@actions/core'
 import {HttpClient} from '@actions/http-client'
@@ -877,8 +879,12 @@ def test_split_alone_exempts(self):
   const webIdentityToken = await core.getIDToken(audience)
   const http = new HttpClient('rubygems-oidc-action')
   const url = `${server}/api/v1/oidc/trusted_publisher/exchange_token`
-  const res = await http.postJson(url, {jwt: webIdentityToken}, {})
-  return res.result
+  const res = await http.postJson<IdToken>(
+    url,
+    {jwt: webIdentityToken},
+    {'content-type': 'application/json', accept: 'application/json'}
+  )
+  return IdTokenSchema.parse(res.result)
 }
 """
 
diff --git a/utils/verify_action_build/security.py b/utils/verify_action_build/security.py
@@ -1080,7 +1080,10 @@ def analyze_action_metadata(
     # delJson/requestJson) auto-parse the response body as JSON. Reaching for
     # these is an explicit "treat the response as structured data" signal
     # — typical of OIDC/RPC token-exchange calls, not binary downloads.
-    re.compile(r"\.(?:get|post|put|patch|del|request)Json\s*\("),
+    # The optional ``<...>`` admits TypeScript generic type parameters
+    # (``http.postJson<IdToken>(...)``); without it the regex misses the
+    # exact call shape rubygems/configure-rubygems-credentials uses.
+    re.compile(r"\.(?:get|post|put|patch|del|request)Json(?:\s*<[^>]*>)?\s*\("),
 ]
 
 # Markers indicating the response is treated as a binary or executable —
