mitigate "extra_env" code injection via template expansion #23383
Open
cburroughs wants to merge 1 commit into
Conversation
zizmor does not like any of the places where we allow input-based template expansion. Example: https://github.com/pantsbuild/pants/security/code-scanning/102

Per the comment, "extra_env" is already limited to maintainers due to its vulnerability to shell injection. I'm not sure preventing maintainers from doing template injection is that much of an improvement, but fixing it wasn't much more work than getting an ignore comment to propagate through the yaml machinations.

NOTE: LLM assisted for both what zizmor was getting at, and generating the workaround.
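The finding class the description refers to is a `${{ inputs.* }}` expression expanded straight into a `run:` script, so the input becomes shell source text before bash ever sees it. Below is an added example (not code from the pants repository, and not zizmor itself) that walks a constructed workflow, reports such expansions, and rewrites them with the usual env-indirection pattern: the expression moves into the step's `env:` map and the script reads it as `"$VAR"`, where it is data rather than code. The workflow, job and step names are stand-ins; whether the actual PR used exactly this rewrite is not shown on the page.

```python
"""Detect and rewrite input-derived ${{ }} expansions inside `run:` steps.

Added example. The workflow below is a constructed stand-in for a
workflow_dispatch job that forwards an `extra_env` input into a shell step;
it is not pants' real workflow.
"""
from __future__ import annotations

import json
import re
from typing import Any

# Matches one `${{ ... }}` expression and captures its inner text.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")

# Expression contexts whose value comes from workflow/dispatch inputs.
INPUT_CONTEXTS = ("inputs.", "github.event.inputs.")

# Constructed workflow fragment (assumed shape, not the project's file).
WORKFLOW: dict[str, Any] = {
    "on": {"workflow_dispatch": {"inputs": {"extra_env": {"type": "string"}}}},
    "jobs": {
        "public-repos": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {
                    "name": "Run public repo tests",
                    # Vulnerable: the input is pasted into the script text itself.
                    "run": "cd ${{ github.workspace }} && env ${{ inputs.extra_env }} ./run_tests.sh",
                },
            ],
        }
    },
}


def find_input_expansions(run_script: str) -> list[str]:
    """Return the inner text of each ${{ }} expression that reads an input context."""
    return [expr for expr in EXPR_RE.findall(run_script) if expr.startswith(INPUT_CONTEXTS)]


def audit_workflow(workflow: dict[str, Any]) -> list[tuple[str, int, str]]:
    """Walk jobs -> steps and report (job_id, step_index, expression) for every
    input-derived expansion that lands inside a `run:` script."""
    findings = []
    for job_id, job in workflow.get("jobs", {}).items():
        for i, step in enumerate(job.get("steps", [])):
            script = step.get("run")
            if not isinstance(script, str):
                continue
            for expr in find_input_expansions(script):
                findings.append((job_id, i, expr))
    return findings


def env_name_for(expr: str) -> str:
    """Derive an env var name from an expression: inputs.extra_env -> EXTRA_ENV."""
    leaf = expr.rsplit(".", 1)[-1]
    return re.sub(r"[^A-Za-z0-9]", "_", leaf).upper()


def harden_step(step: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the step with each input expansion moved into `env:`
    and replaced in `run:` by a double-quoted shell variable reference.
    Expressions from other contexts (e.g. github.workspace) are left alone."""
    script = step.get("run")
    if not isinstance(script, str):
        return dict(step)
    env = dict(step.get("env", {}))

    def replace(m):
        expr = m.group(1).strip()
        if not expr.startswith(INPUT_CONTEXTS):
            return m.group(0)
        name = env_name_for(expr)
        env[name] = "${{ %s }}" % expr  # expansion now happens into the environment
        return '"$%s"' % name           # the shell sees a quoted variable, not code

    new_step = dict(step)
    new_step["run"] = EXPR_RE.sub(replace, script)
    if env:
        new_step["env"] = env
    return new_step


def hardened_workflow(workflow: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the workflow with every step passed through harden_step."""
    out = {k: v for k, v in workflow.items() if k != "jobs"}
    out["jobs"] = {
        job_id: {**job, "steps": [harden_step(s) for s in job.get("steps", [])]}
        for job_id, job in workflow.get("jobs", {}).items()
    }
    return out


if __name__ == "__main__":
    print("findings before:", audit_workflow(WORKFLOW))
    fixed = hardened_workflow(WORKFLOW)
    print("findings after: ", audit_workflow(fixed))
    print(json.dumps(fixed["jobs"]["public-repos"]["steps"][1], indent=2))
```

The rewrite quotes the variable, so a value that was meant to word-split into several `KEY=VAL` assignments would now arrive as one word; that matches the description's point that `extra_env` is a shell-injection risk by design and stays maintainer-only, with template injection being the part this pattern removes.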
Contributor
For my own education, what does
Contributor
Author
It runs the tests of a variety of open source repos that use Pants. The env var stuff is tied to how it is intended to be used. For example, if we change or add a default (
Contributor
Author
gentle ping @sureshjoshi as it sounded like your summer is somewhat less crazy now.
Test Note: https://github.com/pantsbuild/pants/actions/runs/26538042158/job/78172033584
