Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

new audit: encourage use of shell: bash #288

Open
2 tasks done
lishaduck opened this issue Dec 13, 2024 · 5 comments
Open
2 tasks done

new audit: encourage use of shell: bash #288

lishaduck opened this issue Dec 13, 2024 · 5 comments
Labels
enhancement New feature or request help wanted Extra attention is needed new-audit New audits

Comments

@lishaduck
Copy link

Pre-submission checks

  • I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
  • I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

When shell: bash isn't set, pipefail and friends aren't enabled. This makes it easy for failing ci to go undetected. Not a security issue per se, but it could be probably be exploited.

Describe the solution you'd like

Warn when there's a runs: clause without an explicit shell argument (ideally suggest using defaults.run.shell, which is much less verbose and leads people into the pit of sucess).

Additional context

I discovered zizmor yesterday, and it's great! It automates a lot of the audits I do and pointed out a lot of others I hadn't considered.
@lishaduck lishaduck added the enhancement New feature or request label Dec 13, 2024
@woodruffw woodruffw added the new-audit New audits label Dec 13, 2024
@woodruffw
Copy link
Owner

Thanks for the request @lishaduck!

This is an interesting one: I agree that this isn't a security issue per se, but is potentially worth flagging at the "auditor" level (since that level is intended for things that need manual review).

For ongoing reference, here's where the current shell behavior in GHA is documented: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#custom-shell -- set -e is enabled by default, but set -o pipefail is only enabled if shell: bash is explicitly set (TIL, I thought setting bash explicitly was exactly the same behaviorally!).

Curious what other users think about this as an audit, as well 🙂

@woodruffw woodruffw changed the title Feature: encourage use of shell: bash new audit: encourage use of shell: bash Dec 13, 2024
@dalito
Copy link

dalito commented Jan 12, 2025
edited
Loading

I also think that it would be a useful addition. See actions/runner-images#6668 for problem of swallowing exit codes in cmd and pwsh shells on Windows runners.

@woodruffw
Copy link
Owner

Thanks for the additional example. Yeah, I'd be OK with an auditor or pedantic-level audit for this!

@woodruffw woodruffw added the help wanted Extra attention is needed label Jan 12, 2025
@lishaduck
Copy link
Author

An even more pedantic suggestion would be to enforce -u as well, so shell: bash -noprofile --norc -euo pipefail {0}.
(-u fails on undefined variables, which is also a potential footgun).

That also pretty verbose, so 🤷‍♂️

@assignUser
Copy link

That also pretty verbose, so 🤷‍♂️

Could be set as the default shell on a workflow level

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed new-audit New audits
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dalito @woodruffw @assignUser @lishaduck