Closed
Description
Pre-submission checks
- I am not filing a feature request. These should be filed via the feature request form instead.
- I have looked through the open issues for a duplicate report.
Expected behavior
There should be 3 findings instead of 5. The findings on lines 55 and 74 appear to be duplicated (I could not see any visual differences in the outputs using the standard output format).
Actual behavior
```text
🌈 completed docs.yml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /Users/wtan/Projects/zizmor/docs.yml:38:9
   |
38 |         - name: Checkout Repository
   |  _________-
39 | |         uses: actions/checkout@v4
...  |
43 | |           ref: ${{ github.head_ref || github.ref }}
44 | |           fetch-depth: 0
   | |________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:55:9
   |
55 |         - name: Update Docs Reference Section and Push Changes
   |           ---------------------------------------------------- info: this step
56 |           continue-on-error: true
57 |           run: |
   |  _________-
58 | |           python docs/build_reference.py
...  |
66 | |             echo "No changes to commit"
67 | |           fi
   | |____________- info: github.head_ref may expand into attacker-controllable code
   |
   = note: audit confidence → Low
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:55:9
   |
55 |         - name: Update Docs Reference Section and Push Changes
   |           ---------------------------------------------------- info: this step
56 |           continue-on-error: true
57 |           run: |
   |  _________-
58 | |           python docs/build_reference.py
...  |
66 | |             echo "No changes to commit"
67 | |           fi
   | |____________- info: github.ref may expand into attacker-controllable code
   |
   = note: audit confidence → Low
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:74:9
   |
74 |         - name: Commit and Push Docs changes
   |           ---------------------------------- info: this step
75 |           continue-on-error: true
76 |           if: always()
77 |           run: |
   |  _________-
78 | |           git pull origin ${{ github.head_ref || github.ref }}
...  |
85 | |             echo "No changes to commit"
86 | |           fi
   | |____________- info: github.head_ref may expand into attacker-controllable code
   |
   = note: audit confidence → Low
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:74:9
   |
74 |         - name: Commit and Push Docs changes
   |           ---------------------------------- info: this step
75 |           continue-on-error: true
76 |           if: always()
77 |           run: |
   |  _________-
78 | |           git pull origin ${{ github.head_ref || github.ref }}
...  |
85 | |             echo "No changes to commit"
86 | |           fi
   | |____________- info: github.ref may expand into attacker-controllable code
   |
   = note: audit confidence → Low
info[template-injection]: code injection via template expansion
  --> /Users/wtan/Projects/zizmor/docs.yml:87:9
   |
87 |         - name: Publish Docs to https://docs.ultralytics.com
   |           -------------------------------------------------- info: this step
88 |           if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_docs == 'true')
89 |           run: |
   |  _________-
90 | |           git clone https://github.com/ultralytics/docs.git docs-repo
...  |
102 | |             git push https://${{ secrets._GITHUB_TOKEN }}@github.com/ultralytics/docs.git gh-pages
103 | |           fi
   | |_____________- info: steps.check_pypi.outputs.version may expand into attacker-controllable code
   |
   = note: audit confidence → Low
9 findings (3 suppressed): 0 unknown, 5 informational, 0 low, 1 medium, 0 high
```
Some of the code injection via template expansion findings appear twice for some reason.
Reproduction steps
zizmor version: 3a3a5c8
- run zizmor on the following workflow: https://raw.githubusercontent.com/ultralytics/ultralytics/efbcf444a1082e458b923e06acf306c380902eb6/.github/workflows/docs.yml with no other arguments
Logs
No response
Additional context
No response
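Editor's note on the security-relevant point. In the output above the two findings at line 55 (and likewise at line 74) are not byte-identical: the trailing annotation names `github.head_ref` in one and `github.ref` in the other, so the audit is emitting one finding per context reference inside the single expression `${{ github.head_ref || github.ref }}`, both pointing at the same step span. The underlying risk is the usual one for `run:` blocks: the expression is expanded into the shell script before it runs, so a fork's branch name (`github.head_ref`) becomes shell syntax. The toy checker below, added here as an illustration and not code from zizmor or from the issue author, reproduces that per-context shape, collapses the duplicates by step and expression, and rewrites a step so every expression goes through `env:` and is read back as a quoted `"$VAR"`. The `STEPS` list, the `TPL_` naming scheme and the confidence table are this example's own assumptions, not zizmor's.

```python
"""Toy template-injection checker for GitHub Actions `run:` blocks.
Added example (not zizmor's code, not the reporter's); the steps at the
bottom are constructed, loosely modelled on the flagged steps in the report."""
import re
from dataclasses import dataclass

# A `${{ ... }}` expansion and the context references it may contain.
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
CONTEXT_RE = re.compile(
    r"\b(github\.[A-Za-z0-9_.]+"
    r"|steps\.[A-Za-z0-9_-]+\.outputs\.[A-Za-z0-9_-]+"
    r"|inputs\.[A-Za-z0-9_-]+"
    r"|secrets\.[A-Za-z0-9_]+)"
)

# Contexts an outside contributor controls directly on pull_request-style
# triggers (fork branch name, PR/issue titles and bodies). Assumed table.
HIGH_CONFIDENCE = {
    "github.head_ref",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body",
}


def confidence(ctx):
    """High for known attacker-controlled contexts, Low for trigger- or
    step-dependent ones, None for values an attacker cannot influence."""
    if ctx in HIGH_CONFIDENCE:
        return "High"
    if ctx in ("github.ref", "github.ref_name") or ctx.startswith(("steps.", "inputs.", "github.event.")):
        return "Low"
    return None  # e.g. github.repository, github.sha, secrets.*


@dataclass
class Finding:
    step: int        # index of the step in the job
    expr: str        # the full `${{ ... }}` expression
    contexts: list   # context references that justify the finding
    confidence: str


def scan_per_context(steps):
    """One finding per (step, expression, context): `${{ github.head_ref || github.ref }}`
    yields two findings at the same span, the duplication seen in the report."""
    findings = []
    for i, step in enumerate(steps):
        for m in EXPR_RE.finditer(step.get("run", "")):
            for ctx in CONTEXT_RE.findall(m.group(1)):
                conf = confidence(ctx)
                if conf is not None:
                    findings.append(Finding(i, m.group(0), [ctx], conf))
    return findings


def dedup(findings):
    """Merge findings with the same step and expression: union of contexts,
    strongest confidence wins."""
    rank = {"Low": 0, "High": 1}
    merged = {}
    for f in findings:
        key = (f.step, f.expr)
        if key not in merged:
            merged[key] = Finding(f.step, f.expr, list(f.contexts), f.confidence)
            continue
        m = merged[key]
        m.contexts += [c for c in f.contexts if c not in m.contexts]
        if rank[f.confidence] > rank[m.confidence]:
            m.confidence = f.confidence
    return list(merged.values())


def harden(step):
    """Copy of the step with every `${{ ... }}` in `run` moved into `env:`,
    so the expansion lands in an environment variable (inert data) and the
    script reads it through a quoted `"$VAR"` instead of spliced-in text."""
    env = dict(step.get("env", {}))
    names = {}

    def to_env(m):
        expr = m.group(0)
        if expr not in names:
            ctxs = CONTEXT_RE.findall(m.group(1))
            base = ctxs[0] if ctxs else f"expr{len(names)}"
            # Assumed TPL_ prefix keeps clear of the runner's own GITHUB_* variables.
            name = "TPL_" + re.sub(r"[^A-Za-z0-9]", "_", base).upper()
            names[expr] = name
            env[name] = expr
        return '"$%s"' % names[expr]

    return {**step, "env": env, "run": EXPR_RE.sub(to_env, step["run"])}


# Constructed sample steps (not the real docs.yml contents).
STEPS = [
    {"name": "Commit and Push Docs changes",
     "run": "git pull origin ${{ github.head_ref || github.ref }}\ngit push origin HEAD\n"},
    {"name": "Publish Docs",
     "run": "echo \"release ${{ steps.check_pypi.outputs.version }}\" > docs-repo/VERSION\n"
            "git push https://${{ secrets.DOCS_TOKEN }}@github.com/example/docs.git gh-pages\n"},
    {"name": "Safe step", "run": "echo ${{ github.repository }} ${{ github.sha }}\n"},
]

if __name__ == "__main__":
    raw = scan_per_context(STEPS)
    print(f"{len(raw)} findings per context, {len(dedup(raw))} after dedup")
    print(harden(STEPS[0])["run"])
```

On the constructed steps the per-context scan returns three findings (two for the first step, one for the second) and the deduplicated view returns two; the hardened first step carries `TPL_GITHUB_HEAD_REF: ${{ github.head_ref || github.ref }}` in its `env:` and runs `git pull origin "$TPL_GITHUB_HEAD_REF"`, which is the shape a reviewer would ask for in the real workflow. The `artipacked` finding at line 38 is a separate issue (persisted checkout credentials) and is not addressed by this rewrite.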