GH Actions: always use env for handling user input

[jrfnl]

GitHub Actions allows workflows to define template expansions, which occur within special ${{ ... }} delimiters. These expansions happen before workflow and job execution, meaning the expansion of a given expression appears verbatim in whatever context it was performed in.

Template expansions aren't syntax-aware, meaning that they can result in unintended shell injection vectors. This is especially true when they're used with attacker-controllable expression contexts, such as github.event.issue.title (which the attacker can fully control by supplying a new issue title).

Ref:

• https://securitylab.github.com/resources/github-actions-untrusted-input/
• https://docs.zizmor.sh/audits/#template-injection

[jrfnl]

@BinaryKitten @fredden Would either of you have time to review this PR ? As this is bash and the PR is largely auto-generated via zizmor, with a fixer in beta, I would very much appreciate a second opinion on whether these fixes look correct.

[jrfnl]

FYI, there are three more of the same kind of issues reported via zizmor, which it didn't auto-fix (but which may need fixing):

error[template-injection]: code injection via template expansion
  --> .\action.yml:67:22
   |
62 |       run: |
   |       --- this run block
...
67 |           if [[ "${{ endsWith( env.XSD_FILE, '.xsd' ) }}" == "false" ]]; then
   |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Unknown

error[template-injection]: code injection via template expansion
   --> .\action.yml:108:22
    |
103 |       run: |
    |       --- this run block
...
108 |           if [[ "${{ startsWith( env.XSD_URL, 'http://' ) || startsWith( env.XSD_URL, 'https://' ) || startsWith( env.XSD_URL, 'ftp://' ) }}...
    |                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Unknown

error[template-injection]: code injection via template expansion
   --> .\action.yml:112:24
    |
103 |       run: |
    |       --- this run block
...
112 |           elif [[ "${{ endsWith( env.XSD_URL, '.xsd' ) }}" == "false" ]]; then
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Unknown

[fredden]

ends with and starts with look like GitHub Actions special functions. Those can be rewritten in bash syntax. Looking at the code though, I don't understand how these can expand into attacker-controlled code. Is there a reference that explains this case?

[jrfnl]

ends with and starts with look like GitHub Actions special functions. Those can be rewritten in bash syntax. Looking at the code though, I don't understand how these can expand into attacker-controlled code. Is there a reference that explains this case?

Yeah, my own imagination is running short a bit on these too, but here's an article someone pointed me too, which I still have to read myself too: https://www.synacktiv.com/publications/github-actions-exploitation-untrusted-input