Skip to content

fix(api-docs/rust): close template-injection on ref + pin cargo-doc-md #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
WomB0ComB0 merged 1 commit into from
May 10, 2026
Merged

fix(api-docs/rust): close template-injection on ref + pin cargo-doc-md #70

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions automation/source-repo-templates/api-docs.rust.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,17 @@ jobs:
# Single source of truth for the ref this run documents.
# workflow_dispatch can pass an alternate ref via inputs.ref;
# fall back to github.ref_name (already stripped of refs/...).
#
# The ref is routed through env: instead of being inlined via
# ${{ }}. Inlining at template-expansion time would interpolate
# the raw string into the shell literal, so a tag name with a
# single quote (Git allows it) could break out of the quoted
# context. Env indirection keeps user-controlled data on the
# variable side of the shell parser, where it cannot escape.
env:
REF_RAW: ${{ inputs.ref || github.ref_name }}
Comment on lines +52 to +53
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot May 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

While routing the ref through an environment variable successfully prevents shell injection in the run block, the subsequent logic that writes this value to $GITHUB_ENV (lines 61-63) remains vulnerable to environment variable injection. Since inputs.ref is user-controlled and can contain newlines, a malicious input could be used to set arbitrary environment variables for subsequent steps. Consider using a unique delimiter for the $GITHUB_ENV assignment or validating the input format.

run: |
raw='${{ inputs.ref || github.ref_name }}'
raw="$REF_RAW"
raw="${raw#refs/tags/}"
raw="${raw#refs/heads/}"
slug="${raw//\//-}"
Expand All @@ -68,9 +77,15 @@ jobs:
# `cargo install` rebuilds quickly when its version doesn't
# change between runs because the runner's cache reuses the
# cargo registry.
#
# The version is pinned because this binary runs with the
# repo's checkout in scope and the DOCS_REPO_PR_TOKEN secret in
# env. `--locked` alone only locks transitive resolution; it
# does NOT pin the cargo-doc-md package itself. Bumping
# requires reviewing the upstream release diff.
Comment on lines +81 to +85
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot May 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The comment states that DOCS_REPO_PR_TOKEN is in the environment (env), but this secret is only passed as an input to specific actions in later steps. It is not available in the environment of this cargo install step. While pinning the version is a good security practice, the comment should be updated for accuracy to avoid misleading future maintainers about secret exposure.

        # The version is pinned because this binary runs with the
        # repo's checkout in scope. Pinning prevents supply-chain
        # attacks where a compromised package could attempt to
        # exfiltrate secrets (like DOCS_REPO_PR_TOKEN) in later steps.
        # --locked alone does NOT pin the package itself. Bumping
        # requires reviewing the upstream release diff.

run: |
rustup toolchain install nightly --profile minimal --no-self-update
cargo install cargo-doc-md --locked
cargo install --locked --version 0.11.0 cargo-doc-md

- name: Generate rustdoc markdown
# Run cargo-doc-md across the workspace. Output goes to
Expand Down
Loading