Skip to content

fix(cache-poisoning): evaluate certain cache control expressions#1954

Merged
woodruffw merged 12 commits intozizmorcore:mainfrom
reubenwong97:feat/coordinate-extras
May 1, 2026
Merged

fix(cache-poisoning): evaluate certain cache control expressions#1954
woodruffw merged 12 commits intozizmorcore:mainfrom
reubenwong97:feat/coordinate-extras

Conversation

@reubenwong97
Copy link
Copy Markdown
Contributor

@reubenwong97 reubenwong97 commented Apr 29, 2026

Pre-submission checks

Please check these boxes:

If a checkbox is not applicable, you can leave it unchecked.

Summary

Parses known patterns in cache control expressions to determine if cache is enabled.

Test Plan

Issue reproduction integration test.

Closes #1940

@reubenwong97 reubenwong97 force-pushed the feat/coordinate-extras branch from be00505 to 120e410 Compare April 29, 2026 16:09
@reubenwong97
Copy link
Copy Markdown
Contributor Author

reubenwong97 commented Apr 29, 2026

Hi @woodruffw ,

Can you help to take a look at this when you have time? This is one of the fixes I'm less confident about in my approach.. Broadly speaking I attempted to parse the inner expression into nodes that we recognize and are relevant (in this specific case, it is very targeted to ${{ !startsWith(github.ref, 'refs/tags/') }}. Unrecognized expressions are passed through to the rest of the audit.

I am also not too pleased with the many let-else's I have, but I'm not sure if there is a better way around this..

Thank you!

@woodruffw
Copy link
Copy Markdown
Member

woodruffw commented Apr 29, 2026

Thanks @reubenwong97, I'll be able to review this in the next day or so.

woodruffw
woodruffw reviewed May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @reubenwong97! This approach looks good to me overall, I'm just going to push some tweaks + docs.

woodruffw
woodruffw reviewed May 1, 2026
View reviewed changes
Comment thread crates/zizmor/src/audit/cache_poisoning.rs Outdated
@woodruffw woodruffw added the bugfix Fixes a known bug label May 1, 2026
@woodruffw woodruffw added this to the 1.25.0 milestone May 1, 2026
@woodruffw woodruffw force-pushed the feat/coordinate-extras branch from aafc8ce to fa3cb63 Compare May 1, 2026 03:00
@woodruffw
Capture multiple triggers
5202a79 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
More clippy
b4a7d21 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Another heuristic test
f8f91ee 
Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Record changes
5287bc7 
Signed-off-by: William Woodruff <[email protected]>
woodruffw
woodruffw approved these changes May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @reubenwong97! I think there's a lot of other heuristics we could apply here over time (like for other triggers), but this is a great foundation.

@woodruffw woodruffw enabled auto-merge (squash) May 1, 2026 03:35
@woodruffw woodruffw merged commit 31e0647 into zizmorcore:main May 1, 2026
12 checks passed
@reubenwong97 reubenwong97 deleted the feat/coordinate-extras branch May 1, 2026 03:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woodruffw woodruffw woodruffw approved these changes

Assignees

No one assigned

Labels

bugfix Fixes a known bug

Projects

None yet

Milestone

1.25.0

2 participants

@reubenwong97 @woodruffw