bugfix: template-injection: mark another context as safe (#675)

woodruffw · web-flow · commit db3072104cf3 · 2025-04-16T19:02:27.000Z
diff --git a/docs/release-notes.md b/docs/release-notes.md
@@ -63,6 +63,8 @@ of `zizmor`.
   location spans for YAML inputs with comments inside block sequences (#660)
 * The [template-injection] audit no longer considers
   `github.job` dangerous (#661)
+* The [template-injection] audit no longer considers
+  `github.event.pull_request.head.repo.fork` dangerous (#675)
 
 ## v1.5.2
 
diff --git a/src/audit/template_injection.rs b/src/audit/template_injection.rs
@@ -46,6 +46,7 @@ const SAFE_CONTEXTS: &[&str] = &[
     "github.event.number",
     "github.event.pull_request.base.sha", // hexadecimal SHA ref
     "github.event.pull_request.head.sha", // hexadecimal SHA ref
+    "github.event.pull_request.head.repo.fork", // boolean
     "github.event.pull_request.commits",  // number of commits in PR
     "github.event.pull_request.number",   // the PR's own number
     "github.event.workflow_run.id",
diff --git a/tests/integration/snapshot.rs b/tests/integration/snapshot.rs
@@ -329,6 +329,14 @@ fn template_injection() -> Result<()> {
             .run()?
     );
 
+    insta::assert_snapshot!(
+        zizmor()
+            .input(input_under_test(
+                "template-injection/false-positive-menagerie.yml"
+            ))
+            .run()?
+    );
+
     Ok(())
 }
 
diff --git a/tests/integration/snapshots/integration__snapshot__template_injection-9.snap b/tests/integration/snapshots/integration__snapshot__template_injection-9.snap
@@ -0,0 +1,5 @@
+---
+source: tests/integration/snapshot.rs
+expression: "zizmor().input(input_under_test(\"template-injection/false-positive-menagerie.yml\")).run()?"
+---
+No findings to report. Good job!
diff --git a/tests/integration/test-data/template-injection/false-positive-menagerie.yml b/tests/integration/test-data/template-injection/false-positive-menagerie.yml
@@ -0,0 +1,25 @@
+name: false-positive-menagerie
+
+on: pull_request
+
+permissions: {}
+
+jobs:
+  false-positive-menagerie:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: false-positive-menagerie
+        run: |
+          # PR#402
+          echo "${{ github.action_path }}"
+          # PR#412
+          echo "${{ github.server_url }}"
+          # PR#445
+          echo "${{ github.event.pull_request.base.sha }}"
+          # PR#636
+          echo "${{ github.event.pull_request.head.sha }}"
+          # PR#661
+          echo "${{ github.job }}"
+          # PR#675
+          echo "${{ github.event.pull_request.head.repo.fork }}"
