fix(obfuscation): don't consider fromJSON(...) constant-reducible (#1178)

2025-12-23 08:47:33 +00:00 · 2025-09-26 00:25:39 -04:00 · 2025-09-26 00:25:39 -04:00 · 9ed3607f8f
commit 9ed3607f8f
parent ffd91b1eb1
5 changed files with 35 additions and 1 deletions
--- a/crates/github-actions-expressions/src/lib.rs
+++ b/crates/github-actions-expressions/src/lib.rs
@ -304,7 +304,10 @@ impl<'src> Expr<'src> {
                    || func == "startsWith"
                    || func == "endsWith"
                    || func == "toJSON"
-                    || func == "fromJSON"
+                    // TODO(ww): `fromJSON` *is* frequently reducible, but
+                    // doing so soundly with subexpressions is annoying.
+                    // We overapproximate for now and consider it non-reducible.
+                    // || func == "fromJSON"
                    || func == "join"
                {
                    args.iter().all(|e| e.constant_reducible())
--- a/crates/zizmor/tests/integration/snapshot.rs
+++ b/crates/zizmor/tests/integration/snapshot.rs
@ -812,6 +812,13 @@ fn obfuscation() -> Result<()> {
            .run()?
    );

+    insta::assert_snapshot!(
+        zizmor()
+            .input(input_under_test("obfuscation/issue-1177-repro.yml"))
+            .args(["--persona=pedantic"])
+            .run()?
+    );
+
    Ok(())
 }

--- a/crates/zizmor/tests/integration/snapshots/integrationsnapshotobfuscation-3.snap
+++ b/crates/zizmor/tests/integration/snapshots/integrationsnapshotobfuscation-3.snap
@ -0,0 +1,5 @@
+---
+source: crates/zizmor/tests/integration/snapshot.rs
+expression: "zizmor().input(input_under_test(\"obfuscation/issue-1177-repro.yml\")).args([\"--persona=pedantic\"]).run()?"
+---
+No findings to report. Good job!
--- a/crates/zizmor/tests/integration/test-data/obfuscation/issue-1177-repro.yml
+++ b/crates/zizmor/tests/integration/test-data/obfuscation/issue-1177-repro.yml
@ -0,0 +1,16 @@
+# https://github.com/zizmorcore/zizmor/issues/1177
+
+name: Issue 1177 Repro
+on: [push, pull_request]
+
+permissions: {}
+
+jobs:
+  issue-1177-repro:
+    # we should not flag this as an obfuscation finding, since it's
+    # not actually constant reducible to `!contains(Array, ...)`
+    if: ${{ !contains(fromJSON('["push", "pull_request"]'), github.event_name) }}
+    name: issue-1177-repro
+    runs-on: ubuntu-latest
+    steps:
+      - run: true
--- a/docs/release-notes.md
+++ b/docs/release-notes.md
@ -41,6 +41,9 @@ of `zizmor`.
  some cache usage variants in newer versions of `actions/setup-node`
  (#1152)

+* Fixed a bug where the [obfuscation] audit would incorrectly flag
+  some subexpressions as constant-reducible when they were not (#1170)
+
 ### Deprecations ⚠️

 * The `unknown` values for `--min-severity` and `--min-confidence`