Unset/reject environment variables that may unexpectedly affect bash

behavior
2026-04-21 07:00:27 +00:00 · 2026-04-19 10:14:16 +09:00
parent ff5a208d55
commit e15ecae65f
3 changed files with 17 additions and 4 deletions
--- a/.github/.cspell/project-dictionary.txt
+++ b/.github/.cspell/project-dictionary.txt
@@ -2,6 +2,7 @@ almalinux
 archlinux
 binstall
 callgrind
+CDPATH
 coreutils
 covgate
 cyclonedx
--- a/action.yml
+++ b/action.yml
@@ -22,7 +22,10 @@ runs:
  using: composite
  steps:
    - run: |
-        set -eu
+        if /usr/bin/env | grep -Eq '^BASH_FUNC_'; then
+          printf '::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons\n'
+          exit 1
+        fi
        if ! command -v bash >/dev/null; then
          if grep -Eq '^ID=alpine' /etc/os-release; then
            printf '::group::Install packages required for install-action (bash)\n'
@@ -41,7 +44,7 @@ runs:
          fi
        fi
        bash --noprofile --norc "${GITHUB_ACTION_PATH:?}/main.sh"
-      shell: sh
+      shell: /usr/bin/env -u ENV -u BASH_ENV -u CDPATH -u SHELLOPTS -u BASHOPTS /bin/sh -eu {0} # zizmor: ignore[misfeature] false positive
      env:
        # NB: Sync with Windows case.
        INPUT_TOOL: ${{ inputs.tool }}
@@ -54,6 +57,15 @@ runs:
    # https://github.com/actions/partner-runner-images/issues/169
    - run: |
        Set-StrictMode -Version Latest
+        if (Test-Path "Env:ENV") { Remove-Item Env:\ENV }
+        if (Test-Path "Env:BASH_ENV") { Remove-Item Env:\BASH_ENV }
+        if (Test-Path "Env:CDPATH") { Remove-Item Env:\CDPATH }
+        if (Test-Path "Env:SHELLOPTS") { Remove-Item Env:\SHELLOPTS }
+        if (Test-Path "Env:BASHOPTS") { Remove-Item Env:\BASHOPTS }
+        if (Test-Path "Env:BASH_FUNC_*") {
+          Write-Output "::error::bash function injection via BASH_FUNC_ environment variable is not allowed for security reasons"
+          exit 1
+        }
        for ($i=1; $i -le 10; $i++) {
          $prev_err_action = $ErrorActionPreference
          $ErrorActionPreference = "Continue"
--- a/tools/tidy.sh
+++ b/tools/tidy.sh
@@ -27,14 +27,14 @@ fi
 if [[ -n "${TIDY_DEV:-}" ]]; then
  image="ghcr.io/taiki-e/tidy:latest"
 else
-  image="ghcr.io/taiki-e/tidy@sha256:bce85a4321f80c09f2b68420e9149bcf7c085130ab1e1fca54443f76833cd184"
+  image="ghcr.io/taiki-e/tidy@sha256:71def761a5585e83a2672c4051aee13cd886ad5571215aee52f193454bb3cdff"
 fi
 user="$(id -u):$(id -g)"
 workdir=$(pwd)
 tmp=$(mktemp -d)
 trap -- 'rm -rf -- "${tmp:?}"' EXIT
 mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp}
-touch -- "${tmp}"/dummy
+printf '' >"${tmp}"/dummy
 code=0
 color=''
 if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then