Location
- File: .github/actions/setup-zig/action.yml
- Lines: 9-33
Classification
| Property | Value |
|---|---|
| Severity | Medium |
| Category | Other |
| CWE | CWE-494 |
| OWASP | A08:2021-Software and Data Integrity Failures |
| Confidence | Suspected |
| Likelihood | Medium |
Technical Description
The setup-zig composite action downloads a Zig compiler tarball from ziglang.org and extracts it without verifying its integrity via a cryptographic hash (SHA-256 checksum). The version string is extracted via grep/sed from build.zig.zon (which could be tampered with in a PR), and the tarball is fetched over HTTPS and piped directly to tar for extraction.
While HTTPS provides transport security, it does not protect against:
- A compromised upstream CDN or mirror serving a backdoored binary
- A malicious PR that modifies build.zig.zon to point to an attacker-controlled version string (e.g., 0.15.2/../../attacker-path; curl -f would likely catch this, but the version string is still untrusted in the PR context)
The CI workflow checks out PR code (which includes build.zig.zon) and then runs the composite action that reads the version from that file. A malicious PR author could change the minimum_zig_version to an arbitrary string that gets interpolated into the download URL.
This is a supply-chain risk: if the download is compromised or the version is tampered with, all subsequent build and test steps execute with a potentially malicious compiler.
Vulnerable Code
```bash
# ${version} comes straight from build.zig.zon, unvalidated, and the tarball is
# never compared against a known-good digest before extraction.
url="https://ziglang.org/download/${version}/zig-${arch}-${os}-${version}.tar.xz"
echo "Installing Zig ${version} from ${url}"
install_dir="${RUNNER_TOOL_CACHE:-$HOME/.cache}/zig"
mkdir -p "$install_dir"
curl -sSfL "$url" | tar -xJ -C "$install_dir"
```
Impact
Network: A supply-chain attacker who compromises the Zig download CDN, or a malicious PR author who modifies build.zig.zon, could cause the CI runner to download and execute a trojaned compiler. This would compromise all build artifacts and test results, and in the release workflow, could lead to distribution of backdoored release binaries.
Remediation
Add checksum verification after downloading the Zig tarball. Maintain a known-good hash for the expected Zig version, either in the action itself or in a companion file. Download to a temporary file, verify the hash, then extract.
Additionally, consider pinning the version string within the action or validating it against an allowlist pattern to prevent URL injection from untrusted build.zig.zon modifications.
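The following shell functions are an added illustration of the remediation above, not code from the repository's action: the version string is checked against an allowlist pattern before it reaches the URL, the tarball is downloaded to a temporary file, its SHA-256 is compared with a pinned value, and only then is it extracted. The helper names, the companion-file format (one "<version> <sha256>" pair per line) and the version pattern are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the action's own code): hardened download step for setup-zig.

# Allowlist check for the version string read from build.zig.zon. Accepts
# release versions such as 0.15.2 and dev builds such as 0.16.0-dev.123+abcdef1234
# (pattern assumed from Zig's version scheme). Anything else, including
# path traversal like 0.15.2/../../x, is rejected before it reaches the URL.
validate_version() {
  case "$1" in
    *'
'*) return 1 ;;   # embedded newline would let grep match a single good line
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-dev\.[0-9]+\+[0-9a-f]+)?$'
}

# Print the hex SHA-256 of a file, using whichever tool the runner provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeeds only when the file's digest equals the expected one.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Look up the pinned digest for a version in a companion file whose lines are
# "<version> <sha256>" (assumed format). Prints nothing when the version is absent.
lookup_hash() {
  awk -v v="$1" '$1 == v { print $2; exit }' "$2"
}

# Validate, download to a temp file, verify, then extract into install_dir.
# Fails closed: no pinned hash or a digest mismatch means nothing is extracted.
install_zig() {
  version="$1"; arch="$2"; os="$3"; install_dir="$4"; hashes="$5"
  validate_version "$version" || { echo "refusing untrusted version string: $version" >&2; return 1; }
  expected="$(lookup_hash "$version" "$hashes")"
  [ -n "$expected" ] || { echo "no pinned SHA-256 for Zig $version" >&2; return 1; }
  url="https://ziglang.org/download/${version}/zig-${arch}-${os}-${version}.tar.xz"
  tmp="$(mktemp)"
  # --proto '=https' refuses any redirect off HTTPS; -o keeps the bytes on disk for hashing.
  if curl -sSfL --proto '=https' -o "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
    mkdir -p "$install_dir"
    tar -xJ -C "$install_dir" -f "$tmp"
    rc=$?
  else
    echo "download or checksum verification failed for $url" >&2
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# In the composite action this would be called as (file name assumed):
# install_zig "$version" "$arch" "$os" "$install_dir" "$GITHUB_ACTION_PATH/zig-sha256sums.txt"
```

Keeping the pinned digests in a file that lives next to action.yml means a PR that bumps minimum_zig_version in build.zig.zon without also updating the companion file fails the build instead of silently pulling an unverified tarball, which is the review point the maintainers want.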
Created by Cerberus Merlin