Skip to content

fix: resolve template injection points#103

Merged
rapids-bot[bot] merged 6 commits intomainfrom
securitize
Apr 24, 2026
Merged

fix: resolve template injection points#103
rapids-bot[bot] merged 6 commits intomainfrom
securitize

Conversation

@gforsyth
Copy link
Copy Markdown
Contributor

@gforsyth gforsyth commented Apr 24, 2026
edited
Loading

This PR fixes several classes of security vulnerability. The diff isn't as big as I had feared, but I've also binned each set of vulnerability mitigation into separate commits for ease of review.

Changes

  • all upstream actions are pinned to SHAs (with versions in comments, so renovate still works
  • all permissions are explicitly set now, and we don't persist credentials
  • all inputs are sanitized -- this is done by moving inputs to env-variables and referencing those - there are a few places where I'm also trimming out newlines from inputs, I don't think that's actually necessary but it doesn't hurt.
  • added zizmor to pre-commit so these fixes stay in place

Keeping this as a draft for the moment.
I'll open a PR in a few RAPIDS repos pointing at this branch to confirm this doesn't break anything.

@gforsyth gforsyth added improvement Improves an existing functionality non-breaking Introduces a non-breaking change labels Apr 24, 2026
bdice
bdice approved these changes Apr 24, 2026
View reviewed changes
Comment thread telemetry-dispatch-setup/action.yml Outdated
using: 'composite'
steps:
- uses: rapidsai/shared-actions/telemetry-impls/load-then-clone@main
- uses: rapidsai/shared-actions/telemetry-impls/load-then-clone@c7f296f0a71159e86f1a676b8fd1a733c54f5563 # main
Copy link
Copy Markdown
Contributor

@bdice bdice Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to self-pin?

Copy link
Copy Markdown
Contributor Author

@gforsyth gforsyth Apr 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, no, we don't

@gforsyth gforsyth marked this pull request as ready for review April 24, 2026 14:46
@gforsyth gforsyth requested a review from a team as a code owner April 24, 2026 14:46
@gforsyth gforsyth requested a review from KyleFromNVIDIA April 24, 2026 14:46
@gforsyth
Copy link
Copy Markdown
Contributor Author

gforsyth commented Apr 24, 2026

Tested these changes in https://github.com/rapidsai/rmm/actions/runs/24892475684/job/72888704206?pr=2369 and all seems well. Going to merge this.

@gforsyth
Copy link
Copy Markdown
Contributor Author

gforsyth commented Apr 24, 2026

/merge

@rapids-bot rapids-bot Bot merged commit c004d83 into main Apr 24, 2026
3 checks passed
@gforsyth gforsyth deleted the securitize branch April 24, 2026 14:50
@gforsyth gforsyth mentioned this pull request May 4, 2026
Open
33 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bdice bdice bdice approved these changes

@KyleFromNVIDIA KyleFromNVIDIA Awaiting requested review from KyleFromNVIDIA KyleFromNVIDIA is a code owner automatically assigned from rapidsai/ci-codeowners

Assignees

No one assigned

Labels

improvement Improves an existing functionality non-breaking Introduces a non-breaking change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gforsyth @bdice