Extract context patterns from webhook schemata (#745)

Author: woodruffw

.github/workflows/codegen.yml

@@ -0,0 +1,83 @@
+name: Code generation 🤖
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 12 * * 1'
+
+permissions: {}
+
+env:
+  PR_ASSIGNEES: woodruffw
+
+jobs:
+  refresh-schemas:
+    name: Refresh JSON schemas 📈
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # for creating branches
+      pull-requests: write # for opening PRs
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: try to refresh schemas
+        run: |
+          make refresh-schemas
+
+      - name: create PR
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          commit-message: "[BOT] update JSON schemas from SchemaStore"
+          branch: refresh-schemas
+          branch-suffix: timestamp
+          title: "[BOT] update JSON schemas from SchemaStore"
+          body: |
+            :robot: :warning: :robot:
+
+            This is an automated pull request, updating the embedded JSON
+            schemas after a SchemaStore change was detected.
+
+            Please review manually before merging.
+          assignees: ${{ env.PR_ASSIGNEES }}
+          reviewers: ${{ env.PR_ASSIGNEES }}
+
+  refresh-context-capabilities:
+    name: Refresh context capabilities *️⃣
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # for creating branches
+      pull-requests: write # for opening PRs
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
+
+      - name: try to refresh context capabilities
+        run: |
+          make webhooks-to-contexts
+
+      - name: create PR
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          commit-message: "[BOT] update context capabilities"
+          branch: refresh-context-capabilities
+          branch-suffix: timestamp
+          title: "[BOT] update context-capabilities from GitHub webhooks"
+          body: |
+            :robot: :warning: :robot:
+
+            This is an automated pull request, updating the
+            context capabilities CSV after a change to GitHub's
+            webhooks was detected.
+
+            Please review manually before merging.
+          assignees: ${{ env.PR_ASSIGNEES }}
+          reviewers: ${{ env.PR_ASSIGNEES }}

.github/workflows/refresh-schemas.yml

@@ -30,8 +30,10 @@ clap = "4.5.38"
 clap-verbosity-flag = { version = "3.0.2", default-features = false }
 clap_complete = "4.5.50"
 clap_complete_nushell = "4.5.5"
+csv = "1.3.1"
 etcetera = "0.10.0"
 flate2 = "1.1.1"
+fst = "0.4.7"
 http-cache-reqwest = "0.15.1"
 human-panic = "2.0.1"
 ignore = "0.4.23"

Cargo.lock

@@ -31,6 +31,10 @@ refresh-schemas:
 	curl https://json.schemastore.org/github-workflow.json > crates/zizmor/src/data/github-workflow.json
 	curl https://json.schemastore.org/github-action.json > crates/zizmor/src/data/github-action.json
 
+.PHONY: webhooks-to-contexts
+webhooks-to-contexts: support/known-safe-contexts.txt
+	uv run --script --only-group codegen ./support/webhooks-to-contexts.py
+
 .PHONY: pinact
 pinact:
 	pinact run --update --verify

Cargo.toml

@@ -1,5 +1,6 @@
 //! Parsing and matching APIs for GitHub Actions expressions
 //! contexts (e.g. `github.event.name`).
+
 use super::Expr;
 
 /// Represents a context in a GitHub Actions expression.
@@ -47,6 +48,54 @@ impl<'src> Context<'src> {
             _ => None,
         }
     }
+
+    /// Returns the "pattern equivalent" of this context.
+    ///
+    /// This is a string that can be used to efficiently match the context,
+    /// such as is done in `zizmor`'s template-injection audit via a
+    /// finite state transducer.
+    ///
+    /// Returns None if the context doesn't have a sensible pattern
+    /// equivalent, e.g. if it starts with a call.
+    pub fn as_pattern(&self) -> Option<String> {
+        fn push_part(part: &Expr<'_>, pattern: &mut String) {
+            match part {
+                Expr::Identifier(ident) => pattern.push_str(ident.0),
+                Expr::Star => pattern.push('*'),
+                Expr::Index(idx) => match idx.as_ref() {
+                    // foo['bar'] -> foo.bar
+                    Expr::String(idx) => pattern.push_str(idx),
+                    // any kind of numeric or computed index, e.g.:
+                    // foo[0], foo[1 + 2], foo[bar]
+                    _ => pattern.push('*'),
+                },
+                _ => unreachable!("unexpected part in context pattern"),
+            }
+        }
+
+        // TODO: Optimization ideas:
+        // 1. Add a happy path for contexts that contain only
+        //    identifiers? Problem: case normalization.
+        // 2. Use `regex-automata` to return a case insensitive
+        //    automation here?
+        let mut pattern = String::with_capacity(self.raw.len());
+
+        let mut parts = self.parts.iter().peekable();
+
+        let head = parts.next()?;
+        if matches!(head, Expr::Call { .. }) {
+            return None;
+        }
+
+        push_part(head, &mut pattern);
+        for part in parts {
+            pattern.push('.');
+            push_part(part, &mut pattern);
+        }
+
+        pattern.make_ascii_lowercase();
+        Some(pattern)
+    }
 }
 
 impl PartialEq for Context<'_> {
@@ -120,33 +169,28 @@ impl<'src> ContextPattern<'src> {
         }
     }
 
+    fn compare_part(pattern: &str, part: &Expr<'src>) -> bool {
+        if pattern == "*" {
+            true
+        } else {
+            match part {
+                Expr::Identifier(part) => pattern.eq_ignore_ascii_case(part.0),
+                Expr::Index(part) => match part.as_ref() {
+                    Expr::String(part) => pattern.eq_ignore_ascii_case(part),
+                    _ => false,
+                },
+                _ => false,
+            }
+        }
+    }
+
     fn compare(&self, ctx: &Context<'src>) -> Option<Comparison> {
         let mut pattern_parts = self.0.split('.').peekable();
         let mut ctx_parts = ctx.parts.iter().peekable();
 
         while let (Some(pattern), Some(part)) = (pattern_parts.peek(), ctx_parts.peek()) {
-            // TODO: Refactor this; it's way too hard to read.
-            match (*pattern, part) {
-                // Calls can't be compared to patterns.
-                (_, Expr::Call { .. }) => return None,
-                // "*" matches any part.
-                ("*", _) => {}
-                (_, Expr::Star) => return None,
-                (pattern, Expr::Identifier(part)) if !pattern.eq_ignore_ascii_case(part.0) => {
-                    return None;
-                }
-                (pattern, Expr::Index(idx)) => {
-                    // Anything other than a string index is invalid
-                    // for part-wise comparison.
-                    let Expr::String(part) = idx.as_ref() else {
-                        return None;
-                    };
-
-                    if !pattern.eq_ignore_ascii_case(part) {
-                        return None;
-                    }
-                }
-                _ => {}
+            if !Self::compare_part(pattern, part) {
+                return None;
             }
 
             pattern_parts.next();
@@ -253,6 +297,45 @@ mod tests {
         }
     }
 
+    #[test]
+    fn test_context_as_pattern() {
+        for (case, expected) in &[
+            // Basic cases.
+            ("foo", Some("foo")),
+            ("foo.bar", Some("foo.bar")),
+            ("foo.bar.baz", Some("foo.bar.baz")),
+            ("foo.bar.baz_baz", Some("foo.bar.baz_baz")),
+            ("foo.bar.baz-baz", Some("foo.bar.baz-baz")),
+            ("foo.*", Some("foo.*")),
+            ("foo.bar.*", Some("foo.bar.*")),
+            ("foo.*.baz", Some("foo.*.baz")),
+            ("foo.*.*", Some("foo.*.*")),
+            // Case sensitivity.
+            ("FOO", Some("foo")),
+            ("FOO.BAR", Some("foo.bar")),
+            ("FOO.BAR.BAZ", Some("foo.bar.baz")),
+            ("FOO.BAR.BAZ_BAZ", Some("foo.bar.baz_baz")),
+            ("FOO.BAR.BAZ-BAZ", Some("foo.bar.baz-baz")),
+            ("FOO.*", Some("foo.*")),
+            ("FOO.BAR.*", Some("foo.bar.*")),
+            ("FOO.*.BAZ", Some("foo.*.baz")),
+            ("FOO.*.*", Some("foo.*.*")),
+            // Indexes.
+            ("foo.bar.baz[0]", Some("foo.bar.baz.*")),
+            ("foo.bar.baz['abc']", Some("foo.bar.baz.abc")),
+            ("foo.bar.baz[0].qux", Some("foo.bar.baz.*.qux")),
+            ("foo.bar.baz[0].qux[1]", Some("foo.bar.baz.*.qux.*")),
+            ("foo[1][2][3]", Some("foo.*.*.*")),
+            ("foo.bar[abc]", Some("foo.bar.*")),
+            ("foo.bar[abc()]", Some("foo.bar.*")),
+            // Invalid cases
+            ("foo().bar", None),
+        ] {
+            let ctx = Context::try_from(*case).unwrap();
+            assert_eq!(ctx.as_pattern().as_deref(), *expected);
+        }
+    }
+
     #[test]
     fn test_contextpattern_new() {
         for (case, expected) in &[