feat: another template injection sink

Author: woodruffw

crates/zizmor/src/audit/template_injection.rs

@@ -56,16 +56,22 @@ static ACTION_INJECTION_SINKS: LazyLock<Vec<(RepositoryUsesPattern, Vec<&str>)>>
         )
         .unwrap();
 
-        // These sinks are not tracked by CodeQL (yet)
-        sinks.push(("amadevus/pwsh-script".parse().unwrap(), vec!["script"]));
-        sinks.push((
-            "jannekem/run-python-script-action".parse().unwrap(),
-            vec!["script"],
-        ));
-        sinks.push((
-            "cardinalby/js-eval-action".parse().unwrap(),
-            vec!["expression"],
-        ));
+        sinks.extend([
+            // These sinks are not tracked by CodeQL (yet)
+            ("amadevus/pwsh-script".parse().unwrap(), vec!["script"]),
+            (
+                "jannekem/run-python-script-action".parse().unwrap(),
+                vec!["script"],
+            ),
+            (
+                "cardinalby/js-eval-action".parse().unwrap(),
+                vec!["expression"],
+            ),
+            (
+                "addnab/docker-run-action".parse().unwrap(),
+                vec!["options", "run"],
+            ),
+        ]);
         sinks
     });
 

crates/zizmor/tests/integration/test-data/template-injection/addnab-docker-run-action.yml

@@ -0,0 +1,27 @@
+# testcases for addnab/docker-run-action
+
+name: test-addnab-docker-run-action
+on: [push]
+
+permissions: {}
+
+jobs:
+  some-job:
+    name: some-job
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: injection-in-run
+        uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185
+        with:
+          image: ubuntu:latest
+          options: --rm
+          run: |
+            echo "The current branch is ${{ github.ref }}"
+
+      - name: injection-in-options
+        uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185
+        with:
+          image: ubuntu:latest
+          options: ${{ github.ref }}
+          run: echo "lol"