Fix help[template-injection]: code injection via template expansion

Author: hugovk

.github/workflows/build.yml

@@ -418,7 +418,7 @@ jobs:
         #
         # (GH-104097) test_sysconfig is skipped because it has tests that are
         # failing when executed from inside a virtual environment.
-        ${{ env.VENV_PYTHON }} -m test \
+        "${VENV_PYTHON}" -m test \
           -W \
           -o \
           -j4 \

.github/workflows/reusable-docs.yml

@@ -41,15 +41,15 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         # Fetch enough history to find a common ancestor commit (aka merge-base):
-        git fetch origin ${{ env.refspec_pr }} --depth=$(( ${{ env.commits }} + 1 )) \
+        git fetch origin "${refspec_pr}" --depth=$(( commits + 1 )) \
           --no-tags --prune --no-recurse-submodules
 
         # This should get the oldest commit in the local fetched history (which may not be the commit the PR branched from):
-        COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 ${{ env.branch_pr }} )
+        COMMON_ANCESTOR=$( git rev-list --first-parent --max-parents=0 --max-count=1 "${branch_pr}" )
         DATE=$( git log --date=iso8601 --format=%cd "${COMMON_ANCESTOR}" )
 
         # Get all commits since that commit date from the base branch (eg: master or main):
-        git fetch origin ${{ env.refspec_base }} --shallow-since="${DATE}" \
+        git fetch origin "${refspec_base}" --shallow-since="${DATE}" \
           --no-tags --prune --no-recurse-submodules
     - name: 'Set up Python'
       uses: actions/setup-python@v5
@@ -71,7 +71,7 @@ jobs:
       if: github.event_name == 'pull_request'
       run: |
         python Doc/tools/check-warnings.py \
-          --annotate-diff '${{ env.branch_base }}' '${{ env.branch_pr }}' \
+          --annotate-diff "${branch_base}" "${branch_pr}" \
           --fail-if-regression \
           --fail-if-improved \
           --fail-if-new-news-nit

.github/workflows/reusable-tsan.yml

@@ -52,7 +52,7 @@ jobs:
         sudo sysctl -w vm.mmap_rnd_bits=28
     - name: TSAN Option Setup
       run: |
-        echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/${{ env.SUPPRESSIONS_PATH }} handle_segv=0" >> "$GITHUB_ENV"
+        echo "TSAN_OPTIONS=log_path=${GITHUB_WORKSPACE}/tsan_log suppressions=${GITHUB_WORKSPACE}/${SUPPRESSIONS_PATH} handle_segv=0" >> "$GITHUB_ENV"
         echo "CC=clang" >> "$GITHUB_ENV"
         echo "CXX=clang++" >> "$GITHUB_ENV"
     - name: Add ccache to PATH
@@ -64,7 +64,7 @@ jobs:
         save: ${{ github.event_name == 'push' }}
         max-size: "200M"
     - name: Configure CPython
-      run: ${{ env.OPTIONS }}
+      run: "${OPTIONS}"
     - name: Build CPython
       run: make -j4
     - name: Display build info

.github/workflows/reusable-ubuntu.yml

@@ -96,7 +96,7 @@ jobs:
       if: ${{ !inputs.free-threading }}
       run: >-
         python Tools/build/check_warnings.py
-        --compiler-output-file-path=${{ env.CPYTHON_BUILDDIR }}/compiler_output_ubuntu.txt
+        --compiler-output-file-path="${CPYTHON_BUILDDIR}/compiler_output_ubuntu.txt"
         --warning-ignore-file-path "${GITHUB_WORKSPACE}/Tools/build/.warningignore_ubuntu"
         --compiler-output-type=gcc
         --fail-on-regression

.github/workflows/reusable-wasi.yml

@@ -36,9 +36,9 @@ jobs:
     - name: "Install WASI SDK"  # Hard-coded to x64.
       if: steps.cache-wasi-sdk.outputs.cache-hit != 'true'
       run: |
-        mkdir ${{ env.WASI_SDK_PATH }} && \
-        curl -s -S --location https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${{ env.WASI_SDK_VERSION }}/wasi-sdk-${{ env.WASI_SDK_VERSION }}.0-x86_64-linux.tar.gz | \
-        tar --strip-components 1 --directory ${{ env.WASI_SDK_PATH }} --extract --gunzip
+        mkdir "${WASI_SDK_PATH}" && \
+        curl -s -S --location "https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${WASI_SDK_VERSION}/wasi-sdk-${WASI_SDK_VERSION}.0-x86_64-linux.tar.gz" | \
+        tar --strip-components 1 --directory "${WASI_SDK_PATH}" --extract --gunzip
     - name: "Configure ccache action"
       uses: hendrikmuhs/[email protected]
       with:
@@ -74,6 +74,6 @@ jobs:
     - name: "Make host"
       run: python3 Tools/wasm/wasi.py make-host
     - name: "Display build info"
-      run: make --directory ${{ env.CROSS_BUILD_WASI }} pythoninfo
+      run: make --directory "${CROSS_BUILD_WASI}" pythoninfo
     - name: "Test"
-      run: make --directory ${{ env.CROSS_BUILD_WASI }} test
+      run: make --directory "${CROSS_BUILD_WASI}" test

.github/workflows/reusable-windows-msi.yml

@@ -24,4 +24,4 @@ jobs:
       with:
         persist-credentials: false
     - name: Build CPython installer
-      run: .\Tools\msi\build.bat --doc -${{ env.ARCH }}
+      run: .\Tools\msi\build.bat --doc -"${ARCH}"

.github/workflows/reusable-windows.yml

@@ -39,7 +39,7 @@ jobs:
       run: >-
         .\\PCbuild\\build.bat
         -e -d -v
-        -p ${{ env.ARCH }}
+        -p "${ARCH}"
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
     - name: Display build info  # FIXME(diegorusso): remove the `if`
       if: inputs.arch != 'arm64'
@@ -48,6 +48,6 @@ jobs:
       if: inputs.arch != 'arm64'
       run: >-
         .\\PCbuild\\rt.bat
-        -p ${{ env.ARCH }}
+        -p "${ARCH}"
         -d -q --fast-ci
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}

.pre-commit-config.yaml

@@ -65,7 +65,6 @@ repos:
     rev: v0.8.0
     hooks:
       - id: zizmor
-        args: [--min-severity=medium]
 
   - repo: https://github.com/sphinx-contrib/sphinx-lint
     rev: v1.0.0