fix: preserve env var case in template injection fixes (#1766)

* fix: preserve env var case in template injection fixes

`context_to_env_var()` unconditionally uppercased all generated
env var names. For `env.*` contexts this changes the variable name
(e.g. `env.build_tag` → `BUILD_TAG`), silently breaking workflows
on Linux where env vars are case-sensitive.

Only uppercase for non-env contexts, where we're creating new
variable names. For env contexts, preserve the original casing.

Fixes #1765

* Record changes

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: William Woodruff <[email protected]>

Author: gcl-sekoia

crates/zizmor/src/audit/template_injection.rs

@@ -216,7 +216,8 @@ impl TemplateInjection {
         // TODO: We could probably go a step further here and avoid the
         // loop below entirely, since we expect `env` contexts to only
         // have a single part, i.e. `foo.bar` and never `foo.bar.baz`.
-        if ctx.child_of("env") {
+        let is_env_context = ctx.child_of("env");
+        if is_env_context {
             ctx_parts.next();
         }
 
@@ -271,7 +272,16 @@ impl TemplateInjection {
             }
         }
 
-        Some(env_parts.join("_").to_uppercase())
+        let env_var = env_parts.join("_");
+
+        // For `env` contexts, preserve the original case since these refer
+        // to existing environment variables. GitHub recommends treating
+        // environment variables as case sensitive.
+        if is_env_context {
+            Some(env_var)
+        } else {
+            Some(env_var.to_uppercase())
+        }
     }
 
     /// Attempts to produce a `Fix` for a given expression.
@@ -1059,7 +1069,7 @@ jobs:
                           echo "User: ${GITHUB_ACTOR}"
                           echo "User: ${GITHUB_ACTOR}"
                           echo "User: ${GITHUB_ACTOR}"
-                          echo "User: ${GITHUB_ACTOR}"
+                          echo "User: ${github_actor}"
                 "#);
             }
         );
@@ -1173,11 +1183,11 @@ jobs:
             // Computed indices not supported
             ("foo.bar[computed]", None),
             ("foo.bar[abc && def]", None),
-            // env contexts should have the env prefix removed
+            // env contexts should have the env prefix removed and preserve case
             ("env.FOO_BAR", Some("FOO_BAR")),
-            ("env.foo_bar", Some("FOO_BAR")),
-            ("ENV.foo_bar", Some("FOO_BAR")),
-            ("ENV['foo_bar']", Some("FOO_BAR")),
+            ("env.foo_bar", Some("foo_bar")),
+            ("ENV.foo_bar", Some("foo_bar")),
+            ("ENV['foo_bar']", Some("foo_bar")),
             ("env.GITHUB_ACTOR", Some("GITHUB_ACTOR")),
             // FIXME: soundness hole
             (

docs/release-notes.md

@@ -28,6 +28,9 @@ of `zizmor`.
 * The [dependabot-cooldown] audit no longer flags missing cooldowns for
   the `pre-commit` ecosystem, which does not support cooldown configuration (#1758)
 
+* Fixed a bug where auto-fixes for the [template-injection] audit would fail
+  to preserve an environment variable's casing (#1766)
+
 ## 1.23.1
 
 ### Bug Fixes 🐛