
Fun with Finite State Transducers


Aug 14, 2025

Tags: devblog, programming, rust, zizmor

I recently solved an interesting problem inside zizmor with a type of state machine/automaton I hadn’t used before: a finite state transducer (FST). This is just a quick write-up of the problem and how I solved it.

This ended up being an order of magnitude smaller in terms of representation (~14.5 KB instead of ~240 KB) and faster and more memory efficient than my naïve initial approaches (tables and prefix trie walks).

If this step is part of a workflow that grants elevated privileges to third parties (like pull_request_target), an attacker can contrive a git ref that escapes the shell quoting and runs arbitrary code.

${{ github.event.pull_request.merged }} is populated by GitHub’s backend and can only expand to true or false, but requires us to know a priori that it’s a “safe” context; ${{ github.actor }} is an arbitrary string, but is limited in structure to characters that make it infeasible to perform a useful injection with (no semicolons, $, &c.).
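The distinction above (an expansion that is structurally safe versus one that is assumed attacker-influenceable) is what a template-injection audit has to encode per context. The following is an added example, not zizmor's code and not the FST the post describes: it scans a step's `run:` script for `${{ ... }}` expressions, classifies each against a small capability table, reports the ones that are not provably safe, and shows the standard mitigation of passing the value through `env:` so it reaches the shell as data rather than script text. The capability table, the `KNOWN_CONTEXTS` name and the sample scripts are assumptions of this example; the table covers only the two contexts the post names.

```python
import re

# Capability classes, following the distinction the post draws:
#   "structured": expands only to a fixed vocabulary (true/false here)
#   "fixed":      arbitrary string, but restricted to a character set that
#                 cannot escape shell quoting (no ';', '$', '&', ...)
#   "arbitrary":  anything not known to be safe is assumed injectable
# Assumed table for this example; a real audit needs a far larger one.
KNOWN_CONTEXTS = {
    "github.event.pull_request.merged": "structured",
    "github.actor": "fixed",
}

# Matches the body of a GitHub Actions expression: ${{ <body> }}
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def classify(expr: str) -> str:
    """Return the capability class of one expression body (text inside ${{ }})."""
    return KNOWN_CONTEXTS.get(expr.strip(), "arbitrary")


def find_expressions(script: str) -> list[str]:
    """Return every expression body that appears in a run: script, in order."""
    return EXPR_RE.findall(script)


def audit_run_script(script: str) -> list[tuple[str, str]]:
    """Return (expression, class) pairs for every expansion that is not provably
    safe, i.e. each finding a reviewer should look at."""
    return [(e, classify(e)) for e in find_expressions(script)
            if classify(e) == "arbitrary"]


def harden(script: str) -> tuple[str, dict[str, str]]:
    """Rewrite each arbitrary expansion into a shell variable populated from an
    env: mapping (the mitigation GitHub documents; not part of the post).
    Existing quoting in the script is preserved, so an expansion that was
    unquoted in the original still needs quoting by the author."""
    env: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        expr = m.group(1).strip()
        if classify(expr) != "arbitrary":
            return m.group(0)  # safe context: leave the expression in place
        name = re.sub(r"[^A-Za-z0-9]", "_", expr).upper()
        env[name] = "${{ " + expr + " }}"
        return "${" + name + "}"

    return EXPR_RE.sub(repl, script), env


# Constructed sample run: scripts (not from the post).
SAFE_SCRIPT = (
    'echo "merged=${{ github.event.pull_request.merged }} by ${{ github.actor }}"'
)
RISKY_SCRIPT = 'git checkout "${{ github.event.pull_request.head.ref }}"'

if __name__ == "__main__":
    for label, script in (("safe", SAFE_SCRIPT), ("risky", RISKY_SCRIPT)):
        findings = audit_run_script(script)
        print(f"{label}: {findings or 'no findings'}")
        if findings:
            rewritten, env = harden(script)
            print("  hardened run:", rewritten)
            print("  env:", env)
```

The classifier deliberately treats every unknown context as arbitrary, so the false-positive direction is the safe one; the real work of an audit is filling in the capability table for the contexts that are actually safe, which is the lookup the post compresses into an FST.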
