ci: verify more

This downloads Process Monitor and verifies that the installer does not
try to access any other files that are in the same directory as the
installer. This is necessary to ensure that InnoSetup is not susceptible
to DLL hijacking/side-loading attacks.

Signed-off-by: Johannes Schindelin <[email protected]>

.github/workflows/build.yml

@@ -110,6 +110,37 @@ jobs:
           ver="$(sed -n 's/^set VER=//p' <build.bat)" &&
           mt '-inputresource:Output\innosetup-'$ver.exe -out:innosetup-$ver.manifest &&
           cat innosetup-$ver.manifest &&
+          mkdir -p trace &&
+          echo "$ver" >trace/ver &&
+          curl -LO https://download.sysinternals.com/files/ProcessMonitor.zip &&
+          unzip ProcessMonitor.zip &&
+          # Need to start the background process via PowerShell because it would
+          # block for some reason if started as a Bash background process.
+          powershell -command 'start-process -NoNewWindow -FilePath .\Procmon.exe -ArgumentList "-AcceptEula -Quiet -BackingFile trace/procmon.pml -RunTime 60"' &&
+          test $? = 0 &&
+          ps -W &&
+          ./Procmon.exe -AcceptEula -WaitForIdle &&
           ./Output/innosetup-$ver.exe //verysilent //dir=InnoSetup //noicons \
             //tasks= //portable=1 &&
-          test -x InnoSetup/ISCC.exe
+          test -x InnoSetup/ISCC.exe &&
+          ./Procmon.exe -Terminate -Quiet &&
+          powershell -command 'start-process -NoNewWindow -Wait -FilePath .\Procmon.exe -ArgumentList "-OpenLog trace\procmon.pml -SaveAs trace\procmon.csv"'
+      - name: upload trace
+        uses: actions/upload-artifact@v3
+        with:
+          name: trace
+          path: trace
+      - name: check trace
+        shell: bash
+        run: |
+          set -x &&
+          curdir="$(cygpath -aw Output | sed 's/\\/&&/g')" &&
+          ver="$(sed 's/\./\\&/g' <trace/ver)" &&
+          sed -ne '/"'$curdir'\\innosetup-'$ver'\.\(exe\|exe\.Config\|en-US\|en\|ENU\|EN\)"/d' -e '/"'$curdir'\\/p' \
+            trace/procmon.csv >trace/filtered.csv &&
+          if test -s trace/filtered.csv
+          then
+            echo ":error:Unexpected filesystem access" >&2
+            cat trace/filtered.csv >&2
+            exit 1
+          fi