
Commit 0f82786

Merge pull request #2553 from vamshi-stepsecurity/fix/wild-card-for-actions
Fix/wild card for actions
2 parents bbbbe1e + d1cf9aa commit 0f82786


8 files changed

+147
-5
lines changed


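--- a/remediation/workflow/pin/pinactions.go
+++ b/remediation/workflow/pin/pinactions.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -261,8 +260,15 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 // Function to check if an action matches any pattern in the list
 func ActionExists(actionName string, patterns []string) bool {
 	for _, pattern := range patterns {
-		// Use filepath.Match to match the pattern
-		matched, err := filepath.Match(pattern, actionName)
+		// Convert glob pattern to regex for path matching
+		// Replace * with [^/]* to match within a path segment
+		// Replace **/ with .* to match across path segments
+		regexPattern := strings.ReplaceAll(pattern, "**", "§§")
+		regexPattern = strings.ReplaceAll(regexPattern, "*", "[^/]*")
+		regexPattern = strings.ReplaceAll(regexPattern, "§§", ".*")
+		regexPattern = "^" + regexPattern + "($|/)"
+
+		matched, err := regexp.MatchString(regexPattern, actionName)
 		if err != nil {
 			// Handle invalid patterns
 			fmt.Printf("Error matching pattern: %v\n", err)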
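Review bot: The glob-to-regex conversion at new lines 266-269 never escapes the pattern, so regex metacharacters that are legal in an action reference — `.` most commonly, but also `+`, `(` and `[` — keep their regex meaning: `my.org/*` also matches `myXorg/foo`, and a pattern containing `[` or `(` fails to compile and drops into the error branch, which prints and moves on. Since `patterns` is the exemption list that decides which `uses:` references are left unpinned, a pattern matching more than its author wrote silently widens the set of actions the pinner skips. Quote the pattern with `regexp.QuoteMeta` before substituting the wildcards, and substitute the escaped forms, as below. `regexp.MatchString` also recompiles the expression on every call; compiling each pattern once with `regexp.Compile` and reusing it would be cheaper, though this loop is presumably not hot. The body of `ActionExists` continues past the end of the hunk.
```go
	for _, pattern := range patterns {
		// Escape regex metacharacters first so "." or "+" in a pattern stay literal;
		// QuoteMeta turns "*" into `\*`, so the wildcard substitutions use the escaped forms.
		regexPattern := regexp.QuoteMeta(pattern)
		regexPattern = strings.ReplaceAll(regexPattern, `\*\*`, "§§")
		regexPattern = strings.ReplaceAll(regexPattern, `\*`, "[^/]*")
		regexPattern = strings.ReplaceAll(regexPattern, "§§", ".*")
		regexPattern = "^" + regexPattern + "($|/)"
		// … unchanged: regexp.MatchString call and error handling …
```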

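--- a/remediation/workflow/pin/pinactions_test.go
+++ b/remediation/workflow/pin/pinactions_test.go
@@ -33,6 +33,21 @@ func TestPinActions(t *testing.T) {
 		}
 	]`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/evans/shield/commits/v1",
+		httpmock.NewStringResponder(200, `a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbd`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/evans/shield/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+		{
+		  "ref": "refs/tags/v1.0.3",
+		  "object": {
+			"sha": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbd",
+			"type": "commit"
+		  }
+		}
+	]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/master",
 		httpmock.NewStringResponder(200, `61b9e3751b92087fd0b06925ba6dd6314e06f089`))
 
@@ -308,10 +323,9 @@ func TestPinActions(t *testing.T) {
 		{fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true},
-		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},
+		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*", "starc/*"}, pinToImmutable: true},
 		{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
 		{fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
-		{fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true},
 	}
 	for _, tt := range tests {
 
@@ -330,6 +344,7 @@ func TestPinActions(t *testing.T) {
 			actionCommitMap = map[string]string{
 				"peter-evans-test/close-issue@v1": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam",
 				"peter-check/[email protected]": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53tom",
+				"evans/shield-test/@v1.2.5": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53cat",
 			}
 		}
 
@@ -374,3 +389,36 @@ func Test_isAbsolute(t *testing.T) {
 		})
 	}
 }
+
+func TestActionExists(t *testing.T) {
+	result := ActionExists("actions/checkout", []string{"actions/checkout"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned false for actions/checkout")
+	}
+
+	result = ActionExists("actions/checkout", []string{"actions/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned false for actions/checkout")
+	}
+
+	result = ActionExists("actions/checkout/something", []string{"actions/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+
+	result = ActionExists("step-security/checkout/something", []string{"step-*/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+
+	result = ActionExists("step-security/checkout-release/something", []string{"*/checkout-*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+
+}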
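Review bot: `TestActionExists` only asserts matches, so nothing checks that `[^/]*` actually stops at a path separator or that a non-matching owner is rejected — which is the property that keeps the exemption list from skipping actions it was not meant to skip; the messages at new lines 409, 415 and 421 are also copy-pasted and say "returned true" on a `!result` branch. Add negative cases next to the positive ones, e.g. `if ActionExists("other/checkout", []string{"actions/*"}) { t.Errorf("actions/* must not match other/checkout") }` and `if ActionExists("actions/checkout", []string{"actions/check"}) { t.Errorf("prefix without wildcard must not match") }`, and drop the `t.Log(result)` calls, which only add noise; a table-driven form with name, action, patterns and want fields would make each case a one-liner. Separately, the `pinusingmap.yml` entry removed at old line 314 is the only case in this section that exercised the fixture this commit extends (new line 347 and the pinusingmap input/output files); unless it is re-added elsewhere in the table outside the hunk, the new trailing-slash reference is never run through `PinActions`.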

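--- a/testfiles/pinactions/input/basic.yml
+++ b/testfiles/pinactions/input/basic.yml
@@ -11,6 +11,12 @@ jobs:
     steps:
       - name: Close Issue
         uses: peter-evans/close-issue@v1
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+
+      - name: test case
+        uses: evans/shield/@v1
         with:
           issue-number: 1
           comment: Auto-closing issue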

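--- a/testfiles/pinactions/input/exemptaction.yml
+++ b/testfiles/pinactions/input/exemptaction.yml
@@ -38,6 +38,38 @@ jobs:
       - name: publish on version change
         id: publish_nuget
         uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: praveen/publish-nuget/to-version@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 3
+        id: publish_nuget
+        uses: aman-action/move/to-main@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: smith/seperate/from-version@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: starc/swing/from-version/@v2
         with:
           PROJECT_FILE_PATH: Core/Core.csproj
           NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}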

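--- a/testfiles/pinactions/input/pinusingmap.yml
+++ b/testfiles/pinactions/input/pinusingmap.yml
@@ -23,6 +23,12 @@ jobs:
 
       - name: Close Issue
         uses: peter-check/[email protected]
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+
+      - name: test case
+        uses: evans/shield-test/@v1.2.5
         with:
           issue-number: 1
           comment: Auto-closing issue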

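--- a/testfiles/pinactions/output/basic.yml
+++ b/testfiles/pinactions/output/basic.yml
@@ -11,6 +11,12 @@ jobs:
     steps:
       - name: Close Issue
         uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+
+      - name: test case
+        uses: evans/shield/@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbd # v1.0.3
         with:
           issue-number: 1
           comment: Auto-closing issue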

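--- a/testfiles/pinactions/output/exemptaction.yml
+++ b/testfiles/pinactions/output/exemptaction.yml
@@ -38,6 +38,38 @@ jobs:
       - name: publish on version change
         id: publish_nuget
         uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: praveen/publish-nuget/to-version@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 3
+        id: publish_nuget
+        uses: aman-action/move/to-main@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: smith/seperate/from-version@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: starc/swing/from-version/@v2
         with:
           PROJECT_FILE_PATH: Core/Core.csproj
           NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}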

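--- a/testfiles/pinactions/output/pinusingmap.yml
+++ b/testfiles/pinactions/output/pinusingmap.yml
@@ -23,6 +23,12 @@ jobs:
 
       - name: Close Issue
         uses: peter-check/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53tom # v1.2.3
+        with:
+          issue-number: 1
+          comment: Auto-closing issue
+
+      - name: test case
+        uses: evans/shield-test/@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53cat # v1.2.5
         with:
           issue-number: 1
           comment: Auto-closing issue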
