updating pinnig logic to use immutable version instead of hash

Author: sailikhith-stepsecurity

remediation/workflow/pin/action_image_manifest.go

@@ -6,14 +6,16 @@ import (
 	"regexp"
 	"strings"
 
+	"net/http"
+
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 	"github.com/sirupsen/logrus"
 )
 
 var (
 	githubImmutableActionArtifactType = "application/vnd.github.actions.package.v1+json"
-	tagRegex                          = regexp.MustCompile(`v[0-9]+\.[0-9]+\.[0-9]+$`)
+	semanticTagRegex                  = regexp.MustCompile(`v[0-9]+\.[0-9]+\.[0-9]+$`)
 )
 
 type ociManifest struct {
@@ -71,7 +73,7 @@ func getOCIImageArtifactTypeForGhAction(action string) (string, error) {
 	// use regexp to match tag version format and replace v in prefix
 	// as immutable actions image tag is in format 1.x.x (without v prefix)
 	// REF - https://github.com/actions/publish-immutable-action/issues/216#issuecomment-2549914784
-	if tagRegex.MatchString(parts[1]) {
+	if semanticTagRegex.MatchString(parts[1]) {
 		// v1.x.x -> 1.x.x
 		parts[1] = strings.TrimPrefix(parts[1], "v")
 	}
@@ -101,7 +103,7 @@ func getOCIManifestForImage(imageRef string) (string, error) {
 	}
 
 	// Get the image manifest
-	desc, err := remote.Get(ref)
+	desc, err := remote.Get(ref, remote.WithTransport(http.DefaultTransport))
 	if err != nil {
 		return "", fmt.Errorf("error getting manifest: %v", err)
 	}

remediation/workflow/pin/action_image_manifest_test.go

@@ -1,26 +1,45 @@
 package pin
 
 import (
+	"crypto/tls"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
-	"net/url"
+	"path/filepath"
 	"strings"
 	"testing"
 )
 
-var (
-	testFilesDir = "../../../testfiles/pinactions/immutableActionResponses/"
-)
+type customTransport struct {
+	base    http.RoundTripper
+	baseURL string
+}
+
+func (t *customTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if strings.Contains(req.URL.Host, "ghcr.io") {
+		req2 := req.Clone(req.Context())
+		req2.URL.Scheme = "https"
+		req2.URL.Host = strings.TrimPrefix(t.baseURL, "https://")
+		return t.base.RoundTrip(req2)
+	}
+	return t.base.RoundTrip(req)
+}
 
-func createTestServer(t *testing.T) *httptest.Server {
-	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+func createGhesTestServer(t *testing.T) *httptest.Server {
+	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 
 		w.Header().Set("Content-Type", "application/json")
 
+		if !strings.Contains(r.Host, "ghcr.io") {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
 		// Mock manifest endpoints
 		switch r.URL.Path {
 
+		case "/v2/": // simulate ping request
+			w.WriteHeader(http.StatusOK)
+
 		case "/token":
 			// for immutable actions, since image will be present in registry...it returns 200 OK with token
 			// otherwise it returns 403 Forbidden
@@ -29,6 +48,7 @@ func createTestServer(t *testing.T) *httptest.Server {
 			case "repository:actions/checkout:pull":
 				fallthrough
 			case "repository:step-security/wait-for-secrets:pull":
+
 				w.WriteHeader(http.StatusOK)
 				w.Write([]byte(`{"token": "test-token", "access_token": "test-token"}`))
 			default:
@@ -38,6 +58,8 @@ func createTestServer(t *testing.T) *httptest.Server {
 
 		case "/v2/actions/checkout/manifests/4.2.2":
 			fallthrough
+		case "/v2/actions/checkout/manifests/1.2.0":
+			fallthrough
 		case "/v2/step-security/wait-for-secrets/manifests/1.2.0":
 			w.Write(readHttpResponseForAction(t, r.URL.Path))
 		case "/v2/actions/checkout/manifests/1.2.3": // since this version doesn't exist
@@ -51,23 +73,29 @@ func createTestServer(t *testing.T) *httptest.Server {
 
 func Test_isImmutableAction(t *testing.T) {
 	// Create test server that mocks GitHub Container Registry
-	server := createTestServer(t)
+	server := createGhesTestServer(t)
 	defer server.Close()
 
 	// Create a custom client that redirects ghcr.io to our test server
 	originalClient := http.DefaultClient
 	http.DefaultClient = &http.Client{
-		Transport: &http.Transport{
-			Proxy: func(req *http.Request) (*url.URL, error) {
-				if strings.Contains(req.URL.Host, "ghcr.io") {
-					return url.Parse(server.URL)
-				}
-				return nil, nil
+		Transport: &customTransport{
+			base: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: true,
+				},
 			},
+			baseURL: server.URL,
 		},
 	}
+
+	// update default transport
+	OriginalTransport := http.DefaultTransport
+	http.DefaultTransport = http.DefaultClient.Transport
+
 	defer func() {
 		http.DefaultClient = originalClient
+		http.DefaultTransport = OriginalTransport
 	}()
 
 	tests := []struct {
@@ -120,14 +148,15 @@ func Test_isImmutableAction(t *testing.T) {
 
 func readHttpResponseForAction(t *testing.T, actionPath string) []byte {
 	// remove v2 prefix from action path
-	actionPath = strings.TrimPrefix(actionPath, "v2/")
+	actionPath = strings.TrimPrefix(actionPath, "/v2/")
 
-	fileName := strings.ReplaceAll(actionPath, "/", "-")
-	respFilePath := testFilesDir + fileName
+	fileName := strings.ReplaceAll(actionPath, "/", "-") + ".json"
+	testFilesDir := "../../../testfiles/pinactions/immutableActionResponses/"
+	respFilePath := filepath.Join(testFilesDir, fileName)
 
 	resp, err := ioutil.ReadFile(respFilePath)
 	if err != nil {
-		t.Fatalf("error reading test file")
+		t.Fatalf("error reading test file:%v", err)
 	}
 
 	return resp

remediation/workflow/pin/pinactions.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 
 	"github.com/google/go-github/v40/github"
@@ -74,8 +75,32 @@ func PinAction(action, inputYaml string) (string, bool) {
 	}
 
 	pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
+
+	// if the action with version is immutable, then pin the action with version instead of sha
+	pinnedActionWithVersion := fmt.Sprintf("%s@%s", leftOfAt[0], tagOrBranch)
+	if semanticTagRegex.MatchString(tagOrBranch) && IsImmutableAction(pinnedActionWithVersion) {
+		pinnedAction = pinnedActionWithVersion
+	}
+
 	updated = !strings.EqualFold(action, pinnedAction)
-	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
+
+	// strings.ReplaceAll is not suitable here because it would incorrectly replace substrings
+	// For example, if we want to replace "actions/checkout@v1" to "actions/[email protected]", it would also incorrectly match and replace in "actions/[email protected]"
+	// making new string to "actions/[email protected]"
+	//
+	// Instead, we use a regex pattern that ensures we only replace complete action references:
+	// Pattern: (<action>@<version>)($|\s|"|')
+	// - Group 1 (<action>@<version>): Captures the exact action reference
+	// - Group 2 ($|\s|"|'): Captures the delimiter that follows (end of line, whitespace, or quotes)
+	//
+	// Examples:
+	// - "actions/[email protected]" - No match (no delimiter after v1)
+	// - "actions/checkout@v1 "    - Matches (space delimiter)
+	// - "actions/checkout@v1""    - Matches (quote delimiter)
+	// - "actions/checkout@v1"     - Matches (quote delimiter)
+	// - "actions/checkout@v1\n"   - Matches (newline is considered whitespace \s)
+	actionRegex := regexp.MustCompile(`(` + regexp.QuoteMeta(action) + `)($|\s|"|')`)
+	inputYaml = actionRegex.ReplaceAllString(inputYaml, pinnedAction+"$2")
 	yamlWithPreviousActionCommentsRemoved, wasModified := removePreviousActionComments(pinnedAction, inputYaml)
 	if wasModified {
 		return yamlWithPreviousActionCommentsRemoved, updated

remediation/workflow/pin/pinactions_test.go

@@ -3,7 +3,9 @@ package pin
 import (
 	"io/ioutil"
 	"log"
+	"net/http"
 	"path"
+	"strings"
 	"testing"
 
 	"github.com/jarcoal/httpmock"
@@ -171,6 +173,78 @@ func TestPinActions(t *testing.T) {
 				  }
 			]`))
 
+	// mock ping response
+	httpmock.RegisterResponder("GET", "https://ghcr.io/v2/",
+		httpmock.NewStringResponder(200, ``))
+
+	// Mock token endpoints
+	httpmock.RegisterResponder("GET", "https://ghcr.io/token",
+		func(req *http.Request) (*http.Response, error) {
+			scope := req.URL.Query().Get("scope")
+			switch scope {
+			// Following are the ones which simulate the image existance in ghcr
+			case "repository:actions/checkout:pull",
+				"repository:step-security/wait-for-secrets:pull",
+				"repository:actions/setup-node:pull",
+				"repository:peter-evans/close-issue:pull",
+				"repository:borales/actions-yarn:pull",
+				"repository:JS-DevTools/npm-publish:pull",
+				"repository:elgohr/Publish-Docker-Github-Action:pull",
+				"repository:brandedoutcast/publish-nuget:pull",
+				"repository:rohith/publish-nuget:pull":
+				return httpmock.NewJsonResponse(http.StatusOK, map[string]string{
+					"token":        "test-token",
+					"access_token": "test-token",
+				})
+			default:
+				return httpmock.NewJsonResponse(http.StatusForbidden, map[string]interface{}{
+					"errors": []map[string]string{
+						{
+							"code":    "DENIED",
+							"message": "requested access to the resource is denied",
+						},
+					},
+				})
+			}
+		})
+
+	// Mock manifest endpoints for specific versions and commit hashes
+	manifestResponders := []string{
+		// the following list will contain the list of actions with versions
+		// which are mocked to be immutable
+		"actions/[email protected]",
+	}
+
+	for _, action := range manifestResponders {
+		actionPath := strings.Split(action, "@")[0]
+		version := strings.TrimPrefix(strings.Split(action, "@")[1], "v")
+		// Mock manifest response so that we can treat action as immutable
+		httpmock.RegisterResponder("GET", "https://ghcr.io/v2/"+actionPath+"/manifests/"+version,
+			func(req *http.Request) (*http.Response, error) {
+				return httpmock.NewJsonResponse(http.StatusOK, map[string]interface{}{
+					"schemaVersion": 2,
+					"mediaType":     "application/vnd.github.actions.package.v1+json",
+					"artifactType":  "application/vnd.github.actions.package.v1+json",
+					"config": map[string]interface{}{
+						"mediaType": "application/vnd.github.actions.package.v1+json",
+					},
+				})
+			})
+	}
+
+	// Default manifest response for non-existent tags
+	httpmock.RegisterResponder("GET", `=~^https://ghcr\.io/v2/.*/manifests/.*`,
+		func(req *http.Request) (*http.Response, error) {
+			return httpmock.NewJsonResponse(http.StatusNotFound, map[string]interface{}{
+				"errors": []map[string]string{
+					{
+						"code":    "MANIFEST_UNKNOWN",
+						"message": "manifest unknown",
+					},
+				},
+			})
+		})
+
 	tests := []struct {
 		fileName    string
 		wantUpdated bool
@@ -184,6 +258,7 @@ func TestPinActions(t *testing.T) {
 		{fileName: "multipleactions.yml", wantUpdated: true},
 		{fileName: "actionwithcomment.yml", wantUpdated: true},
 		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true},
+		{fileName: "immutableaction-1.yml", wantUpdated: true},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))

testfiles/pinactions/immutableActionResponses/ghcr.io_actions_checkout:4.2.2.json renamed to testfiles/pinactions/immutableActionResponses/actions-checkout-manifests-4.2.2.json

@@ -0,0 +1,11 @@
+name: Integration Test Github
+on: [push]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - uses: borales/[email protected]
+      with:
+        auth-token: ${{ secrets.GITHUB_TOKEN }}
+        registry-url: npm.pkg.github.com

testfiles/pinactions/immutableActionResponses/ghcr.io_step-security_wait-for-secrets:1.2.0.json renamed to testfiles/pinactions/immutableActionResponses/step-security-wait-for-secrets-manifests-1.2.0.json

@@ -16,7 +16,7 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
+      - uses: actions/[email protected]
       - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
         with:
           node-version: 10

testfiles/pinactions/input/immutableaction-1.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
+      uses: actions/[email protected]
     - name: Integration test
       uses: docker://ghcr.io/step-security/integration-test/int:latest
       env:

testfiles/pinactions/output/actionwithcomment.yml

@@ -0,0 +1,11 @@
+name: Integration Test Github
+on: [push]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - uses: borales/actions-yarn@4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9 # v2.3.0
+      with:
+        auth-token: ${{ secrets.GITHUB_TOKEN }}
+        registry-url: npm.pkg.github.com