update pattern matching & add test cases

Author: shubham-stepsecurity

remediation/workflow/pin/pinactions.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -16,11 +17,6 @@ import (
 func PinActions(inputYaml string, exemptedActions []string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
-	exemptedActionsMap := make(map[string]bool)
-	for _, exemptedAction := range exemptedActions {
-		exemptedAction = strings.TrimRight(exemptedAction, "/")
-		exemptedActionsMap[exemptedAction] = true
-	}
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
 	if err != nil {
 		return inputYaml, updated, fmt.Errorf("unable to parse yaml %v", err)
@@ -33,7 +29,7 @@ func PinActions(inputYaml string, exemptedActions []string) (string, bool, error
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated = PinAction(step.Uses, out, exemptedActionsMap)
+				out, localUpdated = PinAction(step.Uses, out, exemptedActions)
 				updated = updated || localUpdated
 			}
 		}
@@ -42,7 +38,7 @@ func PinActions(inputYaml string, exemptedActions []string) (string, bool, error
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string, exemptedActionsMap map[string]bool) (string, bool) {
+func PinAction(action, inputYaml string, exemptedActions []string) (string, bool) {
 
 	updated := false
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
@@ -56,7 +52,7 @@ func PinAction(action, inputYaml string, exemptedActionsMap map[string]bool) (st
 	tagOrBranch := leftOfAt[1]
 
 	// skip pinning for exempted actions
-	if exemptedActionsMap[leftOfAt[0]] {
+	if actionExists(leftOfAt[0], exemptedActions) {
 		return inputYaml, updated
 	}
 
@@ -198,3 +194,20 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 	}
 	return tagOrBranch, nil
 }
+
+// Function to check if an action matches any pattern in the list
+func actionExists(actionName string, patterns []string) bool {
+	for _, pattern := range patterns {
+		// Use filepath.Match to match the pattern
+		matched, err := filepath.Match(pattern, actionName)
+		if err != nil {
+			// Handle invalid patterns
+			fmt.Printf("Error matching pattern: %v\n", err)
+			continue
+		}
+		if matched {
+			return true
+		}
+	}
+	return false
+}

remediation/workflow/pin/pinactions_test.go

@@ -263,8 +263,9 @@ func TestPinActions(t *testing.T) {
 		})
 
 	tests := []struct {
-		fileName    string
-		wantUpdated bool
+		fileName        string
+		wantUpdated     bool
+		exemptedActions []string
 	}{
 		{fileName: "alreadypinned.yml", wantUpdated: false},
 		{fileName: "branch.yml", wantUpdated: true},
@@ -276,6 +277,7 @@ func TestPinActions(t *testing.T) {
 		{fileName: "actionwithcomment.yml", wantUpdated: true},
 		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true},
 		{fileName: "immutableaction-1.yml", wantUpdated: true},
+		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}},
 	}
 	for _, tt := range tests {
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))
@@ -284,7 +286,7 @@ func TestPinActions(t *testing.T) {
 			log.Fatal(err)
 		}
 
-		output, gotUpdated, err := PinActions(string(input), nil)
+		output, gotUpdated, err := PinActions(string(input), tt.exemptedActions)
 		if tt.wantUpdated != gotUpdated {
 			t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)
 		}

testfiles/pinactions/input/exemptaction.yml

@@ -0,0 +1,44 @@
+name: publish to nuget
+on:
+  push:
+    branches:
+      - master # Default release branch
+jobs:
+  publish:
+    name: build, pack & publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+
+      # - name: Setup dotnet
+      #   uses: actions/setup-dotnet@v1
+      #   with:
+      #     dotnet-version: 3.1.200
+
+      # Publish
+      - name: publish on version change
+        id: publish_nuget
+        uses: brandedoutcast/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+  publish1:
+    name: build, pack & publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+
+      # - name: Setup dotnet
+      #   uses: actions/setup-dotnet@v1
+      #   with:
+      #     dotnet-version: 3.1.200
+
+      # Publish
+      - name: publish on version change
+        id: publish_nuget
+        uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json

testfiles/pinactions/output/exemptaction.yml

@@ -0,0 +1,44 @@
+name: publish to nuget
+on:
+  push:
+    branches:
+      - master # Default release branch
+jobs:
+  publish:
+    name: build, pack & publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+
+      # - name: Setup dotnet
+      #   uses: actions/setup-dotnet@v1
+      #   with:
+      #     dotnet-version: 3.1.200
+
+      # Publish
+      - name: publish on version change
+        id: publish_nuget
+        uses: brandedoutcast/publish-nuget@c12b8546b67672ee38ac87bea491ac94a587f7cc # v2.5.5
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+  publish1:
+    name: build, pack & publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+
+      # - name: Setup dotnet
+      #   uses: actions/setup-dotnet@v1
+      #   with:
+      #     dotnet-version: 3.1.200
+
+      # Publish
+      - name: publish on version change
+        id: publish_nuget
+        uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json