Merge pull request ossf#2 from joycebrum/test/initial-tests-for-dw-fix

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>

probes/hasDangerousWorkflowScriptInjection/impl.go

@@ -63,8 +63,8 @@ func Run(raw *checker.RawResults) ([]finding.Finding, string, error) {
 				LineStart: &e.File.Offset,
 				Snippet:   &e.File.Snippet,
 			})
-			patch := patch.GeneratePatch(e.File)
-			f.WithPatch(&patch)
+			findingPatch := patch.GeneratePatch(e.File)
+			f.WithPatch(&findingPatch)
 			findings = append(findings, *f)
 		}
 	}

probes/hasDangerousWorkflowScriptInjection/patch/impl.go

@@ -18,6 +18,7 @@ import (
 	"strings"
 
 	"github.com/google/go-cmp/cmp"
+
 	"github.com/ossf/scorecard/v4/checker"
 )
 
@@ -26,17 +27,20 @@ func parseDiff(diff string) string {
 	if i == -1 {
 		return diff
 	}
-	//remove everything before """\n
+	// remove everything before """\n
 	diff = diff[i+4:]
 	i = strings.LastIndex(diff, "\"\"\"")
 	if i == -1 {
 		return diff
 	}
-	//remove everything after \n  \t"""
+	// remove everything after \n  \t"""
 	return diff[:i]
 }
 
-// TODO: Receive the dangerous workflow as parameter
+// Placeholder function that should receive the file of a workflow and
+// return the end result of the Script Injection patch
+//
+// TODO: Receive the dangerous workflow as parameter.
 func GeneratePatch(f checker.File) string {
 	// TODO: Implement
 	// example:

probes/hasDangerousWorkflowScriptInjection/patch/impl_test.go

@@ -13,3 +13,139 @@
 // limitations under the License.
 
 package patch
+
+import (
+	"os"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	"github.com/ossf/scorecard/v4/checker"
+)
+
+func Test_GeneratePatch(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		name             string
+		inputFilepath    string
+		expectedFilepath string
+		// err      error
+	}{
+		// Extracted from real Angular fix: https://github.com/angular/angular/pull/51026/files
+		{
+			name:             "Real Example 1",
+			inputFilepath:    "realExample1.yaml",
+			expectedFilepath: "realExample1_fixed.yaml",
+		},
+		// Inspired on a real fix: https://github.com/googleapis/google-cloud-go/pull/9011/files
+		{
+			name:             "Real Example 2",
+			inputFilepath:    "realExample2.yaml",
+			expectedFilepath: "realExample2_fixed.yaml",
+		},
+		// Inspired from a real lit/lit fix: https://github.com/lit/lit/pull/3669/files
+		{
+			name:             "Real Example 3",
+			inputFilepath:    "realExample3.yaml",
+			expectedFilepath: "realExample3_fixed.yaml",
+		},
+		{
+			name:             "Test all (or most) types of user input that should be detected",
+			inputFilepath:    "allKindsOfUserInput.yaml",
+			expectedFilepath: "allKindsOfUserInput_fixed.yaml",
+		},
+		{
+			name:             "User's input is assigned to a variable before used",
+			inputFilepath:    "userInputAssignedToVariable.yaml",
+			expectedFilepath: "userInputAssignedToVariable_fixed.yaml",
+		},
+		{
+			name:             "Two incidences in different jobs",
+			inputFilepath:    "twoInjectionsDifferentJobs.yaml",
+			expectedFilepath: "twoInjectionsDifferentJobs_fixed.yaml",
+		},
+		{
+			name:             "Two incidences in same job",
+			inputFilepath:    "twoInjectionsSameJob.yaml",
+			expectedFilepath: "twoInjectionsSameJob_fixed.yaml",
+		},
+		{
+			name:             "Two incidences in same step",
+			inputFilepath:    "twoInjectionsSameStep.yaml",
+			expectedFilepath: "twoInjectionsSameStep_fixed.yaml",
+		},
+		{
+			name:             "Reuse existent workflow level env var, if has the same name we'd give",
+			inputFilepath:    "reuseWorkflowLevelEnvVars.yaml",
+			expectedFilepath: "reuseWorkflowLevelEnvVars_fixed.yaml",
+		},
+		// Test currently failing because we don't look for existent env vars pointing to the same content.
+		// Once proper behavior is implemented, enable this test
+		// {
+		// 	name:             "Reuse existent workflow level env var, if it DOES NOT have the same name we'd give",
+		// 	inputFilepath:    "reuseEnvVarWithDiffName.yaml",
+		// 	expectedFilepath: "reuseEnvVarWithDiffName_fixed.yaml",
+		// },
+
+		// Test currently failing because we don't look for existent env vars on smaller scopes -- job-level or step-level.
+		// In this case, we're always creating a new workflow-level env var. Note that this could lead to creation of env vars shadowed
+		// by the ones in smaller scope.
+		// Once proper behavior is implemented, enable this test
+		// {
+		// 	name:             "Reuse env var already existent on smaller scope, it convers case of same or different names",
+		// 	inputFilepath:    "reuseEnvVarSmallerScope.yaml",
+		// 	expectedFilepath: "reuseEnvVarSmallerScope_fixed.yaml",
+		// },
+		{
+			name:             "4-spaces indentation is kept the same",
+			inputFilepath:    "fourSpacesIndentationExistentEnvVar.yaml",
+			expectedFilepath: "fourSpacesIndentationExistentEnvVar_fixed.yaml",
+		},
+		{
+			name:             "Crazy but valid indentation is kept the same",
+			inputFilepath:    "crazyButValidIndentation.yaml",
+			expectedFilepath: "crazyButValidIndentation_fixed.yaml",
+		},
+		{
+			name:             "Newline on EOF is kept",
+			inputFilepath:    "newlineOnEOF.yaml",
+			expectedFilepath: "newlineOnEOF_fixed.yaml",
+		},
+		// Test currently failing due to lack of style awareness. Currently we always add a blankline after
+		// the env block.
+		// Once proper behavior is implemented, enable this test.
+		// {
+		// 	name:             "Keep style if file doesnt use blank lines between blocks",
+		// 	inputFilepath:    "noLineBreaksBetweenBlocks.yaml",
+		// 	expectedFilepath: "noLineBreaksBetweenBlocks_fixed.yaml",
+		// },
+		{
+			name:             "Ignore if user input regex is just part of a comment",
+			inputFilepath:    "ignorePatternInsideComments.yaml",
+			expectedFilepath: "ignorePatternInsideComments.yaml",
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			inputFile := checker.File{
+				Path: tt.inputFilepath,
+			}
+
+			expectedContent, err := os.ReadFile("./testdata/" + tt.expectedFilepath)
+			if err != nil {
+				t.Errorf("Couldn't read expected testfile. Error:\n%s", err)
+			}
+
+			output := GeneratePatch(inputFile)
+			if diff := cmp.Diff(string(expectedContent[:]), output); diff != "" {
+				// Uncomment the line bellow when the script is fully implemented and the tests are adapted to
+				// the official input/output
+
+				// t.Errorf("mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

probes/hasDangerousWorkflowScriptInjection/patch/testdata/allKindsOfUserInput.yaml

@@ -0,0 +1,42 @@
+# Copyright 2024 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+on:
+  issue:
+
+jobs:
+  pretty-generic-job:
+    steps:
+      - name: everything everywhere in on job
+        run: |
+          echo "${{ github.event.comment.body }}"
+          echo "${{ github.event.commit_comment.comment.body }}"
+          echo "${{ github.event.commits[0].message }}"
+          echo "${{ github.event.commits[0].author.email }}"
+          echo "${{ github.event.commits[0].author.name }}"
+          echo "${{ github.event.discussion.body }}"
+          echo "${{ github.event.discussion.title }}"
+          echo "${{ github.event.head_commit.message }}"
+          echo "${{ github.event.head_commit.author.email }}"
+          echo "${{ github.event.head_commit.author.name }}"
+          echo "${{ github.event.issue.title }}"
+          echo "${{ github.event.issue.body }}"
+          echo "${{ github.event.issue_comment.comment.body }}"
+          echo "${{ github.event.pages[0].page_name }}"
+          echo "${{ github.event.pull_request.body }}"
+          echo "${{ github.event.pull_request.title }}"
+          echo "${{ github.event.pull_request.head.ref }}"
+          echo "${{ github.event.pull_request.head.label }}"
+          echo "${{ github.event.pull_request.head.repo.default_branch }}"
+          echo "${{ github.event.review.body }}"
+          echo "${{ github.head_ref }}"

probes/hasDangerousWorkflowScriptInjection/patch/testdata/allKindsOfUserInput_fixed.yaml

@@ -0,0 +1,67 @@
+# Copyright 2021 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+on:
+  issue:
+
+env:
+  COMMENT_BODY: "${{ github.event.comment.body }}"
+  COMMIT_COMMENT: "${{ github.event.commit_comment.comment.body }}"
+  COMMIT_MESSAGE: "${{ github.event.commits[0].message }}"
+  COMMIT_AUTHOR_EMAIL: "${{ github.event.commits[0].author.email }}"
+  COMMIT_AUTHOR_NAME: "${{ github.event.commits[0].author.name }}"
+  DISCUSSION_BODY: ${{ github.event.discussion.body }}
+  DISCUSSION_TITLE: ${{ github.event.discussion.title }}
+  FORK_FORKEE_NAME: ${{ github.event.fork.forkee.name }}
+  HEAD_COMMIT_MESSAGE: "${{ github.event.head_commit.message }}"
+  HEAD_COMMIT_AUTHOR_EMAIL: "${{ github.event.head_commit.author.email }}"
+  HEAD_COMMIT_AUTHOR_NAME: "${{ github.event.head_commit.author.name }}"
+  ISSUE_TITLE: "${{ github.event.issue.title }}"
+  ISSUE_BODY: "${{ github.event.issue.body }}"
+  ISSUE_COMMENT_COMMENT: "${{ github.event.issue_comment.comment.body }}"
+  PAGE_NAME: "${{ github.event.pages[0].page_name }}"
+  PR_BODY: "${{ github.event.pull_request.body }}"
+  PR_TITLE: "${{ github.event.pull_request.title }}"
+  PR_HEAD_REF: "${{ github.event.pull_request.head.ref }}"
+  PR_HEAD_LABEL: "${{ github.event.pull_request.head.label }}"
+  REPO_PR_DEFAULT_BRANCH: "${{ github.event.pull_request.head.repo.default_branch }}"
+  REVIEW_BODY: "${{ github.event.review.body }}"
+  HEAD_REF: "${{ github.head_ref }}"
+
+jobs:
+  pretty-generic-job:
+    steps:
+      - name: everything everywhere in on job
+        run: |
+          echo "$COMMENT_BODY"
+          echo "$COMMIT_COMMENT"
+          echo "$COMMIT_MESSAGE"
+          echo "$COMMIT_AUTHOR_EMAIL"
+          echo "$COMMIT_AUTHOR_NAME"
+          echo "$DISCUSSION_BODY"
+          echo "$DISCUSSION_TITLE"
+          echo "$FORK_FORKEE_NAME"
+          echo "$HEAD_COMMIT_MESSAGE"
+          echo "$HEAD_COMMIT_AUTHOR_EMAIL"
+          echo "$HEAD_COMMIT_AUTHOR_NAME"
+          echo "$ISSUE_TITLE"
+          echo "$ISSUE_BODY"
+          echo "$ISSUE_COMMENT_COMMENT"
+          echo "$PAGE_NAME"
+          echo "$PR_BODY"
+          echo "$PR_TITLE"
+          echo "$PR_HEAD_REF"
+          echo "$PR_HEAD_LABEL"
+          echo "$REPO_PR_DEFAULT_BRANCH"
+          echo "$REVIEW_BODY"
+          echo "$HEAD_REF"

probes/hasDangerousWorkflowScriptInjection/patch/testdata/crazyButValidIndentation.yaml

@@ -0,0 +1,36 @@
+# Copyright 2024 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+  on: [pull_request]
+
+  jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v2
+              with:
+                ref: ${{ github.event.pull_request.head.sha }}
+
+  # I make no sense
+
+                        # not really
+
+
+                        #       some extra tabs here to check if they're kept
+
+            - name: Check title
+              run: |
+                          if [[ ! "${{ github.event.issue.title }}" =~ ^.*:\ .*$ ]]; then
+                            echo "Bad issue title"
+                            exit 1
+                          fi

probes/hasDangerousWorkflowScriptInjection/patch/testdata/crazyButValidIndentation_fixed.yaml

@@ -0,0 +1,39 @@
+# Copyright 2024 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+  on: [pull_request]
+
+  env:
+    ISSUE_TITLE: ${{ github.event.issue.title }}
+
+  jobs:
+        build:
+          runs-on: ubuntu-latest
+          steps:
+            - uses: actions/checkout@v2
+              with:
+                ref: ${{ github.event.pull_request.head.sha }}
+
+  # I make no sense
+
+                        # not really
+
+
+                        #       some extra tabs here to check if they're kept
+
+            - name: Check title
+              run: |
+                          if [[ ! "$ISSUE_TITLE" =~ ^.*:\ .*$ ]]; then
+                            echo "Bad issue title"
+                            exit 1
+                          fi