Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

🐛 More nilptr issues #1296

Merged
merged 1 commit into from
Nov 18, 2021
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 26 additions & 2 deletions checks/pinned_dependencies.go
Original file line number Diff line number Diff line change
Expand Up @@ -454,6 +454,7 @@ func testValidateGitHubWorkflowScriptFreeOfInsecureDownloads(pathfn string,

// validateGitHubWorkflowIsFreeOfInsecureDownloads checks if the workflow file downloads dependencies that are unpinned.
// Returns true if the check should continue executing after this file.
// nolint: gocognit
func validateGitHubWorkflowIsFreeOfInsecureDownloads(pathfn string, content []byte,
dl checker.DetailLogger, data fileparser.FileCbData) (bool, error) {
if !fileparser.IsWorkflowFile(pathfn) {
Expand All @@ -477,14 +478,31 @@ func validateGitHubWorkflowIsFreeOfInsecureDownloads(pathfn string, content []by
githubVarRegex := regexp.MustCompile(`{{[^{}]*}}`)
validated := true
scriptContent := ""
for _, job := range workflow.Jobs {
for jobName, job := range workflow.Jobs {
jobName := jobName
job := job
if len(fileparser.GetJobName(job)) > 0 {
jobName = fileparser.GetJobName(job)
}
for _, step := range job.Steps {
step := step
if !fileparser.IsStepExecKind(step, actionlint.ExecKindRun) {
continue
}

execRun, ok := step.Exec.(*actionlint.ExecRun)
if !ok {
stepName := fileparser.GetStepName(step)
return false, sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("unable to parse step '%v' for job '%v'", jobName, stepName))
}

if execRun == nil || execRun.Run == nil {
// Cannot check further, continue.
continue
}

run := execRun.Run.Value
// https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsrun.
shell, err := fileparser.GetShellForStep(step, job)
if err != nil {
Expand All @@ -495,7 +513,6 @@ func validateGitHubWorkflowIsFreeOfInsecureDownloads(pathfn string, content []by
continue
}

run := step.Exec.(*actionlint.ExecRun).Run.Value
// We replace the `${{ github.variable }}` to avoid shell parsing failures.
script := githubVarRegex.ReplaceAll([]byte(run), []byte("GITHUB_REDACTED_VAR"))
scriptContent = fmt.Sprintf("%v\n%v", scriptContent, string(script))
Expand Down Expand Up @@ -561,6 +578,8 @@ func validateGitHubActionWorkflow(pathfn string, content []byte,

hashRegex := regexp.MustCompile(`^.*@[a-f\d]{40,}`)
for jobName, job := range workflow.Jobs {
jobName := jobName
job := job
if len(fileparser.GetJobName(job)) > 0 {
jobName = fileparser.GetJobName(job)
}
Expand All @@ -574,6 +593,11 @@ func validateGitHubActionWorkflow(pathfn string, content []byte,
return false, sce.WithMessage(sce.ErrScorecardInternal,
fmt.Sprintf("unable to parse step '%v' for job '%v'", jobName, stepName))
}

if execAction == nil || execAction.Uses == nil {
// Cannot check further, continue.
continue
}
// Ensure a hash at least as large as SHA1 is used (40 hex characters).
// Example: action-name@hash
match := hashRegex.Match([]byte(execAction.Uses.Value))
Expand Down