Merge pull request #2551 from vamshi-stepsecurity/bug/wild-card-for-action

update wildcard function

Author: varunsh-coder

remediation/workflow/pin/pinactions.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -261,8 +260,15 @@ func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitS
 // Function to check if an action matches any pattern in the list
 func ActionExists(actionName string, patterns []string) bool {
 	for _, pattern := range patterns {
-		// Use filepath.Match to match the pattern
-		matched, err := filepath.Match(pattern, actionName)
+		// Convert glob pattern to regex for path matching
+		// Replace * with [^/]* to match within a path segment
+		// Replace **/ with .* to match across path segments
+		regexPattern := strings.ReplaceAll(pattern, "**", "§§")
+		regexPattern = strings.ReplaceAll(regexPattern, "*", "[^/]*")
+		regexPattern = strings.ReplaceAll(regexPattern, "§§", ".*")
+		regexPattern = "^" + regexPattern + "($|/)"
+
+		matched, err := regexp.MatchString(regexPattern, actionName)
 		if err != nil {
 			// Handle invalid patterns
 			fmt.Printf("Error matching pattern: %v\n", err)

remediation/workflow/pin/pinactions_test.go

@@ -308,7 +308,7 @@ func TestPinActions(t *testing.T) {
 		{fileName: "actionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "repeatedactionwithcomment.yml", wantUpdated: true, pinToImmutable: true},
 		{fileName: "immutableaction-1.yml", wantUpdated: true, pinToImmutable: true},
-		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},
+		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*", "praveen/*", "aman-*/*", "*/seperate*"}, pinToImmutable: true},
 		{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
 		{fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
 		{fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true},
@@ -374,3 +374,36 @@ func Test_isAbsolute(t *testing.T) {
 		})
 	}
 }
+
+func TestActionExists(t *testing.T) {
+	result := ActionExists("actions/checkout", []string{"actions/checkout"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned false for actions/checkout")
+	}
+
+	result = ActionExists("actions/checkout", []string{"actions/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned false for actions/checkout")
+	}
+
+	result = ActionExists("actions/checkout/something", []string{"actions/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+
+	result = ActionExists("step-security/checkout/something", []string{"step-*/*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+
+	result = ActionExists("step-security/checkout-release/something", []string{"*/checkout-*"})
+	t.Log(result)
+	if !result {
+		t.Errorf("ActionExists returned true for actions/checkout/something")
+	}
+
+}

testfiles/pinactions/input/exemptaction.yml

@@ -38,6 +38,30 @@ jobs:
       - name: publish on version change
         id: publish_nuget
         uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: praveen/publish-nuget/to-version@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 3
+        id: publish_nuget
+        uses: aman-action/move/to-main@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: smith/seperate/from-version@v2
         with:
           PROJECT_FILE_PATH: Core/Core.csproj
           NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}

testfiles/pinactions/output/exemptaction.yml

@@ -38,6 +38,30 @@ jobs:
       - name: publish on version change
         id: publish_nuget
         uses: rohith/publish-nuget@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: praveen/publish-nuget/to-version@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 3
+        id: publish_nuget
+        uses: aman-action/move/to-main@v2
+        with:
+          PROJECT_FILE_PATH: Core/Core.csproj
+          NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}
+          NUGET_SOURCE: https://nuget.pkg.github.com/OWNER/index.json
+
+      - name: publish on version change 2
+        id: publish_nuget
+        uses: smith/seperate/from-version@v2
         with:
           PROJECT_FILE_PATH: Core/Core.csproj
           NUGET_KEY: ${{ secrets.GITHUB_TOKEN }}