|
| 1 | +//go:build checkout_unsafe_shas |
| 2 | +// +build checkout_unsafe_shas |
| 3 | + |
| 4 | +package opa |
| 5 | + |
| 6 | +// Regenerates opa/rego/external/checkout_unsafe.rego — the frozen set of actions/checkout |
| 7 | +// commit SHAs that LACK the safe-default fix (GitHub's allow-unsafe-pr-checkout change). |
| 8 | +// |
| 9 | +// Run with: |
| 10 | +// |
| 11 | +// make update-checkout-shas |
| 12 | +// # or: go test -tags checkout_unsafe_shas -run TestPopulateCheckoutUnsafeShas -timeout 10m ./opa |
| 13 | +// |
| 14 | +// A SHA is SAFE iff it is (or descends from) a release-line fix commit. Today only the v7 |
| 15 | +// line is fixed (v7.0.0 = 9c091bb…); the v4/v5/v6 backports land on/after 2026-07-16 — add |
| 16 | +// their fix-commit SHAs to fixCommits below and re-run once they are published. Because this |
| 17 | +// is a default-ALLOW (bad) set, it is only complete/sound once every supported line is fixed: |
| 18 | +// freeze it AFTER the backports so no vulnerable commit is created after the freeze. |
| 19 | + |
| 20 | +import ( |
| 21 | + "crypto/sha256" |
| 22 | + "encoding/hex" |
| 23 | + "fmt" |
| 24 | + "os" |
| 25 | + "os/exec" |
| 26 | + "regexp" |
| 27 | + "sort" |
| 28 | + "strings" |
| 29 | + "testing" |
| 30 | + |
| 31 | + "github.com/stretchr/testify/assert" |
| 32 | + "github.com/stretchr/testify/require" |
| 33 | +) |
| 34 | + |
| 35 | +const ( |
| 36 | + checkoutRepo = "https://github.com/actions/checkout.git" |
| 37 | + checkoutRegoFile = "rego/external/checkout_unsafe.rego" |
| 38 | + v7FixSHA = "9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0" // actions/checkout v7.0.0 |
| 39 | + expectMinUniverse = 200 |
| 40 | + expectMaxUniverse = 600 |
| 41 | +) |
| 42 | + |
| 43 | +// fixCommits are the release-line fix commits. Any commit that is one of these or descends |
| 44 | +// from one is SAFE (enforces the safe default). Add the v4/v5/v6 backport SHAs here once |
| 45 | +// GitHub publishes them (on/after 2026-07-16). |
| 46 | +var fixCommits = []string{ |
| 47 | + v7FixSHA, |
| 48 | + // "<v4 backport fix SHA>", |
| 49 | + // "<v5 backport fix SHA>", |
| 50 | + // "<v6 backport fix SHA>", |
| 51 | +} |
| 52 | + |
| 53 | +func git(t *testing.T, dir string, args ...string) string { |
| 54 | + t.Helper() |
| 55 | + cmd := exec.Command("git", args...) |
| 56 | + cmd.Dir = dir |
| 57 | + out, err := cmd.Output() |
| 58 | + require.NoError(t, err, "git %s", strings.Join(args, " ")) |
| 59 | + return strings.TrimSpace(string(out)) |
| 60 | +} |
| 61 | + |
| 62 | +func gitOK(dir string, args ...string) bool { |
| 63 | + cmd := exec.Command("git", args...) |
| 64 | + cmd.Dir = dir |
| 65 | + return cmd.Run() == nil |
| 66 | +} |
| 67 | + |
| 68 | +func TestPopulateCheckoutUnsafeShas(t *testing.T) { |
| 69 | + tmp, err := os.MkdirTemp("", "checkout-shas") |
| 70 | + require.NoError(t, err) |
| 71 | + defer os.RemoveAll(tmp) |
| 72 | + |
| 73 | + // Shallow-by-blob clone of the commit graph only (no file contents needed). |
| 74 | + git(t, tmp, "init", "-q", "repo") |
| 75 | + repo := tmp + "/repo" |
| 76 | + git(t, repo, "remote", "add", "origin", checkoutRepo) |
| 77 | + git(t, repo, "fetch", "-q", "--filter=blob:none", "origin", |
| 78 | + "refs/heads/main:refs/remotes/origin/main", |
| 79 | + "refs/heads/releases/*:refs/remotes/origin/releases/*", |
| 80 | + "refs/tags/*:refs/tags/*", |
| 81 | + ) |
| 82 | + |
| 83 | + // Sanity: v7.0.0 resolves to the documented fix commit. |
| 84 | + require.Equal(t, v7FixSHA, git(t, repo, "rev-parse", "v7.0.0^{commit}"), |
| 85 | + "v7.0.0 no longer resolves to the expected fix commit") |
| 86 | + |
| 87 | + // Universe = every commit reachable from main + release branches + all tags. |
| 88 | + listCmd := exec.Command("git", "for-each-ref", "--format=%(refname)", |
| 89 | + "refs/remotes/origin/main", "refs/remotes/origin/releases", "refs/tags") |
| 90 | + listCmd.Dir = repo |
| 91 | + refs, err := listCmd.Output() |
| 92 | + require.NoError(t, err) |
| 93 | + |
| 94 | + revCmd := exec.Command("git", "rev-list", "--stdin") |
| 95 | + revCmd.Dir = repo |
| 96 | + revCmd.Stdin = strings.NewReader(string(refs)) |
| 97 | + universeOut, err := revCmd.Output() |
| 98 | + require.NoError(t, err) |
| 99 | + universe := strings.Fields(string(universeOut)) |
| 100 | + require.GreaterOrEqual(t, len(universe), expectMinUniverse, "universe too small — partial fetch?") |
| 101 | + require.LessOrEqual(t, len(universe), expectMaxUniverse, "universe too large — unexpected refs?") |
| 102 | + |
| 103 | + // Vulnerable = not a descendant of (or equal to) any fix commit. |
| 104 | + var vulnerable []string |
| 105 | + for _, c := range universe { |
| 106 | + safe := false |
| 107 | + for _, fix := range fixCommits { |
| 108 | + if gitOK(repo, "merge-base", "--is-ancestor", fix, c) { |
| 109 | + safe = true |
| 110 | + break |
| 111 | + } |
| 112 | + } |
| 113 | + if !safe { |
| 114 | + vulnerable = append(vulnerable, strings.ToLower(c)) |
| 115 | + } |
| 116 | + } |
| 117 | + sort.Strings(vulnerable) |
| 118 | + |
| 119 | + // Anti-gap assertions: the freeze must not silently drop or over-include. |
| 120 | + vulnSet := map[string]bool{} |
| 121 | + for _, s := range vulnerable { |
| 122 | + vulnSet[s] = true |
| 123 | + } |
| 124 | + assert.False(t, vulnSet[v7FixSHA], "v7.0.0 fix commit must NOT be in the vulnerable set") |
| 125 | + for _, tag := range []string{"v1.0.0", "v2.0.0", "v3.0.0"} { |
| 126 | + sha := strings.ToLower(git(t, repo, "rev-parse", tag+"^{commit}")) |
| 127 | + assert.True(t, vulnSet[sha], "%s (%s) must be in the vulnerable set", tag, sha) |
| 128 | + } |
| 129 | + assert.Greater(t, len(vulnerable), 100, "suspiciously few vulnerable SHAs") |
| 130 | + |
| 131 | + sum := sha256.Sum256([]byte(strings.Join(vulnerable, "\n"))) |
| 132 | + t.Logf("vulnerable_shas: %d entries, universe %d, sha256 %s", |
| 133 | + len(vulnerable), len(universe), hex.EncodeToString(sum[:])) |
| 134 | + |
| 135 | + writeCheckoutUnsafeRego(t, vulnerable) |
| 136 | +} |
| 137 | + |
| 138 | +func writeCheckoutUnsafeRego(t *testing.T, vulnerable []string) { |
| 139 | + t.Helper() |
| 140 | + content, err := os.ReadFile(checkoutRegoFile) |
| 141 | + require.NoError(t, err) |
| 142 | + |
| 143 | + var b strings.Builder |
| 144 | + b.WriteString("vulnerable_shas := {\n") |
| 145 | + for _, s := range vulnerable { |
| 146 | + fmt.Fprintf(&b, "\t%q,\n", s) |
| 147 | + } |
| 148 | + b.WriteString("}") |
| 149 | + |
| 150 | + re := regexp.MustCompile(`(?s)vulnerable_shas := \{.*?\n}`) |
| 151 | + updated := re.ReplaceAllString(string(content), b.String()) |
| 152 | + require.Contains(t, updated, "vulnerable_shas := {", "replacement anchor not found") |
| 153 | + |
| 154 | + require.NoError(t, os.WriteFile(checkoutRegoFile, []byte(updated), 0644)) |
| 155 | + t.Logf("wrote %s — run `opa fmt -w %s`", checkoutRegoFile, checkoutRegoFile) |
| 156 | +} |
0 commit comments