New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test(dang-workflows-remediation): create initial tests #2
Conversation
Tests are covering the overall run of the dangerous workflow script injection fix -- inputs as the whole workflow and outputs as the fixed workflow. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move inputs and outputs to dedicated files, and only have the filepaths here. This is already done for the DangerousWorkflow check, for example:
https://github.com/joycebrum/scorecard/blob/main/checks/raw/dangerous_workflow_test.go#L110
I believe this:
- makes it easier to visually inspect the "diffs" between the files (using VSCode or
git diff
, for example) - makes it easier to visually "parse" the individual files, since we can use VSCode's syntax highlighting
- makes the test logic more legible, since
impl_test
goes from "90% examples" to "90% logic".
You can also store only the input filename, and the expected output filename is simply "fixed_{input}" or something.
I have mixed feelings about this, because I agree with the point of splitting the test logic from the examples themselves, and I like to have the examples outside the actual code, but the current version is way easier to me to read. My arguments:
That said, one purpose that I have is to just update this file to
WDYT? |
Humm this is a good point. I'd say for us to follow the "dedicated file" option to be in accordance to how scorecard is doing it now. Besides, I'd also like to see the tests running on very complex cases -- with lots of different identations and comments, multiple script injections on the same file, etc. We could even use the existing ones they use for testing script injection identification and just create the "expected" for it. |
+1 to what Joyce said. |
Ok, I'm working on it. But a question that came up: Additional tricky question: is it OK to mention that the workflow was extracted from Angular? |
I don't think we need to add licenses to the test files. There are already some test cases which don't have licenses: As for mentioning the workflow came from Angular... I think it'd be fine, but I wouldn't bother: it doesn't add any relevant information about the test; we care about the behavior expressed by the test case, not its origins. |
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Hey @joycebrum and @pnacht, I've made the changes you requested, added some additional tests, and merged the code on main into my branch. PTAL =) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additional tests required:
- Workflow already has an
env
- and a variable must be appended to the env; OR
- the env is "irrelevant", variables must be added at a different scope
- Workflow ending with a newline (all the current examples don't)
- Results when the script is run to add all environment variables at the workflow level, not at the smallest scope.
probes/hasDangerousWorkflowScriptInjection/patch/testdata/badIndentationMultipleInjections.yaml
Outdated
Show resolved
Hide resolved
probes/hasDangerousWorkflowScriptInjection/patch/testdata/twoInjectionsDifferentJobs.yaml
Outdated
Show resolved
Hide resolved
probes/hasDangerousWorkflowScriptInjection/patch/testdata/safeExample.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
df05188
to
1dd3542
Compare
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Makes the test file a valid YAML file, but also enhances it to also cover: 1. the case of having a newline at EOF 2. test if the patch will keep a tab character present in a comment Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
…ot level Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
.../hasDangerousWorkflowScriptInjection/patch/testdata/fourSpacesIndendationExistentEnvVar.yaml
Outdated
Show resolved
Hide resolved
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
We can decide to remove the commented tests later, let's keep it there by now.
Co-authored-by: Joyce <joycebrum@google.com> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
What is the goal of "ignorePatternInsideComments.yaml"? |
probes/hasDangerousWorkflowScriptInjection/patch/testdata/noLineBreaksBetweenBlocks.yaml
Outdated
Show resolved
Hide resolved
probes/hasDangerousWorkflowScriptInjection/patch/testdata/noLineBreaksBetweenBlocks_fixed.yaml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just noticed that the tests not passing could be a problem in the future PRs.
Co-authored-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
Co-authored-by: Gabriela Gutierrez <gabigutierrez@google.com> Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
We will uncomment it when the code is actually ready to be tested. Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
It just evaluates if the script isn't changing code that is part of a comment, as it wouldn't be unsafe. |
Tests are covering the overall run of the dangerous workflow script injection fix -- inputs as the whole workflow and outputs as the fixed workflow.