Fix/ci permissions (#36)

* can't test without contents write permissions * updated changelog * debugging: fuzz tests Error: open /0: invalid argument * fixed bug in dir validation * restore strict permissions * no need for atomic tests * fixing bug in dir validation
tuxerrante · Feb 19, 2024 · 01f9efb · 01f9efb
1 parent accae59
commit 01f9efb
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 36 deletions.
diff --git a/.github/workflows/build-app.yml b/.github/workflows/build-app.yml
@@ -14,15 +14,15 @@ on:
     - cron: '42 0 * * 6' # Refresh image every Sunday at 00:42
 
 env:
-  GO_VERSION: 1.22
+  GO_VERSION: 1.22
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_SHA: ${{ github.sha  }}
 
-permissions:
-  contents: read
-
+permissions:
+  contents: read
+
 jobs:
   build-app:
     runs-on: ubuntu-latest
@@ -31,11 +31,11 @@ jobs:
       packages: write
 
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Log in to the Container registry
@@ -96,11 +96,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: ['build-app']
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -128,11 +128,11 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
-        with:
-          egress-policy: audit
-
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:

diff --git a/Dockerfile b/Dockerfile
@@ -8,8 +8,8 @@ COPY go.mod .
 RUN go get    -d -v .           &&\
     go build  -v -o /go/bin/app .
 
-RUN go test -v -fuzz=Fuzz -fuzztime=30s -run ^t_fuzz* ./...
-RUN go test -v -coverprofile=coverage.out -covermode=atomic ./...
+RUN go test -v -vet off -fuzz=Fuzz -fuzztime=60s -run ^t_fuzz* ./...
+RUN go test -v -coverprofile=coverage.out -covermode=count ./...
 
 
 # --- Publish test coverage results

diff --git a/charts/kapparmor/CHANGELOG.md b/charts/kapparmor/CHANGELOG.md
@@ -21,22 +21,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Move global vars to structs passed by reference
 ---
 
-## [0.2.0 - ](https://github.com/tuxerrante/kapparmor/releases/tag/kapparmor-0.1.6)
-
+## [0.2.0 - ](https://github.com/tuxerrante/kapparmor/releases/tag/kapparmor-0.2.0)
+CI:
 - [X] Fixed Codecov plugin issues
+- [X] Refresh container image every Sunday night
 - [X] Git auto CRLF set to false `git config --global core.autocrlf false`
-- [X] [Signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits): `git config commit.gpgsign true`
+- [X] Bumped multiple actions
+- [X] Bash CI to automate go version bump from one source of truth (`config/config`)
+
+Code:
 - [X] golang:1.22 as builder containerfile image
-- [X] Refresh container image every Sunday night
 - [X] The k8s service resource is now settable from the values.yaml
-- [X] Added repository Security policy
+- [X] Introduced Fuzz testing for profile filenames
+- [X] If POLL_TIME is set less than 1 it will default to 1 second
+
+Project Security Fixes
+- [X] [Signed commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits): `git config commit.gpgsign true`
+- [X] Added repository [Security policy](https://github.com/tuxerrante/kapparmor/blob/main/SECURITY.md)
 - [X] Added OpenSSF scorecard workflow
-- Bump actions/checkout to 4.1.1
-- Bump [actions/upload-artifact](https://github.com/actions/upload-artifact/releases/tag/v4.3.1) to 4.3.1
-- Bump [github/codeql-action/upload-sarif](https://github.com/github/codeql-action/blob/v3/upload-sarif/action.yml) to v3
-- Introduced Fuzz testing for profile filenames
-- Bash CI to automate go version bump from one source of truth (`config/config`)
-- If POLL_TIME is set less than 1 it will default to 1 second
+- [X] Least Privileged GitHub Actions Token Permissions: setting minimum token permissions for the GITHUB_TOKEN
+- [X] Pinning actions to full length commit
+- [X] Intergated [Harden-Runner](https://github.com/step-security/harden-runner) in the CI: it prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.
+- [X] Pinned image tags to digests in Dockerfiles.
+- [X] Closed 44 (!) security issues coming from [Scorecard security scanner](https://github.com/marketplace/actions/ossf-scorecard-action). Also with the help of [stepsecurity.io](https://app.stepsecurity.io/)
+
 ---
 
 ## [0.1.5 - 2023-05-16](https://github.com/tuxerrante/kapparmor/releases/tag/kapparmor-0.1.5)

diff --git a/go/src/app/filesystemOperations.go b/go/src/app/filesystemOperations.go
@@ -244,6 +244,9 @@ func isValidPath(path string) (bool, error) {
 		if len(substring) == 1 && substring[0] == '.' {
 			return true, nil
 		}
+		if ok, err := isValidFilename(substring); !ok {
+			return false, err
+		}
 	}
 	return true, nil
 }
@@ -267,7 +270,7 @@ func isValidFilename(filename string) (bool, error) {
 		return false, fmt.Errorf("%q is not a valid filename", filename)
 	}
 
-	if len(filename) > 255 {
+	if len(filename) >= 255 {
 		return false, fmt.Errorf("file name too long")
 	}
 

diff --git a/go/src/app/t_fuzzIsProfileNameCorrect_test.go b/go/src/app/t_fuzzIsProfileNameCorrect_test.go
@@ -23,9 +23,6 @@ func FuzzIsProfileNameCorrect(f *testing.F) {
 					//t.Logf("expected error for invalid filename %q", filename)
 					return
 				}
-				if len(filename) > 255 {
-					return
-				}
 				if ok, _ := isValidPath(directory); !ok {
 					return
 				} else {