Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't trim path from builder URI #3214

Merged
merged 4 commits into from
May 1, 2024
Merged

Don't trim path from builder URI #3214

merged 4 commits into from
May 1, 2024

Conversation

puerco
Copy link
Contributor

@puerco puerco commented May 1, 2024

Summary

This PR modifies the identity extraction function to preserve the full path of the attestation identity recorded in the attestation identity.

Trimming the path opens up a vulnerability as an attestation may be validated by a signature triggered from a workflow with the same filename as the expected one.

The identity extraction function is still timing the branch and tag from the identity which we should probably also not do but we handle it in the rule definition so probably we are ok. Further discussion is needed.

Change Type

Mark the type of change your PR introduces:

  • Bug fix (resolves an issue without affecting existing features)
  • Feature (adds new functionality without breaking changes)
  • Breaking change (may impact existing functionalities or require documentation updates)
  • Documentation (updates or additions to documentation)
  • Refactoring or test improvements (no bug fixes or new functionality)

Testing

Added a unit test to test the treatment of the signer identity

Review Checklist:

  • Reviewed my own code for quality and clarity.
  • Added comments to complex or tricky code sections.
  • Updated any affected documentation.
  • Included tests that validate the fix or feature.
  • Checked that related changes are merged.

@puerco
Don't trim path from signer identity
cb2d2b9 
Signed-off-by: Adolfo García Veytia (puerco) <puerco@stacklok.com>
@puerco
Rename identity func to reflect cert use
aa467b0 
Signed-off-by: Adolfo García Veytia (puerco) <puerco@stacklok.com>
@puerco
Add test for certificate identity
84976e7 
Signed-off-by: Adolfo García Veytia (puerco) <puerco@stacklok.com>
@puerco puerco added the bug Something isn't working label May 1, 2024
@puerco puerco requested a review from a team as a code owner May 1, 2024 05:57
@puerco puerco changed the title DOn't trim path from builder URI Don't trim path from builder URI May 1, 2024
@coveralls
Copy link

coveralls commented May 1, 2024
edited
Loading

Coverage Status

coverage: 50.62% (+0.1%) from 50.514%
when pulling 4648953 on puerco:check-identities
into 7c50e65 on stacklok:main.

@puerco puerco merged commit 2d28734 into mindersec:main May 1, 2024
20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmjb dmjb dmjb approved these changes

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@puerco @coveralls @dmjb