feat: Input argument for the name of attestation of generic workflow (slsa-framework#545)

* Input argument for the name of attestation

* update

* update

* tests

* update

* update

* update

* update

* update

* update

Author: laurentsimon

.github/workflows/generator_generic_slsa3.yml

@@ -34,6 +34,15 @@ on:
         required: false
         type: boolean
         default: false
+      attestation-name:
+        description: >
+          The artifact name of the signed provenance. 
+          The file must have the intoto.jsonl extension.
+
+          Default: attestation.intoto.jsonl
+        required: false
+        type: string
+        default: "attestation.intoto.jsonl"
       compile-generator:
         description: "Build the generator from source. This increases build time by ~2m."
         required: false
@@ -44,8 +53,8 @@ on:
         description: "The name of the release where provenance was uploaded."
         value: ${{ jobs.create-release.outputs.release-id }}
       attestation-name:
-        description: "The artifact name of the signed provenance"
-        value: ${{ jobs.generator.outputs.attestation-name }}
+        description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
+        value: "${{ inputs.attestation-name }}"
 
 jobs:
   # detect-env detects the reusable workflow's repository and ref for use later
@@ -73,7 +82,6 @@ jobs:
   # reference.
   generator:
     outputs:
-      attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
       attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
     runs-on: ubuntu-latest
     needs: [detect-env]
@@ -103,21 +111,21 @@ jobs:
         env:
           SUBJECTS: "${{ inputs.base64-subjects }}"
           GITHUB_CONTEXT: "${{ toJSON(github) }}"
+          UNTRUSTED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
         run: |
           set -euo pipefail
-          # Create and sign provenance
-          # This sets attestation-name to the name of the signed DSSE envelope.
-          attestation_name="attestation.intoto.jsonl"
-          ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g $attestation_name
-          attestation_sha256=$(sha256sum $attestation_name | awk '{print $1}')
-          echo "::set-output name=attestation-name::$attestation_name"
+          # Create and sign provenance.
+          # Note: The builder verifies that the UNTRUSTED_ATTESTATION_NAME is located
+          # in the current directory.
+          ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g "$UNTRUSTED_ATTESTATION_NAME"
+          attestation_sha256=$(sha256sum "$UNTRUSTED_ATTESTATION_NAME" | awk '{print $1}')
           echo "::set-output name=attestation-sha256::$attestation_sha256"
 
       - name: Upload the signed provenance
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
         with:
-          name: "${{ steps.sign-prov.outputs.attestation-name }}"
-          path: "${{ steps.sign-prov.outputs.attestation-name }}"
+          name: "${{ inputs.attestation-name }}"
+          path: "${{ inputs.attestation-name }}"
           if-no-files-found: error
           retention-days: 5
 
@@ -135,12 +143,12 @@ jobs:
       - name: Download the provenance
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@1d646d70aeba1516af69fb0ef48206580122449b
         with:
-          name: "${{ needs.generator.outputs.attestation-name }}"
+          name: "${{ inputs.attestation-name }}"
           sha256: "${{ needs.generator.outputs.attestation-sha256 }}"
 
       - name: Release
         uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # tag=v0.1.14
         id: release
         with:
           files: |
-            ${{ needs.generator.outputs.attestation-name }}
+            ${{ inputs.attestation-name }}

internal/builders/generic/attest.go

@@ -64,6 +64,16 @@ type errNoName struct {
 	errors.WrappableError
 }
 
+// errInvalidPath indicates an invalid path.
+type errInvalidPath struct {
+	errors.WrappableError
+}
+
+// errInternal indicates an internal error.
+type errInternal struct {
+	errors.WrappableError
+}
+
 // errDuplicateSubject indicates a duplicate subject name.
 type errDuplicateSubject struct {
 	errors.WrappableError
@@ -125,13 +135,46 @@ func parseSubjects(b64str string) ([]intoto.Subject, error) {
 	return parsed, nil
 }
 
+func pathIsUnderCurrentDirectory(path string) error {
+	wd, err := os.Getwd()
+	if err != nil {
+		return errors.Errorf(&errInternal{}, "os.Getwd(): %w", err)
+	}
+	p, err := filepath.Abs(path)
+	if err != nil {
+		return errors.Errorf(&errInternal{}, "filepath.Abs(): %w", err)
+	}
+
+	if !strings.HasPrefix(p, wd+"/") &&
+		wd != p {
+		return errors.Errorf(&errInvalidPath{}, "path: %q", path)
+	}
+
+	return nil
+}
+
 func getFile(path string) (io.Writer, error) {
 	if path == "-" {
 		return os.Stdout, nil
 	}
+
+	if err := pathIsUnderCurrentDirectory(path); err != nil {
+		return nil, err
+	}
+
 	return os.OpenFile(filepath.Clean(path), os.O_WRONLY|os.O_CREATE, 0o600)
 }
 
+func verifyAttestationPath(path string) error {
+	if !strings.HasSuffix(path, "intoto.jsonl") {
+		return errors.Errorf(&errInvalidPath{}, "invalid suffix: %q. Must be .intoto.jsonl", path)
+	}
+	if err := pathIsUnderCurrentDirectory(path); err != nil {
+		return err
+	}
+	return nil
+}
+
 type provenanceOnlyBuild struct {
 	*slsa.GithubActionsBuild
 }
@@ -158,6 +201,10 @@ run in the context of a Github Actions workflow.`,
 			ghContext, err := github.GetWorkflowContext()
 			check(err)
 
+			// Verify the extension path and extension.
+			err = verifyAttestationPath(attPath)
+			check(err)
+
 			var parsedSubjects []intoto.Subject
 			// We don't actually care about the subjects if we aren't writing an attestation.
 			if attPath != "" {
@@ -189,6 +236,7 @@ run in the context of a Github Actions workflow.`,
 			p, err := g.Generate(ctx)
 			check(err)
 
+			// Note: we verify the path within getFile().
 			if attPath != "" {
 				var attBytes []byte
 				if utils.IsPresubmitTests() {

internal/builders/generic/attest_test.go

@@ -7,9 +7,124 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	slsav02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+
 	"github.com/slsa-framework/slsa-github-generator/internal/errors"
 )
 
+func Test_pathIsUnderCurrentDirectory(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		path     string
+		expected error
+	}{
+		{
+			name:     "valid same path",
+			path:     "./",
+			expected: nil,
+		},
+		{
+			name:     "valid path no slash",
+			path:     "./some/valid/path",
+			expected: nil,
+		},
+		{
+			name:     "valid path with slash",
+			path:     "./some/valid/path/",
+			expected: nil,
+		},
+		{
+			name:     "valid path with no dot",
+			path:     "some/valid/path/",
+			expected: nil,
+		},
+		{
+			name:     "some valid path",
+			path:     "../generic/some/valid/path",
+			expected: nil,
+		},
+		{
+			name:     "parent invalid path",
+			path:     "../invalid/path",
+			expected: &errInvalidPath{},
+		},
+		{
+			name:     "some invalid fullpath",
+			path:     "/some/invalid/fullpath",
+			expected: &errInvalidPath{},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := pathIsUnderCurrentDirectory(tt.path)
+			if (err == nil && tt.expected != nil) ||
+				(err != nil && tt.expected == nil) {
+				t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors()))
+			}
+
+			if err != nil && !errors.As(err, &tt.expected) {
+				t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors()))
+			}
+		})
+	}
+}
+
+func Test_verifyAttestationPath(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		path     string
+		expected error
+	}{
+		{
+			name:     "valid file",
+			path:     "./path/to/valid.intoto.jsonl",
+			expected: nil,
+		},
+		{
+			name:     "invalid path",
+			path:     "../some/invalid/valid.intoto.jsonl",
+			expected: &errInvalidPath{},
+		},
+		{
+			name:     "invalid extension",
+			path:     "some/file.ntoto.jsonl",
+			expected: &errInvalidPath{},
+		},
+		{
+			name:     "invalid not exntension",
+			path:     "some/file.intoto.jsonl.",
+			expected: &errInvalidPath{},
+		},
+		{
+			name:     "invalid folder exntension",
+			path:     "file.intoto.jsonl/file",
+			expected: &errInvalidPath{},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt // Re-initializing variable so it is not changed while executing the closure below
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := verifyAttestationPath(tt.path)
+			if (err == nil && tt.expected != nil) ||
+				(err != nil && tt.expected == nil) {
+				t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors()))
+			}
+
+			if err != nil && !errors.As(err, &tt.expected) {
+				t.Fatalf("unexpected error: %v", cmp.Diff(err, tt.expected, cmpopts.EquateErrors()))
+			}
+		})
+	}
+}
+
 // TestParseSubjects tests the parseSubjects function.
 func TestParseSubjects(t *testing.T) {
 	testCases := []struct {