fix: verify-token allow empty base_ref (#2475)

#2471 added the base_ref in verify-token but this value may be empty. This PR allows the base_ref to be empty string. Signed-off-by: laurentsimon <laurentsimon@google.com>
slsa-framework · Jul 26, 2023 · bb63553 · bb63553
1 parent 389ab52
commit bb63553
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 7 deletions.
diff --git a/.github/actions/verify-token/__tests__/validate.test.ts b/.github/actions/verify-token/__tests__/validate.test.ts
@@ -39,6 +39,14 @@ describe("validateField", () => {
     validateField("foo", "foo", "foo");
   });
 
+  it("validates equal empty values", () => {
+    validateField("foo", "", "", true);
+  });
+
+  expect(() => {
+    validateField("foo", "", "");
+  }).toThrow();
+
   it("does not validate unequal values", () => {
     expect(() => {
       validateField("foo", "foo", "bar");

diff --git a/.github/actions/verify-token/dist/index.js b/.github/actions/verify-token/dist/index.js
@@ -945,7 +945,7 @@ function validateGitHubFields(gho) {
     // event_name.
     validateField("github.event_name", gho.event_name, process.env.GITHUB_EVENT_NAME);
     // base_ref.
-    validateField("github.base_ref", gho.base_ref, process.env.GITHUB_BASE_REF);
+    validateField("github.base_ref", gho.base_ref, process.env.GITHUB_BASE_REF, true);
     // Validate the event. Only events in
     // https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1
     // are supported.
@@ -1027,13 +1027,14 @@ exports.validateFieldAnyOf = validateFieldAnyOf;
  * @param name - the name of the value
  * @param actual - the actual value of the field
  * @param expected - the expected value of the field
+ * @param allow_empty - whether the value may be empty
  * @throws Error - if actual and expected don't match or are empty.
  */
-function validateField(name, actual, expected) {
+function validateField(name, actual, expected, allow_empty = false) {
     if (actual !== expected) {
         throw new Error(`mismatch ${name}: got '${actual}', expected '${expected}'.`);
     }
-    if (!actual) {
+    if (!allow_empty && !actual) {
         throw new Error(`empty ${name}, expected non-empty value.`);
     }
 }

diff --git a/.github/actions/verify-token/dist/index.js.map b/.github/actions/verify-token/dist/index.js.map
diff --git a/.github/actions/verify-token/src/validate.ts b/.github/actions/verify-token/src/validate.ts
@@ -27,7 +27,12 @@ export function validateGitHubFields(gho: githubObj): void {
   );
 
   // base_ref.
-  validateField("github.base_ref", gho.base_ref, process.env.GITHUB_BASE_REF);
+  validateField(
+    "github.base_ref",
+    gho.base_ref,
+    process.env.GITHUB_BASE_REF,
+    true
+  );
 
   // Validate the event. Only events in
   // https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1
@@ -175,15 +180,21 @@ export function validateFieldAnyOf<T>(
  * @param name - the name of the value
  * @param actual - the actual value of the field
  * @param expected - the expected value of the field
+ * @param allow_empty - whether the value may be empty
  * @throws Error - if actual and expected don't match or are empty.
  */
-export function validateField<T>(name: string, actual: T, expected: T): void {
+export function validateField<T>(
+  name: string,
+  actual: T,
+  expected: T,
+  allow_empty = false
+): void {
   if (actual !== expected) {
     throw new Error(
       `mismatch ${name}: got '${actual}', expected '${expected}'.`
     );
   }
-  if (!actual) {
+  if (!allow_empty && !actual) {
     throw new Error(`empty ${name}, expected non-empty value.`);
   }
 }