Skip to content

Commit

Permalink
Merge pull request #6916 from Tohar-orca/fix-sensitive-port-exposed
Browse files Browse the repository at this point in the history 
fix(query): sensitive_port_is_exposed_to_entire_network
  • Loading branch information
@gabriel-cx
gabriel-cx authored Mar 4, 2024
2 parents 09c2e3e + bc11b92 commit 4c4c625
Show file tree
Hide file tree
Showing 4 changed files with 908 additions and 167 deletions.
25 changes: 25 additions & 0 deletions assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/query.rego
View file
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,31 @@ CxPolicy[result] {
}
}

CxPolicy[result] {
resource := input.document[i].resource.aws_security_group[name]

portContent := commonLib.tcpPortsMap[port]
portNumber = port
portName = portContent
ingress := resource.ingress[j]
protocol := tf_lib.getProtocolList(ingress.protocol)[_]

endswith(ingress.cidr_blocks[_], "/0")
tf_lib.containsPort(ingress, portNumber)
isTCPorUDP(protocol)

result := {
"documentId": input.document[i].id,
"resourceType": "aws_security_group",
"resourceName": tf_lib.get_resource_name(resource, name),
"searchKey": sprintf("aws_security_group[%s].ingress", [name]),
"searchValue": sprintf("%s,%d", [protocol, portNumber]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("%s (%s:%d) should not be allowed", [portName, protocol, portNumber]),
"keyActualValue": sprintf("%s (%s:%d) is allowed", [portName, protocol, portNumber]),
}
}

isTCPorUDP("TCP") = true

isTCPorUDP("UDP") = true
274 changes: 274 additions & 0 deletions assets/queries/terraform/aws/sensitive_port_is_exposed_to_entire_network/test/negative.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,274 @@
{
"format_version": "0.2",
"terraform_version": "1.0.5",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_security_group.invalid",
"mode": "managed",
"type": "aws_security_group",
"name": "invalid",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 1,
"values": {
"description": "invalid",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"ingress": [
{
"cidr_blocks": [
"192.168.0.0/24"
],
"description": "invalid",
"from_port": 443,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
}
],
"name": "invalid",
"revoke_rules_on_delete": false,
"tags": {
"Name": "invalid"
},
"tags_all": {
"Name": "invalid"
},
"timeouts": null
},
"sensitive_values": {
"egress": [
{
"cidr_blocks": [
false
],
"ipv6_cidr_blocks": [
false
],
"prefix_list_ids": [],
"security_groups": []
}
],
"ingress": [
{
"cidr_blocks": [
false
],
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"security_groups": []
}
],
"tags": {},
"tags_all": {}
}
}
]
}
},
"resource_changes": [
{
"address": "aws_security_group.invalid",
"mode": "managed",
"type": "aws_security_group",
"name": "invalid",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"description": "invalid",
"egress": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": "",
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": [],
"protocol": "-1",
"security_groups": [],
"self": false,
"to_port": 0
}
],
"ingress": [
{
"cidr_blocks": [
"192.168.0.0/24"
],
"description": "invalid",
"from_port": 443,
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"protocol": "tcp",
"security_groups": [],
"self": false,
"to_port": 443
}
],
"name": "invalid",
"revoke_rules_on_delete": false,
"tags": {
"Name": "invalid"
},
"tags_all": {
"Name": "invalid"
},
"timeouts": null
},
"after_unknown": {
"arn": true,
"egress": [
{
"cidr_blocks": [
false
],
"ipv6_cidr_blocks": [
false
],
"prefix_list_ids": [],
"security_groups": []
}
],
"id": true,
"ingress": [
{
"cidr_blocks": [
false
],
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"security_groups": []
}
],
"name_prefix": true,
"owner_id": true,
"tags": {},
"tags_all": {},
"vpc_id": true
},
"before_sensitive": false,
"after_sensitive": {
"egress": [
{
"cidr_blocks": [
false
],
"ipv6_cidr_blocks": [
false
],
"prefix_list_ids": [],
"security_groups": []
}
],
"ingress": [
{
"cidr_blocks": [
false
],
"ipv6_cidr_blocks": [],
"prefix_list_ids": [],
"security_groups": []
}
],
"tags": {},
"tags_all": {}
}
}
}
],
"configuration": {
"root_module": {
"resources": [
{
"address": "aws_security_group.invalid",
"mode": "managed",
"type": "aws_security_group",
"name": "invalid",
"provider_config_key": "aws",
"expressions": {
"description": {
"constant_value": "invalid"
},
"egress": {
"constant_value": [
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": [
"::/0"
],
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"self": null,
"to_port": 0
}
]
},
"ingress": {
"constant_value": [
{
"cidr_blocks": [
"192.168.0.0/24"
],
"description": "invalid",
"from_port": 443,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "tcp",
"security_groups": null,
"self": null,
"to_port": 443
}
]
},
"name": {
"constant_value": "invalid"
},
"tags": {
"constant_value": {
"Name": "invalid"
}
},
"vpc_id": {
"references": [
"aws_vpc.vpc-a.id",
"aws_vpc.vpc-a"
]
}
},
"schema_version": 1
}
]
}
}
}
Loading

0 comments on commit 4c4c625

Please sign in to comment.