Skip to content

Commit

Permalink
fix(misconf): Escape template value correctly (aquasecurity#6292)
Browse files Browse the repository at this point in the history
Signed-off-by: Simar <simar@linux.com>
  • Loading branch information
simar7 authored Apr 3, 2024
1 parent 8dd0fcd commit 1c49a16
Show file tree
Hide file tree
Showing 4 changed files with 580 additions and 59 deletions.
131 changes: 80 additions & 51 deletions pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,11 +13,19 @@ import (
"github.com/stretchr/testify/require"
)

func Test_OptionWithPolicyDirs_OldRegoMetadata(t *testing.T) {
b, _ := os.ReadFile("test/testdata/plan.json")
fs := testutil.CreateFS(t, map[string]string{
"/code/main.tfplan.json": string(b),
"/rules/test.rego": `
func Test_TerraformScanner(t *testing.T) {
t.Parallel()

testCases := []struct {
name string
inputFile string
inputRego string
options []options.ScannerOption
}{
{
name: "old rego metadata",
inputFile: "test/testdata/plan.json",
inputRego: `
package defsec.abcdefg
__rego_metadata__ := {
Expand All @@ -43,36 +51,46 @@ deny[cause] {
cause := bucket.name
}
`,
})

debugLog := bytes.NewBuffer([]byte{})
scanner := New(
options.ScannerWithDebug(debugLog),
options.ScannerWithPolicyFilesystem(fs),
options.ScannerWithPolicyDirs("rules"),
options.ScannerWithRegoOnly(true),
options.ScannerWithEmbeddedPolicies(false),
)

results, err := scanner.ScanFS(context.TODO(), fs, "code")
require.NoError(t, err)

require.Len(t, results.GetFailed(), 1)

failure := results.GetFailed()[0]
options: []options.ScannerOption{
options.ScannerWithPolicyDirs("rules"),
options.ScannerWithRegoOnly(true),
options.ScannerWithEmbeddedPolicies(false)},
},
{
name: "with user namespace",
inputFile: "test/testdata/plan.json",
inputRego: `
# METADATA
# title: Bad buckets are bad
# description: Bad buckets are bad because they are not good.
# scope: package
# schemas:
# - input: schema["input"]
# custom:
# avd_id: AVD-TEST-0123
# severity: CRITICAL
# short_code: very-bad-misconfig
# recommended_action: "Fix the s3 bucket"
assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
if t.Failed() {
fmt.Printf("Debug logs:\n%s\n", debugLog.String())
}
package user.foobar.ABC001
deny[cause] {
bucket := input.aws.s3.buckets[_]
bucket.name.value == "tfsec-plan-testing"
cause := bucket.name
}

func Test_OptionWithPolicyDirs_WithUserNamespace(t *testing.T) {
b, _ := os.ReadFile("test/testdata/plan.json")
fs := testutil.CreateFS(t, map[string]string{
"/code/main.tfplan.json": string(b),
"/rules/test.rego": `
`,
options: []options.ScannerOption{
options.ScannerWithPolicyDirs("rules"),
options.ScannerWithRegoOnly(true),
options.ScannerWithEmbeddedPolicies(false),
options.ScannerWithPolicyNamespaces("user"),
},
},
{
name: "with templated plan json",
inputFile: "test/testdata/plan_with_template.json",
inputRego: `
# METADATA
# title: Bad buckets are bad
# description: Bad buckets are bad because they are not good.
Expand All @@ -89,32 +107,43 @@ package user.foobar.ABC001
deny[cause] {
bucket := input.aws.s3.buckets[_]
bucket.name.value == "tfsec-plan-testing"
bucket.name.value == "${template-name-is-$evil}"
cause := bucket.name
}
`,
})
options: []options.ScannerOption{
options.ScannerWithPolicyDirs("rules"),
options.ScannerWithRegoOnly(true),
options.ScannerWithEmbeddedPolicies(false),
options.ScannerWithPolicyNamespaces("user"),
},
},
}

debugLog := bytes.NewBuffer([]byte{})
scanner := New(
options.ScannerWithDebug(debugLog),
options.ScannerWithPolicyFilesystem(fs),
options.ScannerWithPolicyDirs("rules"),
options.ScannerWithRegoOnly(true),
options.ScannerWithPolicyNamespaces("user"),
options.ScannerWithEmbeddedPolicies(false),
)
for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
b, _ := os.ReadFile(tc.inputFile)
fs := testutil.CreateFS(t, map[string]string{
"/code/main.tfplan.json": string(b),
"/rules/test.rego": tc.inputRego,
})

results, err := scanner.ScanFS(context.TODO(), fs, "code")
require.NoError(t, err)
debugLog := bytes.NewBuffer([]byte{})
so := append(tc.options, options.ScannerWithDebug(debugLog), options.ScannerWithPolicyFilesystem(fs))
scanner := New(so...)

require.Len(t, results.GetFailed(), 1)
results, err := scanner.ScanFS(context.TODO(), fs, "code")
require.NoError(t, err)

failure := results.GetFailed()[0]
require.Len(t, results.GetFailed(), 1)

assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
if t.Failed() {
fmt.Printf("Debug logs:\n%s\n", debugLog.String())
}
failure := results.GetFailed()[0]

assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
if t.Failed() {
fmt.Printf("Debug logs:\n%s\n", debugLog.String())
}
})
}
}
1 change: 0 additions & 1 deletion pkg/iac/scanners/terraformplan/tfjson/test/parser_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (
)

func Test_Parse_Plan_File(t *testing.T) {

planFile, err := parser.New().ParseFile("testdata/plan.json")
require.NoError(t, err)

Expand Down
Loading

0 comments on commit 1c49a16

Please sign in to comment.