fix: allow access to '..' in mapfs

[nikpivkin]

Description

The path “../” becomes “..” after cleaning, causing the MapFS check that the path lies outside FS to fail.

Before

trivy conf test/main.tf
2024-09-23T16:44:35+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-09-23T16:44:37+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-09-23T16:44:37+06:00       ERROR   [terraform evaluator] Failed to load module. Maybe try 'terraform init'?        err="file does not exist"
2024-09-23T16:44:37+06:00       INFO    Detected config files   num=1

After

./trivy conf test/main.tf
2024-09-23T17:23:36+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-09-23T17:23:37+06:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-09-23T17:23:37+06:00       INFO    Detected config files   num=2

../main.tf (terraform)

Tests: 10 (SUCCESSES: 1, FAILURES: 9, EXCEPTIONS: 0)
Failures: 9 (UNKNOWN: 0, LOW: 2, MEDIUM: 1, HIGH: 6, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 ../main.tf:1-3
   via main.tf:1-4 (module.test)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1 ┌ resource "aws_s3_bucket" "name" {
   2 │   bucket = "root"
   3 └ }
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
....

Related issues

• Close bug(terraform): Trivy does not load a module from the parent directory #7535

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

Suggested change

	return strings.HasPrefix(name, "..") && m.underlyingRoot != ""
	return (name == ".." || strings.HasPrefix(name, "../")) && m.underlyingRoot != ""

A regular file can have .. prefix.

$ touch ..foo
$ ls -al
total 0
drwxr-xr-x  3 teppei   96  9 25 11:06 ./
drwxrwxrwt 37 root   1184  9 25 11:06 ../
-rw-r--r--  1 teppei    0  9 25 11:06 ..foo

[nikpivkin]

Fixed a002320

[knqyf263]

Is there any reason why testdata is used? Can we use filepath.Join(t.TempDir(), "subdir"?

[nikpivkin]

The testdata/subdir contains some files to which access is tested.

[knqyf263]

OK, thanks.

[knqyf263]

OK, thanks.