From a4dadd01aec55efa96da1760a9d8b56d246add4c Mon Sep 17 00:00:00 2001
From: Florian Ruechel
Date: Fri, 13 Dec 2024 11:50:43 +1030
Subject: [PATCH] Add exclusion patterns for curl-unecrypted-url

curl-unecrypted-url produces a lot of false positives on repositories with lots of cloud infrastructure code for AWS or GCP. These providers use link local URLs via HTTP without TLS. This is equivalent to localhost patterns.
---
generic/curl-unencrypted-url.sh | 8 +++++++-
generic/curl-unencrypted-url.yaml | 2 ++
2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/generic/curl-unencrypted-url.sh b/generic/curl-unencrypted-url.sh
index 39b5006..e329a00 100644
--- a/generic/curl-unencrypted-url.sh
+++ b/generic/curl-unencrypted-url.sh
@@ -13,4 +13,10 @@ curl https://google.com > /dev/null
 curl http://localhost > /dev/null
 
 # ok: curl-unencrypted-url
-curl http://127.0.0.1 > /dev/null
\ No newline at end of file
+curl http://127.0.0.1 > /dev/null
+
+# ok: curl-unencrypted-url
+curl http://169.254.169.254 > /dev/null
+
+# ok: curl-unencrypted-url
+curl http://metadata.google.internal > /dev/null
diff --git a/generic/curl-unencrypted-url.yaml b/generic/curl-unencrypted-url.yaml
index ea29409..4007a3e 100644
--- a/generic/curl-unencrypted-url.yaml
+++ b/generic/curl-unencrypted-url.yaml
@@ -19,3 +19,5 @@ rules:
  - pattern: curl ... ftp://
  - pattern-not-inside: curl ... http://127.0.0.1
  - pattern-not-inside: curl ... http://localhost
+ - pattern-not-inside: curl ... http://169.254.169.254
+ - pattern-not-inside: curl ... http://metadata.google.internal
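Review bot: The two new `# ok:` cases in curl-unencrypted-url.sh only confirm that the exclusions suppress the finding; nothing in the fixture checks that they do not suppress more than intended. A negative case next to them, e.g. `# ruleid: curl-unencrypted-url` followed by `curl http://169.254.1.1 > /dev/null` (a constructed link-local address that is not the metadata endpoint), would catch a later widening of the exclusion. The same applies to a hostname that merely starts with `metadata.google.internal`, which the current fixture leaves unexercised.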
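Review bot: The two new `pattern-not-inside` entries in curl-unencrypted-url.yaml carry no explanation, so a reader of the rule cannot tell why cleartext to these two hosts is acceptable when every other `http://` host is flagged. Add a comment above them along the lines of `# Cloud instance-metadata endpoints (AWS/GCP) are link-local and not routable, so TLS is not offered there; treat them like localhost.` As with the existing `127.0.0.1` and `localhost` entries, a bare host literal in a generic-mode pattern appears to match as a token prefix, so a longer hostname beginning with the same tokens would likely be excluded as well; if that is a concern, the rule needs a stricter boundary after the host rather than more literals. The rule's `patterns` list begins outside the hunk.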