
Commit 1c49a16

authored
fix(misconf): Escape template value correctly (aquasecurity#6292)
Signed-off-by: Simar <[email protected]>
1 parent 8dd0fcd commit 1c49a16


4 files changed

+580
-59
lines changed

4 files changed

+580
-59
lines changed

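--- a/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
+++ b/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
@@ -13,11 +13,19 @@ import (
 "github.com/stretchr/testify/require"
 )
 
-func Test_OptionWithPolicyDirs_OldRegoMetadata(t *testing.T) {
-b, _ := os.ReadFile("test/testdata/plan.json")
-fs := testutil.CreateFS(t, map[string]string{
-"/code/main.tfplan.json": string(b),
-"/rules/test.rego": `
+func Test_TerraformScanner(t *testing.T) {
+t.Parallel()
+
+testCases := []struct {
+name string
+inputFile string
+inputRego string
+options []options.ScannerOption
+}{
+{
+name: "old rego metadata",
+inputFile: "test/testdata/plan.json",
+inputRego: `
 package defsec.abcdefg
 
 __rego_metadata__ := {
@@ -43,36 +51,46 @@ deny[cause] {
 cause := bucket.name
 }
 `,
-})
-
-debugLog := bytes.NewBuffer([]byte{})
-scanner := New(
-options.ScannerWithDebug(debugLog),
-options.ScannerWithPolicyFilesystem(fs),
-options.ScannerWithPolicyDirs("rules"),
-options.ScannerWithRegoOnly(true),
-options.ScannerWithEmbeddedPolicies(false),
-)
-
-results, err := scanner.ScanFS(context.TODO(), fs, "code")
-require.NoError(t, err)
-
-require.Len(t, results.GetFailed(), 1)
-
-failure := results.GetFailed()[0]
+options: []options.ScannerOption{
+options.ScannerWithPolicyDirs("rules"),
+options.ScannerWithRegoOnly(true),
+options.ScannerWithEmbeddedPolicies(false)},
+},
+{
+name: "with user namespace",
+inputFile: "test/testdata/plan.json",
+inputRego: `
+# METADATA
+# title: Bad buckets are bad
+# description: Bad buckets are bad because they are not good.
+# scope: package
+# schemas:
+# - input: schema["input"]
+# custom:
+# avd_id: AVD-TEST-0123
+# severity: CRITICAL
+# short_code: very-bad-misconfig
+# recommended_action: "Fix the s3 bucket"
 
-assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
-if t.Failed() {
-fmt.Printf("Debug logs:\n%s\n", debugLog.String())
-}
+package user.foobar.ABC001
 
+deny[cause] {
+bucket := input.aws.s3.buckets[_]
+bucket.name.value == "tfsec-plan-testing"
+cause := bucket.name
 }
-
-func Test_OptionWithPolicyDirs_WithUserNamespace(t *testing.T) {
-b, _ := os.ReadFile("test/testdata/plan.json")
-fs := testutil.CreateFS(t, map[string]string{
-"/code/main.tfplan.json": string(b),
-"/rules/test.rego": `
+`,
+options: []options.ScannerOption{
+options.ScannerWithPolicyDirs("rules"),
+options.ScannerWithRegoOnly(true),
+options.ScannerWithEmbeddedPolicies(false),
+options.ScannerWithPolicyNamespaces("user"),
+},
+},
+{
+name: "with templated plan json",
+inputFile: "test/testdata/plan_with_template.json",
+inputRego: `
 # METADATA
 # title: Bad buckets are bad
 # description: Bad buckets are bad because they are not good.
@@ -89,32 +107,43 @@ package user.foobar.ABC001
 
 deny[cause] {
 bucket := input.aws.s3.buckets[_]
-bucket.name.value == "tfsec-plan-testing"
+bucket.name.value == "${template-name-is-$evil}"
 cause := bucket.name
 }
 `,
-})
+options: []options.ScannerOption{
+options.ScannerWithPolicyDirs("rules"),
+options.ScannerWithRegoOnly(true),
+options.ScannerWithEmbeddedPolicies(false),
+options.ScannerWithPolicyNamespaces("user"),
+},
+},
+}
 
-debugLog := bytes.NewBuffer([]byte{})
-scanner := New(
-options.ScannerWithDebug(debugLog),
-options.ScannerWithPolicyFilesystem(fs),
-options.ScannerWithPolicyDirs("rules"),
-options.ScannerWithRegoOnly(true),
-options.ScannerWithPolicyNamespaces("user"),
-options.ScannerWithEmbeddedPolicies(false),
-)
+for _, tc := range testCases {
+tc := tc
+t.Run(tc.name, func(t *testing.T) {
+b, _ := os.ReadFile(tc.inputFile)
+fs := testutil.CreateFS(t, map[string]string{
+"/code/main.tfplan.json": string(b),
+"/rules/test.rego": tc.inputRego,
+})
 
-results, err := scanner.ScanFS(context.TODO(), fs, "code")
-require.NoError(t, err)
+debugLog := bytes.NewBuffer([]byte{})
+so := append(tc.options, options.ScannerWithDebug(debugLog), options.ScannerWithPolicyFilesystem(fs))
+scanner := New(so...)
 
-require.Len(t, results.GetFailed(), 1)
+results, err := scanner.ScanFS(context.TODO(), fs, "code")
+require.NoError(t, err)
 
-failure := results.GetFailed()[0]
+require.Len(t, results.GetFailed(), 1)
 
-assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
-if t.Failed() {
-fmt.Printf("Debug logs:\n%s\n", debugLog.String())
-}
+failure := results.GetFailed()[0]
 
+assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
+if t.Failed() {
+fmt.Printf("Debug logs:\n%s\n", debugLog.String())
+}
+})
+}
 }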
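Review bot: `b, _ := os.ReadFile(tc.inputFile)` in the new t.Run body discards the read error, so a missing or misnamed fixture (the new `plan_with_template.json` case introduces one) silently writes an empty `/code/main.tfplan.json` and the subtest fails later on `require.Len` rather than at the cause; prefer `b, err := os.ReadFile(tc.inputFile)` followed by `require.NoError(t, err)`. The `so := append(tc.options, …)` line also appends into the test case's own slice; with the literals here it will reallocate, but building `so` from a fresh slice (`make([]options.ScannerOption, 0, len(tc.options)+2)` then append) keeps that independent of the literal's capacity. For the "with templated plan json" case, the only thing checked is that one finding with the expected AVDID is produced; a second assertion on the matched bucket name would pin down that the `${…}` template value was actually compared rather than dropped, which is what the commit title claims to fix.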

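--- a/pkg/iac/scanners/terraformplan/tfjson/test/parser_test.go
+++ b/pkg/iac/scanners/terraformplan/tfjson/test/parser_test.go
@@ -9,7 +9,6 @@ import (
 )
 
 func Test_Parse_Plan_File(t *testing.T) {
-
 planFile, err := parser.New().ParseFile("testdata/plan.json")
 require.NoError(t, err)
 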