fix: Fix S3 public access block linking (#899)

fix: Fix S£ public access block linking
aquasecurity · Aug 22, 2022 · d9e802e · d9e802e
1 parent 75bc02b
commit d9e802e
Show file tree

Hide file tree

Showing 4 changed files with 146 additions and 3 deletions.
diff --git a/internal/adapters/terraform/aws/s3/public_access_block.go b/internal/adapters/terraform/aws/s3/public_access_block.go
@@ -23,7 +23,7 @@ func (a *adapter) adaptPublicAccessBlocks() {
 				if bucket, ok := a.bucketMap[referencedBlock.ID()]; ok {
 					bucket.PublicAccessBlock = &pba
 					a.bucketMap[referencedBlock.ID()] = bucket
-					break
+					continue
 				}
 			}
 		}
@@ -33,7 +33,7 @@ func (a *adapter) adaptPublicAccessBlocks() {
 				if bucketAttr.Equals(id) || bucket.Name.EqualTo(bucketName) {
 					bucket.PublicAccessBlock = &pba
 					a.bucketMap[id] = bucket
-					break
+					continue
 				}
 			}
 		}

diff --git a/pkg/scanners/terraform/parser/load_blocks.go b/pkg/scanners/terraform/parser/load_blocks.go
@@ -53,7 +53,7 @@ func parseIgnores(data []byte, path string, moduleSource string) []terraform.Ign
 
 }
 
-var commentPattern = regexp.MustCompile(`^\s*([/]+|/\*|#)\s*tfsec:`)
+var commentPattern = regexp.MustCompile(`^\s*([/]+|/\*|#)+\s*tfsec:`)
 
 func parseIgnoresFromLine(input string) []terraform.Ignore {
 

diff --git a/pkg/scanners/terraform/parser/load_blocks_test.go b/pkg/scanners/terraform/parser/load_blocks_test.go
@@ -0,0 +1,13 @@
+package parser
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParsingDoubleComment(t *testing.T) {
+	ignores := parseIgnoresFromLine("## tfsec:ignore:abc")
+	assert.Equal(t, 1, len(ignores))
+	assert.Truef(t, ignores[0].Block, "Expected ignore to be a block")
+}
diff --git a/pkg/scanners/terraform/scanner_test.go b/pkg/scanners/terraform/scanner_test.go
@@ -633,3 +633,133 @@ deny[res] {
 		fmt.Printf("Debug logs:\n%s\n", debugLog.String())
 	}
 }
+
+func Test_S3_Linking(t *testing.T) {
+
+	code := `
+## tfsec:ignore:aws-s3-enable-bucket-encryption
+## tfsec:ignore:aws-s3-enable-bucket-logging
+## tfsec:ignore:aws-s3-enable-versioning
+resource "aws_s3_bucket" "blubb" {
+  bucket = "test"
+}
+
+resource "aws_s3_bucket_public_access_block" "audit_logs_athena" {
+  bucket = aws_s3_bucket.blubb.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+# tfsec:ignore:aws-s3-enable-bucket-encryption
+# tfsec:ignore:aws-s3-enable-bucket-logging
+# tfsec:ignore:aws-s3-enable-versioning
+resource "aws_s3_bucket" "foo" {
+  bucket        = "prefix-" # remove this variable and it works; does not report
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "foo" {
+  bucket = aws_s3_bucket.foo.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+`
+
+	fs := testutil.CreateFS(t, map[string]string{
+		"code/main.tf": code,
+	})
+
+	debugLog := bytes.NewBuffer([]byte{})
+	scanner := New(
+		options.ScannerWithDebug(debugLog),
+	)
+
+	results, err := scanner.ScanFS(context.TODO(), fs, "code")
+	require.NoError(t, err)
+
+	failed := results.GetFailed()
+	for _, result := range failed {
+		// public access block
+		assert.NotEqual(t, "AVD-AWS-0094", result.Rule().AVDID, "AVD-AWS-0094 should not be reported - was found at "+result.Metadata().Range().String())
+		// encryption
+		assert.NotEqual(t, "AVD-AWS-0088", result.Rule().AVDID)
+		// logging
+		assert.NotEqual(t, "AVD-AWS-0089", result.Rule().AVDID)
+		// versioning
+		assert.NotEqual(t, "AVD-AWS-0090", result.Rule().AVDID)
+	}
+
+	if t.Failed() {
+		fmt.Printf("Debug logs:\n%s\n", debugLog.String())
+	}
+}
+
+func Test_S3_Linking_PublicAccess(t *testing.T) {
+
+	code := `
+resource "aws_s3_bucket" "testA" {
+  bucket = "com.test.testA"
+}
+
+resource "aws_s3_bucket_acl" "testA" {
+  bucket = aws_s3_bucket.testA.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "testA" {
+  bucket = aws_s3_bucket.testA.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket" "testB" {
+  bucket = "com.test.testB"
+}
+
+resource "aws_s3_bucket_acl" "testB" {
+  bucket = aws_s3_bucket.testB.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_public_access_block" "testB" {
+  bucket = aws_s3_bucket.testB.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+`
+
+	fs := testutil.CreateFS(t, map[string]string{
+		"code/main.tf": code,
+	})
+
+	debugLog := bytes.NewBuffer([]byte{})
+	scanner := New(
+		options.ScannerWithDebug(debugLog),
+	)
+
+	results, err := scanner.ScanFS(context.TODO(), fs, "code")
+	require.NoError(t, err)
+
+	for _, result := range results.GetFailed() {
+		// public access block
+		assert.NotEqual(t, "AVD-AWS-0094", result.Rule().AVDID)
+	}
+
+	if t.Failed() {
+		fmt.Printf("Debug logs:\n%s\n", debugLog.String())
+	}
+}
-Original file line number
+Diff line change
@@ Expand Up @@
     }
-    var commentPattern = regexp.MustCompile(`^\s*([/]+|/\*|#)\s*tfsec:`)
+    var commentPattern = regexp.MustCompile(`^\s*([/]+|/\*|#)+\s*tfsec:`)
     func parseIgnoresFromLine(input string) []terraform.Ignore {
@@ Expand Down @@