

perf(misconf): use port ranges instead of enumeration (aquasecurity#7549)

Signed-off-by: nikpivkin <[email protected]>
nikpivkin authored and fhielpos committed Dec 20, 2024
1 parent efb0a0a commit 9d2abdb
Showing 5 changed files with 84 additions and 24 deletions.
4 changes: 2 additions & 2 deletions pkg/iac/adapters/terraform/google/compute/adapt_test.go
Expand Up @@ -184,8 +184,8 @@ func TestLines(t *testing.T) {
assert.Equal(t, 59, network.Firewall.IngressRules[0].Protocol.GetMetadata().Range().GetStartLine())
assert.Equal(t, 59, network.Firewall.IngressRules[0].Protocol.GetMetadata().Range().GetEndLine())

assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].GetMetadata().Range().GetStartLine())
assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].GetMetadata().Range().GetEndLine())
assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].Metadata.Range().GetStartLine())
assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].Metadata.Range().GetEndLine())

assert.Equal(t, 64, network.Subnetworks[0].Metadata.Range().GetStartLine())
assert.Equal(t, 72, network.Subnetworks[0].Metadata.Range().GetEndLine())
Expand Down
39 changes: 23 additions & 16 deletions pkg/iac/adapters/terraform/google/compute/networks.go
Expand Up @@ -105,44 +105,51 @@ func adaptNetworks(modules terraform.Modules) (networks []compute.Network) {
return networks
}

func expandRange(ports string, attr *terraform.Attribute) []iacTypes.IntValue {
func expandRange(ports string, meta iacTypes.Metadata) (compute.PortRange, bool) {
ports = strings.ReplaceAll(ports, " ", "")
if !strings.Contains(ports, "-") {
i, err := strconv.Atoi(ports)
if err != nil {
return nil
}
return []iacTypes.IntValue{
iacTypes.Int(i, attr.GetMetadata()),
return compute.PortRange{}, false
}
return compute.PortRange{
Metadata: meta,
Start: iacTypes.Int(i, meta),
End: iacTypes.Int(i, meta),
}, true
}
parts := strings.Split(ports, "-")
if len(parts) != 2 {
return nil
return compute.PortRange{}, false
}
start, err := strconv.Atoi(parts[0])
if err != nil {
return nil
return compute.PortRange{}, false
}
end, err := strconv.Atoi(parts[1])
if err != nil {
return nil
}
var output []iacTypes.IntValue
for i := start; i <= end; i++ {
output = append(output, iacTypes.Int(i, attr.GetMetadata()))
return compute.PortRange{}, false
}
return output

return compute.PortRange{
Metadata: meta,
Start: iacTypes.Int(start, meta),
End: iacTypes.Int(end, meta),
}, true
}

func adaptFirewallRule(firewall *compute.Firewall, firewallBlock, ruleBlock *terraform.Block, allow bool) {
protocolAttr := ruleBlock.GetAttribute("protocol")
portsAttr := ruleBlock.GetAttribute("ports")

var ports []iacTypes.IntValue
var rngs []compute.PortRange
rawPorts := portsAttr.AsStringValues()
for _, portStr := range rawPorts {
ports = append(ports, expandRange(portStr.Value(), portsAttr)...)
rng, ok := expandRange(portStr.Value(), portsAttr.GetMetadata())
if !ok {
continue
}
rngs = append(rngs, rng)
}

// ingress by default
Expand All @@ -153,7 +160,7 @@ func adaptFirewallRule(firewall *compute.Firewall, firewallBlock, ruleBlock *ter
Enforced: iacTypes.BoolDefault(true, firewallBlock.GetMetadata()),
IsAllow: iacTypes.Bool(allow, ruleBlock.GetMetadata()),
Protocol: protocolAttr.AsStringValueOrDefault("tcp", ruleBlock),
Ports: ports,
Ports: rngs,
}

disabledAttr := firewallBlock.GetAttribute("disabled")
Expand Down
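Review bot: expandRange accepts an inverted range such as `9095-9090` and returns a PortRange whose Start is greater than End; the enumeration loop it replaces produced no ports for that input, so consumers that compare against Start and End now see a non-empty but inverted range where they previously saw nothing. A guard after the second Atoi, `if start > end { return compute.PortRange{}, false }`, preserves the old behaviour of dropping such entries. Neither the old nor the new code checks that the parsed values fall within the valid port space (0–65535), so a value like `70000` still passes through; rejecting or clamping it here would be a reasonable follow-up. adaptFirewallRule's body continues outside the hunk.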
18 changes: 14 additions & 4 deletions pkg/iac/adapters/terraform/google/compute/networks_test.go
Expand Up @@ -39,7 +39,7 @@ func Test_adaptNetworks(t *testing.T) {
source_ranges = ["1.2.3.4/32"]
allow {
protocol = "icmp"
ports = ["80", "8080"]
ports = ["80", "8080", "9090-9095"]
}
}
`,
Expand All @@ -57,9 +57,19 @@ func Test_adaptNetworks(t *testing.T) {
IsAllow: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
Protocol: iacTypes.String("icmp", iacTypes.NewTestMetadata()),
Enforced: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
Ports: []iacTypes.IntValue{
iacTypes.Int(80, iacTypes.NewTestMetadata()),
iacTypes.Int(8080, iacTypes.NewTestMetadata()),
Ports: []compute.PortRange{
{
Start: iacTypes.IntTest(80),
End: iacTypes.IntTest(80),
},
{
Start: iacTypes.IntTest(8080),
End: iacTypes.IntTest(8080),
},
{
Start: iacTypes.IntTest(9090),
End: iacTypes.IntTest(9095),
},
},
},
SourceRanges: []iacTypes.StringValue{
Expand Down
8 changes: 7 additions & 1 deletion pkg/iac/providers/google/compute/firewall.go
Expand Up @@ -18,7 +18,13 @@ type FirewallRule struct {
Enforced iacTypes.BoolValue
IsAllow iacTypes.BoolValue
Protocol iacTypes.StringValue
Ports []iacTypes.IntValue
Ports []PortRange
}

type PortRange struct {
Metadata iacTypes.Metadata
Start iacTypes.IntValue
End iacTypes.IntValue
}

type IngressRule struct {
Expand Down
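Review bot: PortRange is an exported type with no doc comment, and nothing in the file states whether End is inclusive or how a single port is represented. In the adapter a single port yields Start == End and `9090-9095` is stored as Start 9090, End 9095, so a comment such as `// PortRange is an inclusive range of ports; a single port has Start == End.` would make the contract explicit for policy authors. Metadata is also undocumented; the adapter fills it from the whole `ports` attribute rather than the individual entry, which is worth stating if policies report a location from it.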
39 changes: 38 additions & 1 deletion pkg/iac/rego/schemas/cloud.json
Expand Up @@ -1615,10 +1615,18 @@
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
}
},
"fromport": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
},
"protocol": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"toport": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
},
"type": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
Expand Down Expand Up @@ -1677,6 +1685,18 @@
"description": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"fromport": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
},
"protocol": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
},
"toport": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
}
}
},
Expand Down Expand Up @@ -6086,7 +6106,7 @@
"type": "array",
"items": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.providers.google.compute.PortRange"
}
},
"protocol": {
Expand Down Expand Up @@ -6218,6 +6238,23 @@
}
}
},
"github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.providers.google.compute.PortRange": {
"type": "object",
"properties": {
"__defsec_metadata": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.Metadata"
},
"end": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
},
"start": {
"type": "object",
"$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue"
}
}
},
"github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.providers.google.compute.ProjectMetadata": {
"type": "object",
"properties": {
Expand Down
