From 9d2abdbe3ed94226d87d5006ed60efbfe3d65a06 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Fri, 20 Sep 2024 10:50:12 +0600 Subject: [PATCH] perf(misconf): use port ranges instead of enumeration (#7549) Signed-off-by: nikpivkin --- .../terraform/google/compute/adapt_test.go | 4 +- .../terraform/google/compute/networks.go | 39 +++++++++++-------- .../terraform/google/compute/networks_test.go | 18 +++++++-- pkg/iac/providers/google/compute/firewall.go | 8 +++- pkg/iac/rego/schemas/cloud.json | 39 ++++++++++++++++++- 5 files changed, 84 insertions(+), 24 deletions(-) diff --git a/pkg/iac/adapters/terraform/google/compute/adapt_test.go b/pkg/iac/adapters/terraform/google/compute/adapt_test.go index a90c4315364a..d5bbe5a8f566 100644 --- a/pkg/iac/adapters/terraform/google/compute/adapt_test.go +++ b/pkg/iac/adapters/terraform/google/compute/adapt_test.go @@ -184,8 +184,8 @@ func TestLines(t *testing.T) { assert.Equal(t, 59, network.Firewall.IngressRules[0].Protocol.GetMetadata().Range().GetStartLine()) assert.Equal(t, 59, network.Firewall.IngressRules[0].Protocol.GetMetadata().Range().GetEndLine()) - assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].GetMetadata().Range().GetStartLine()) - assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].GetMetadata().Range().GetEndLine()) + assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].Metadata.Range().GetStartLine()) + assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].Metadata.Range().GetEndLine()) assert.Equal(t, 64, network.Subnetworks[0].Metadata.Range().GetStartLine()) assert.Equal(t, 72, network.Subnetworks[0].Metadata.Range().GetEndLine()) diff --git a/pkg/iac/adapters/terraform/google/compute/networks.go b/pkg/iac/adapters/terraform/google/compute/networks.go index ea3c9cb97a5f..5ea8753d1f7f 100644 --- a/pkg/iac/adapters/terraform/google/compute/networks.go +++ b/pkg/iac/adapters/terraform/google/compute/networks.go @@ -105,44 +105,51 @@ func adaptNetworks(modules terraform.Modules) (networks []compute.Network) { return networks } -func expandRange(ports string, attr *terraform.Attribute) []iacTypes.IntValue { +func expandRange(ports string, meta iacTypes.Metadata) (compute.PortRange, bool) { ports = strings.ReplaceAll(ports, " ", "") if !strings.Contains(ports, "-") { i, err := strconv.Atoi(ports) if err != nil { - return nil - } - return []iacTypes.IntValue{ - iacTypes.Int(i, attr.GetMetadata()), + return compute.PortRange{}, false } + return compute.PortRange{ + Metadata: meta, + Start: iacTypes.Int(i, meta), + End: iacTypes.Int(i, meta), + }, true } parts := strings.Split(ports, "-") if len(parts) != 2 { - return nil + return compute.PortRange{}, false } start, err := strconv.Atoi(parts[0]) if err != nil { - return nil + return compute.PortRange{}, false } end, err := strconv.Atoi(parts[1]) if err != nil { - return nil - } - var output []iacTypes.IntValue - for i := start; i <= end; i++ { - output = append(output, iacTypes.Int(i, attr.GetMetadata())) + return compute.PortRange{}, false } - return output + + return compute.PortRange{ + Metadata: meta, + Start: iacTypes.Int(start, meta), + End: iacTypes.Int(end, meta), + }, true } func adaptFirewallRule(firewall *compute.Firewall, firewallBlock, ruleBlock *terraform.Block, allow bool) { protocolAttr := ruleBlock.GetAttribute("protocol") portsAttr := ruleBlock.GetAttribute("ports") - var ports []iacTypes.IntValue + var rngs []compute.PortRange rawPorts := portsAttr.AsStringValues() for _, portStr := range rawPorts { - ports = append(ports, expandRange(portStr.Value(), portsAttr)...) + rng, ok := expandRange(portStr.Value(), portsAttr.GetMetadata()) + if !ok { + continue + } + rngs = append(rngs, rng) } // ingress by default @@ -153,7 +160,7 @@ func adaptFirewallRule(firewall *compute.Firewall, firewallBlock, ruleBlock *ter Enforced: iacTypes.BoolDefault(true, firewallBlock.GetMetadata()), IsAllow: iacTypes.Bool(allow, ruleBlock.GetMetadata()), Protocol: protocolAttr.AsStringValueOrDefault("tcp", ruleBlock), - Ports: ports, + Ports: rngs, } disabledAttr := firewallBlock.GetAttribute("disabled") diff --git a/pkg/iac/adapters/terraform/google/compute/networks_test.go b/pkg/iac/adapters/terraform/google/compute/networks_test.go index 32ad00bc5334..df1cef261e7d 100644 --- a/pkg/iac/adapters/terraform/google/compute/networks_test.go +++ b/pkg/iac/adapters/terraform/google/compute/networks_test.go @@ -39,7 +39,7 @@ func Test_adaptNetworks(t *testing.T) { source_ranges = ["1.2.3.4/32"] allow { protocol = "icmp" - ports = ["80", "8080"] + ports = ["80", "8080", "9090-9095"] } } `, @@ -57,9 +57,19 @@ func Test_adaptNetworks(t *testing.T) { IsAllow: iacTypes.Bool(true, iacTypes.NewTestMetadata()), Protocol: iacTypes.String("icmp", iacTypes.NewTestMetadata()), Enforced: iacTypes.Bool(true, iacTypes.NewTestMetadata()), - Ports: []iacTypes.IntValue{ - iacTypes.Int(80, iacTypes.NewTestMetadata()), - iacTypes.Int(8080, iacTypes.NewTestMetadata()), + Ports: []compute.PortRange{ + { + Start: iacTypes.IntTest(80), + End: iacTypes.IntTest(80), + }, + { + Start: iacTypes.IntTest(8080), + End: iacTypes.IntTest(8080), + }, + { + Start: iacTypes.IntTest(9090), + End: iacTypes.IntTest(9095), + }, }, }, SourceRanges: []iacTypes.StringValue{ diff --git a/pkg/iac/providers/google/compute/firewall.go b/pkg/iac/providers/google/compute/firewall.go index c122369d9954..19f4044cdb72 100755 --- a/pkg/iac/providers/google/compute/firewall.go +++ b/pkg/iac/providers/google/compute/firewall.go @@ -18,7 +18,13 @@ type FirewallRule struct { Enforced iacTypes.BoolValue IsAllow iacTypes.BoolValue Protocol iacTypes.StringValue - Ports []iacTypes.IntValue + Ports []PortRange +} + +type PortRange struct { + Metadata iacTypes.Metadata + Start iacTypes.IntValue + End iacTypes.IntValue } type IngressRule struct { diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json index 530ba5bfaa1f..b034f24fa104 100644 --- a/pkg/iac/rego/schemas/cloud.json +++ b/pkg/iac/rego/schemas/cloud.json @@ -1615,10 +1615,18 @@ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue" } }, + "fromport": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" + }, "protocol": { "type": "object", "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue" }, + "toport": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" + }, "type": { "type": "object", "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue" @@ -1677,6 +1685,18 @@ "description": { "type": "object", "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue" + }, + "fromport": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" + }, + "protocol": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue" + }, + "toport": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" } } }, @@ -6086,7 +6106,7 @@ "type": "array", "items": { "type": "object", - "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.providers.google.compute.PortRange" } }, "protocol": { @@ -6218,6 +6238,23 @@ } } }, + "github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.providers.google.compute.PortRange": { + "type": "object", + "properties": { + "__defsec_metadata": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.Metadata" + }, + "end": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" + }, + "start": { + "type": "object", + "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.IntValue" + } + } + }, "github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.providers.google.compute.ProjectMetadata": { "type": "object", "properties": {