Merge pull request #7030 from Checkmarx/fix-storageblob-query

fix(query): added missing case to storage blob query
Checkmarx · May 3, 2024 · 61c6bd9 · 61c6bd9
2 parents 9ba017f + c39a918
commit 61c6bd9
Show file tree

Hide file tree

Showing 3 changed files with 140 additions and 0 deletions.
diff --git a/...queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego b/...queries/azureResourceManager/storage_blob_service_container_with_public_access/query.rego
@@ -73,3 +73,32 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(childPath, ["properties", "publicAccess"]),
 	}
 }
+
+
+
+CxPolicy[result] {
+	doc := input.document[i]
+
+	[path, value] = walk(doc)
+	value.type == "Microsoft.Storage/storageAccounts"
+
+	[childPath, childValue] := walk(value.resources)
+	childValue.type == "blobServices"
+
+	[subchildPath, subchildValue] := walk(childValue.resources)
+	subchildValue.type == "containers"
+
+	[val, val_type] := arm_lib.getDefaultValueFromParametersIfPresent(doc, subchildValue.properties.publicAccess)
+	val == publicOptions[o]
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": value.type,
+		"resourceName": value.name,
+        "searchKey": sprintf("%s.name=%s.resources.name=%s.resources.name=%s.properties.publicAccess", [common_lib.concat_path(path), value.name, childValue.name, subchildValue.name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("resource with type 'containers' shouldn't have 'publicAccess' %s set to 'Container' or 'Blob'", [val_type]),
+		"keyActualValue": sprintf("resource with type 'containers' has 'publicAccess' property set to '%s'", [publicOptions[o]]),
+		"searchLine": common_lib.build_search_line(path, ["resources", childPath[0], "resources", subchildPath[0], "properties", "publicAccess"]),
+	}
+}
diff --git a/...zureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json b/...zureResourceManager/storage_blob_service_container_with_public_access/test/positive7.json
@@ -0,0 +1,105 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "existingVNETName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the virtual network to use for cloud shell containers."
+      }
+    },
+    "existingStorageSubnetName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the subnet to use for storage account."
+      }
+    },
+    "existingContainerSubnetName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the subnet to use for cloud shell containers."
+      }
+    },
+    "storageAccountName": {
+      "type": "string",
+      "metadata": {
+        "description": "Name of the storage account in subnet."
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    }
+  },
+  "variables": {
+    "containerSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingContainerSubnetName'))]",
+    "storageSubnetRef": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('existingVNETName'), parameters('existingStorageSubnetName'))]"
+  },
+  "resources": [
+    {
+      "type": "Microsoft.Storage/storageAccounts",
+      "apiVersion": "2019-06-01",
+      "name": "[parameters('storageAccountName')]",
+      "location": "[parameters('location')]",
+      "sku": {
+        "name": "Standard_LRS",
+        "tier": "Standard"
+      },
+      "kind": "StorageV2",
+      "properties": {
+        "networkAcls": {
+          "defaultAction": "Deny"
+        },
+        "supportsHttpsTrafficOnly": true,
+        "encryption": {
+          "services": {
+            "file": {
+              "keyType": "Account",
+              "enabled": true
+            },
+            "blob": {
+              "keyType": "Account",
+              "enabled": true
+            }
+          },
+          "keySource": "Microsoft.Storage"
+        },
+        "accessTier": "Cool"
+      },
+      "resources": [
+        {
+          "type": "blobServices",
+          "apiVersion": "2019-06-01",
+          "name": "[concat(parameters('storageAccountName'), '/default')]",
+          "dependsOn": [
+            "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
+          ],
+          "sku": {
+            "name": "Standard_LRS",
+            "tier": "Standard"
+          },
+          "properties": {
+            "deleteRetentionPolicy": {
+              "enabled": false
+            }
+          },
+          "resources": [
+            {
+              "type": "containers",
+              "apiVersion": "2019-06-01",
+              "name": "container",
+              "properties": {
+                "denyEncryptionScopeOverride": true,
+                "publicAccess": "Blob",
+                "metadata": {}
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/...ager/storage_blob_service_container_with_public_access/test/positive_expected_result.json b/...ager/storage_blob_service_container_with_public_access/test/positive_expected_result.json
@@ -34,5 +34,11 @@
     "severity": "HIGH",
     "line": 52,
     "fileName": "positive6.json"
+  },
+  {
+    "queryName": "Storage Blob Service Container With Public Access",
+    "severity": "HIGH",
+    "line": 96,
+    "fileName": "positive7.json"
   }
 ]