…3459) Signed-off-by: João Reigota <[email protected]>
1 parent
9748012
commit cf7fc9d
Showing
17 changed files
with
477 additions
and
0 deletions.
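--- a/assets/queries/common/passwords_and_secrets_in_url/metadata.json
+++ b/assets/queries/common/passwords_and_secrets_in_url/metadata.json
@@ -0,0 +1,9 @@
+{
+"id": "c09239d5-29d3-4dca-b829-f5553e6c0578",
+"queryName": "Passwords And Secrets In URL",
+"severity": "HIGH",
+"category": "Secret Management",
+"descriptionText": "Query to find passwords and secrets in URL",
+"descriptionUrl": "https://kics.io/",
+"platform": "Common"
+}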
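--- a/assets/queries/common/passwords_and_secrets_in_url/query.rego
+++ b/assets/queries/common/passwords_and_secrets_in_url/query.rego
@@ -0,0 +1,82 @@
+package Cx
+
+import data.generic.common as commonLib
+
+# search for harcoded secrets by looking for their values with a special chars and length
+CxPolicy[result] {
+docs := input.document[_]
+
+[path, value] = walk(docs)
+is_string(value)
+checkObjects := prepare_object(path[minus(count(path), 1)], value)
+checkObject := checkObjects[_]
+check_vulnerability(checkObject)
+allPath := [x | merge_path(path[i]) != ""; x := merge_path(path[i])]
+result := {
+"documentId": docs.id,
+"searchKey": resolve_path(checkObject, allPath, value),
+"issueType": "RedundantAttribute",
+"keyExpectedValue": "Hardcoded secret key should not appear in source",
+"keyActualValue": value,
+}
+}
+
+merge_path(pathItem) = item {
+not is_string(pathItem)
+item := ""
+} else = item {
+clearParse := ["playbooks", "tasks", "command", "original"]
+commonLib.equalsOrInArray(clearParse, lower(pathItem))
+item := ""
+} else = item {
+contains(pathItem, ".")
+item := sprintf("{{%s}}", [pathItem])
+} else = item {
+item := pathItem
+}
+
+resolve_path(obj, path, value) = resolved {
+obj.id != ""
+resolved := sprintf("FROM=%s.{{%s}}", [concat(".", path), obj.id])
+} else = resolved {
+resolved := sprintf("%s=%s", [concat(".", path), value])
+}
+
+prepare_object(key, value) = obj {
+#dockerfile
+key == "Original"
+args := split(value, " ")
+obj := [x | x := create_docker_object(args[_], value)]
+} else = obj {
+obj := [{
+"key": key,
+"value": value,
+"id": "",
+}]
+}
+
+create_docker_object(value, original) = obj {
+contains(value, "=")
+splitted := split(value, "=")
+count(splitted) > 1
+k := splitted[0]
+is_string(k)
+v := concat("", array.slice(splitted, 1, count(splitted)))
+obj := {
+"key": k,
+"value": replace(v, "\"", ""),
+"id": original,
+}
+}
+
+check_vulnerability(correctStrings) {
+# password in url
+count(regex.find_n("^[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]*", correctStrings.value, -1)) > 0
+true
+} else {
+# slack webhook
+count(regex.find_n("^https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}", correctStrings.value, -1)) > 0
+} else {
+# teams webhook
+count(regex.find_n("^https://[a-zA-Z0-9_]{1,24}\\.webhook\\.office\\.com/webhookb2/[a-zA-Z0-9-]+(@[a-zA-Z0-9-]+)?/IncomingWebhook/[a-zA-Z0-9]+/[a-zA-Z0-9-]+", correctStrings.value, -1)) > 0
+}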
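Review bot: The finding copies the matched credential verbatim into the result twice — `resolve_path` builds `searchKey` as `path=value` and the result literal sets `"keyActualValue": value` — so the password or webhook token this query exists to catch is written into the scan report and any CI log that prints it. Mask the userinfo before it leaves the policy, e.g. `"keyActualValue": regex.replace(value, "://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@", "://***@"),`; if `searchKey` needs the raw value for line lookup elsewhere in KICS, keep it there but masking `keyActualValue` alone already keeps the secret out of the actual-value column. The first pattern in `check_vulnerability` also accepts templated placeholders such as `${DB_PASSWORD}` as the password segment, so interpolated URLs are reported as hardcoded; rejecting values that contain `${` or `{{` before matching would remove that false positive, and no negative fixture covers it. The bare `true` after the first regex check is a no-op, and the header comment ("harcoded secrets ... special chars and length") is inherited from the generic secrets query; a comment naming this query's three patterns (URL userinfo, Slack webhook, Teams webhook) would describe the file better.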
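--- a/assets/queries/common/passwords_and_secrets_in_url/test/negative1.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/negative1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ClusterIssuer
+metadata:
+name: checkmarx
+namespace: cx
+spec:
+acme:
+server: https://check-v02.api.cx.org/directory
+privateKeySecretRef:
+name: cx-prod-site
+solvers:
+- http01:
+ingress:
+class: nginx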
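--- a/assets/queries/common/passwords_and_secrets_in_url/test/negative2.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/negative2.yaml
@@ -0,0 +1,9 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+myStackWithParams:
+Type: AWS::CloudFormation::Stack
+Properties:
+TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template
+Parameters:
+InstanceType: t1.micro
+KeyName: mykey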
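--- a/assets/queries/common/passwords_and_secrets_in_url/test/negative3.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/negative3.yaml
@@ -0,0 +1,5 @@
+- name: Download foo.conf
+get_url:
+url: http://example.com/path/file.conf
+dest: /etc/foo.conf
+mode: "0440"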
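--- a/assets/queries/common/passwords_and_secrets_in_url/test/negative4.tf
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/negative4.tf
@@ -0,0 +1,26 @@
+data "http" "example" {
+url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+# Optional request headers
+request_headers = {
+Accept = "application/json"
+}
+}
+
+data "http" "example_2" {
+url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+# Optional request headers
+request_headers = {
+Accept = "application/json"
+}
+}
+
+data "http" "example_3" {
+url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+# Optional request headers
+request_headers = {
+Accept = "application/json"
+}
+}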
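--- a/assets/queries/common/passwords_and_secrets_in_url/test/negative5.dockerfile
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/negative5.dockerfile
@@ -0,0 +1,3 @@
+FROM baseImage
+
+RUN command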
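--- a/assets/queries/common/passwords_and_secrets_in_url/test/negative6.json
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/negative6.json
@@ -0,0 +1,14 @@
+{
+"openapi": "3.0.0",
+"info": {
+"title": "Simple API Overview",
+"version": "1.0.0"
+},
+"paths": {},
+"servers": [
+{
+"url": "https://my.api.server.com/",
+"description": "My API Server 1"
+}
+]
+}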
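--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive1.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ClusterIssuer
+metadata:
+name: checkmarx
+namespace: cx
+spec:
+acme:
+server: http://bob:[email protected]/some/path
+privateKeySecretRef:
+name: cx-prod-site
+solvers:
+- http01:
+ingress:
+class: nginx
+acme_2:
+server: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+privateKeySecretRef:
+name: cx-prod-site-2
+solvers:
+- http01:
+ingress:
+class: nginx
+acme_3:
+server: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+privateKeySecretRef:
+name: cx-prod-site-3
+solvers:
+- http01:
+ingress:
+class: nginx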
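--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive2.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive2.yaml
@@ -0,0 +1,23 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+myStackWithParams:
+Type: AWS::CloudFormation::Stack
+Properties:
+TemplateURL: http://bob:[email protected]/some/path
+Parameters:
+InstanceType: t1.micro
+KeyName: mykey
+myStackWithParams_1:
+Type: AWS::CloudFormation::Stack
+Properties:
+TemplateURL: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+Parameters:
+InstanceType: t1.micro
+KeyName: mykey
+myStackWithParams_2:
+Type: AWS::CloudFormation::Stack
+Properties:
+TemplateURL: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+Parameters:
+InstanceType: t1.micro
+KeyName: mykey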
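--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive3.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive3.yaml
@@ -0,0 +1,17 @@
+- name: example
+get_url:
+url: http://bob:[email protected]/some/path
+dest: /etc/foo.conf
+mode: "0440"
+
+- name: example_2
+get_url:
+url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+dest: /etc/foo.conf
+mode: "0440"
+
+- name: example_3
+get_url:
+url: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+dest: /etc/foo.conf
+mode: "0440"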
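--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive4.tf
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive4.tf
@@ -0,0 +1,26 @@
+data "http" "example" {
+url = "http://bob:[email protected]/some/path"
+
+# Optional request headers
+request_headers = {
+Accept = "application/json"
+}
+}
+
+data "http" "example_2" {
+url = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+
+# Optional request headers
+request_headers = {
+Accept = "application/json"
+}
+}
+
+data "http" "example_3" {
+url = "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18"
+
+# Optional request headers
+request_headers = {
+Accept = "application/json"
+}
+}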
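--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive5.dockerfile
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive5.dockerfile
@@ -0,0 +1,4 @@
+FROM test2
+ARG url="http://bob:[email protected]/some/path"
+ARG url2="https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+ARG url3="https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18"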
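--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive6.yaml
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive6.yaml
@@ -0,0 +1,12 @@
+openapi: 3.0.0
+info:
+title: Simple API Overview
+version: 1.0.0
+paths: {}
+servers:
+- url: http://bob:[email protected]/some/path
+description: My API Server 1
+- url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+description: My API Server 2
+- url: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+description: My API Server 3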
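--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive7.json
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive7.json
@@ -0,0 +1,35 @@
+{
+"AWSTemplateFormatVersion": "2010-09-09",
+"Resources": {
+"myStackWithParams": {
+"Type": "AWS::CloudFormation::Stack",
+"Properties": {
+"TemplateURL": "http://bob:[email protected]/some/path",
+"Parameters": {
+"InstanceType": "t1.micro",
+"KeyName": "mykey"
+}
+}
+},
+"myStackWithParams_1": {
+"Type": "AWS::CloudFormation::Stack",
+"Properties": {
+"TemplateURL": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
+"Parameters": {
+"InstanceType": "t1.micro",
+"KeyName": "mykey"
+}
+}
+},
+"myStackWithParams_2": {
+"Type": "AWS::CloudFormation::Stack",
+"Properties": {
+"TemplateURL": "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18",
+"Parameters": {
+"InstanceType": "t1.micro",
+"KeyName": "mykey"
+}
+}
+}
+}
+}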
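--- a/assets/queries/common/passwords_and_secrets_in_url/test/positive8.json
+++ b/assets/queries/common/passwords_and_secrets_in_url/test/positive8.json
@@ -0,0 +1,22 @@
+{
+"openapi": "3.0.0",
+"info": {
+"title": "Simple API Overview",
+"version": "1.0.0"
+},
+"paths": {},
+"servers": [
+{
+"url": "http://bob:[email protected]/some/path",
+"description": "My API Server 1"
+},
+{
+"url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
+"description": "My API Server 2"
+},
+{
+"url": "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18",
+"description": "My API Server 3"
+}
+]
+}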