feat(query): Added Passwords And Secrets In URL common query #2785 (#…

…3459)

Signed-off-by: João Reigota <[email protected]>

assets/queries/common/passwords_and_secrets_in_url/metadata.json

@@ -0,0 +1,9 @@
+{
+  "id": "c09239d5-29d3-4dca-b829-f5553e6c0578",
+  "queryName": "Passwords And Secrets In URL",
+  "severity": "HIGH",
+  "category": "Secret Management",
+  "descriptionText": "Query to find passwords and secrets in URL",
+  "descriptionUrl": "https://kics.io/",
+  "platform": "Common"
+}

assets/queries/common/passwords_and_secrets_in_url/query.rego

@@ -0,0 +1,82 @@
+package Cx
+
+import data.generic.common as commonLib
+
+# search for harcoded secrets by looking for their values with a special chars and length
+CxPolicy[result] {
+	docs := input.document[_]
+
+	[path, value] = walk(docs)
+	is_string(value)
+	checkObjects := prepare_object(path[minus(count(path), 1)], value)
+	checkObject := checkObjects[_]
+	check_vulnerability(checkObject)
+	allPath := [x | merge_path(path[i]) != ""; x := merge_path(path[i])]
+	result := {
+		"documentId": docs.id,
+		"searchKey": resolve_path(checkObject, allPath, value),
+		"issueType": "RedundantAttribute",
+		"keyExpectedValue": "Hardcoded secret key should not appear in source",
+		"keyActualValue": value,
+	}
+}
+
+merge_path(pathItem) = item {
+	not is_string(pathItem)
+	item := ""
+} else = item {
+	clearParse := ["playbooks", "tasks", "command", "original"]
+	commonLib.equalsOrInArray(clearParse, lower(pathItem))
+	item := ""
+} else = item {
+	contains(pathItem, ".")
+	item := sprintf("{{%s}}", [pathItem])
+} else = item {
+	item := pathItem
+}
+
+resolve_path(obj, path, value) = resolved {
+	obj.id != ""
+	resolved := sprintf("FROM=%s.{{%s}}", [concat(".", path), obj.id])
+} else = resolved {
+	resolved := sprintf("%s=%s", [concat(".", path), value])
+}
+
+prepare_object(key, value) = obj {
+	#dockerfile
+	key == "Original"
+	args := split(value, " ")
+	obj := [x | x := create_docker_object(args[_], value)]
+} else = obj {
+	obj := [{
+		"key": key,
+		"value": value,
+		"id": "",
+	}]
+}
+
+create_docker_object(value, original) = obj {
+	contains(value, "=")
+	splitted := split(value, "=")
+	count(splitted) > 1
+	k := splitted[0]
+	is_string(k)
+	v := concat("", array.slice(splitted, 1, count(splitted)))
+	obj := {
+		"key": k,
+		"value": replace(v, "\"", ""),
+		"id": original,
+	}
+}
+
+check_vulnerability(correctStrings) {
+	# password in url
+	count(regex.find_n("^[a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s]*", correctStrings.value, -1)) > 0
+	true
+} else {
+	# slack webhook
+	count(regex.find_n("^https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}", correctStrings.value, -1)) > 0
+} else {
+	# teams webhook
+	count(regex.find_n("^https://[a-zA-Z0-9_]{1,24}\\.webhook\\.office\\.com/webhookb2/[a-zA-Z0-9-]+(@[a-zA-Z0-9-]+)?/IncomingWebhook/[a-zA-Z0-9]+/[a-zA-Z0-9-]+", correctStrings.value, -1)) > 0
+}

assets/queries/common/passwords_and_secrets_in_url/test/negative1.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ClusterIssuer
+metadata:
+  name: checkmarx
+  namespace: cx
+spec:
+  acme:
+    server: https://check-v02.api.cx.org/directory
+    privateKeySecretRef:
+      name: cx-prod-site
+    solvers:
+      - http01:
+          ingress:
+            class: nginx

assets/queries/common/passwords_and_secrets_in_url/test/negative2.yaml

@@ -0,0 +1,9 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  myStackWithParams:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://s3.amazonaws.com/cloudformation-templates-us-east-2/EC2ChooseAMI.template
+      Parameters:
+        InstanceType: t1.micro
+        KeyName: mykey

assets/queries/common/passwords_and_secrets_in_url/test/negative3.yaml

@@ -0,0 +1,5 @@
+- name: Download foo.conf
+  get_url:
+    url: http://example.com/path/file.conf
+    dest: /etc/foo.conf
+    mode: "0440"

assets/queries/common/passwords_and_secrets_in_url/test/negative4.tf

@@ -0,0 +1,26 @@
+data "http" "example" {
+  url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+data "http" "example_2" {
+  url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+data "http" "example_3" {
+  url = "https://checkpoint-api.hashicorp.com/v1/check/terraform"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
+}

assets/queries/common/passwords_and_secrets_in_url/test/negative5.dockerfile

@@ -0,0 +1,3 @@
+FROM baseImage
+
+RUN command

assets/queries/common/passwords_and_secrets_in_url/test/negative6.json

@@ -0,0 +1,14 @@
+{
+  "openapi": "3.0.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0"
+  },
+  "paths": {},
+  "servers": [
+    {
+      "url": "https://my.api.server.com/",
+      "description": "My API Server 1"
+    }
+  ]
+}

assets/queries/common/passwords_and_secrets_in_url/test/positive1.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ClusterIssuer
+metadata:
+  name: checkmarx
+  namespace: cx
+spec:
+  acme:
+    server: http://bob:[email protected]/some/path
+    privateKeySecretRef:
+      name: cx-prod-site
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+  acme_2:
+    server: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+    privateKeySecretRef:
+      name: cx-prod-site-2
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+  acme_3:
+    server: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+    privateKeySecretRef:
+      name: cx-prod-site-3
+    solvers:
+      - http01:
+          ingress:
+            class: nginx

assets/queries/common/passwords_and_secrets_in_url/test/positive2.yaml

@@ -0,0 +1,23 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:
+  myStackWithParams:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: http://bob:[email protected]/some/path
+      Parameters:
+        InstanceType: t1.micro
+        KeyName: mykey
+  myStackWithParams_1:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+      Parameters:
+        InstanceType: t1.micro
+        KeyName: mykey
+  myStackWithParams_2:
+    Type: AWS::CloudFormation::Stack
+    Properties:
+      TemplateURL: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+      Parameters:
+        InstanceType: t1.micro
+        KeyName: mykey

assets/queries/common/passwords_and_secrets_in_url/test/positive3.yaml

@@ -0,0 +1,17 @@
+- name: example
+  get_url:
+    url: http://bob:[email protected]/some/path
+    dest: /etc/foo.conf
+    mode: "0440"
+
+- name: example_2
+  get_url:
+    url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+    dest: /etc/foo.conf
+    mode: "0440"
+
+- name: example_3
+  get_url:
+    url: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+    dest: /etc/foo.conf
+    mode: "0440"

assets/queries/common/passwords_and_secrets_in_url/test/positive4.tf

@@ -0,0 +1,26 @@
+data "http" "example" {
+  url = "http://bob:[email protected]/some/path"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+data "http" "example_2" {
+  url = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
+}
+
+data "http" "example_3" {
+  url = "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18"
+
+  # Optional request headers
+  request_headers = {
+    Accept = "application/json"
+  }
+}

assets/queries/common/passwords_and_secrets_in_url/test/positive5.dockerfile

@@ -0,0 +1,4 @@
+FROM test2
+ARG url="http://bob:[email protected]/some/path"
+ARG url2="https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+ARG url3="https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18"

assets/queries/common/passwords_and_secrets_in_url/test/positive6.yaml

@@ -0,0 +1,12 @@
+openapi: 3.0.0
+info:
+  title: Simple API Overview
+  version: 1.0.0
+paths: {}
+servers:
+  - url: http://bob:[email protected]/some/path
+    description: My API Server 1
+  - url: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+    description: My API Server 2
+  - url: https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18
+    description: My API Server 3

assets/queries/common/passwords_and_secrets_in_url/test/positive7.json

@@ -0,0 +1,35 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "myStackWithParams": {
+      "Type": "AWS::CloudFormation::Stack",
+      "Properties": {
+        "TemplateURL": "http://bob:[email protected]/some/path",
+        "Parameters": {
+          "InstanceType": "t1.micro",
+          "KeyName": "mykey"
+        }
+      }
+    },
+    "myStackWithParams_1": {
+      "Type": "AWS::CloudFormation::Stack",
+      "Properties": {
+        "TemplateURL": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
+        "Parameters": {
+          "InstanceType": "t1.micro",
+          "KeyName": "mykey"
+        }
+      }
+    },
+    "myStackWithParams_2": {
+      "Type": "AWS::CloudFormation::Stack",
+      "Properties": {
+        "TemplateURL": "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18",
+        "Parameters": {
+          "InstanceType": "t1.micro",
+          "KeyName": "mykey"
+        }
+      }
+    }
+  }
+}

assets/queries/common/passwords_and_secrets_in_url/test/positive8.json

@@ -0,0 +1,22 @@
+{
+  "openapi": "3.0.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0"
+  },
+  "paths": {},
+  "servers": [
+    {
+      "url": "http://bob:[email protected]/some/path",
+      "description": "My API Server 1"
+    },
+    {
+      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
+      "description": "My API Server 2"
+    },
+    {
+      "url": "https://team_name.webhook.office.com/webhookb2/7aa49aa6-7840-443d-806c-08ebe8f59966@c662313f-14fc-43a2-9a7a-d2e27f4f3478/IncomingWebhook/8592f62b50cf41b9b93ba0c0a00a0b88/eff4cd58-1bb8-4899-94de-795f656b4a18",
+      "description": "My API Server 3"
+    }
+  ]
+}