Merge branch 'master' into experimental-features
Showing
11 changed files
with
720 additions
and
0 deletions.
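--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/metadata.json
@@ -0,0 +1,12 @@
+{
+"id": "0e75052f-cc02-41b8-ac39-a78017527e95",
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"category": "Access Control",
+"descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
+"descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/partial-become/#problematic-code",
+"platform": "Ansible",
+"descriptionID": "11502e38",
+"cloudProvider": "common"
+}
+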
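--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/query.rego
@@ -0,0 +1,68 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as commonLib
+
+CxPolicy[result] {
+playbook := input.document[i].playbooks[_]
+playbook.become == false
+commonLib.valid_key(playbook, "become_user")
+
+result := {
+"documentId": input.document[i].id,
+"resourceType": "n/a",
+"resourceName": "n/a",
+"searchKey": "become",
+"issueType": "MissingAttribute",
+"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]),
+"keyActualValue": "'become' is set to 'false'",
+}
+}
+
+CxPolicy[result] {
+playbook := input.document[i].playbooks[_]
+not commonLib.valid_key(playbook, "become")
+commonLib.valid_key(playbook, "become_user")
+
+result := {
+"documentId": input.document[i].id,
+"resourceType": "n/a",
+"resourceName": "n/a",
+"searchKey": sprintf("become_user={{%s}}", [playbook.become_user]),
+"issueType": "MissingAttribute",
+"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [playbook.become_user]),
+"keyActualValue": "'become' is not defined",
+}
+}
+
+CxPolicy[result] {
+task := ansLib.tasks[id][t]
+task.become == false
+commonLib.valid_key(task, "become_user")
+
+result := {
+"documentId": id,
+"resourceType": "n/a",
+"resourceName": "n/a",
+"searchKey": sprintf("name={{%s}}.become_user={{%s}}.become", [task.name, task.become_user]),
+"issueType": "MissingAttribute",
+"keyExpectedValue": sprintf("'become' should be to 'true' in order to perform an action with %s", [task.become_user]),
+"keyActualValue": "'become' is set to 'false'",
+}
+}
+
+CxPolicy[result] {
+task := ansLib.tasks[id][t]
+not commonLib.valid_key(task, "become")
+commonLib.valid_key(task, "become_user")
+
+result := {
+"documentId": id,
+"resourceType": "n/a",
+"resourceName": "n/a",
+"searchKey": sprintf("name={{%s}}.become_user={{%s}}", [task.name, task.become_user]),
+"issueType": "MissingAttribute",
+"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]),
+"keyActualValue": "'become' is not defined",
+}
+}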
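Review bot: The `keyExpectedValue` of the third rule (task-level `task.become == false`) reads `'become' should be to 'true' in order to perform an action with %s`, dropping the "defined and set" wording the other three rules use; align it as `"keyExpectedValue": sprintf("'become' should be defined and set to 'true' in order to perform an action with %s", [task.become_user]),`. The two task-level rules only inspect the task's own keys, so unless `ansLib.tasks` folds in play- or block-level `become`, a task that sets just `become_user` under a play with `become: true` would be reported even though privilege escalation is inherited there; negative1.yaml in this commit has no such case, so adding one would pin the intended behaviour either way. As a point of style, the unused index `t` in `ansLib.tasks[id][t]` could be `_`, as the unpinned_package_version query in the same commit does.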
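--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/negative1.yaml
@@ -0,0 +1,17 @@
+---
+- hosts: localhost
+become_user: postgres
+become: true
+tasks:
+- name: some task
+ansible.builtin.command: whoamyou
+changed_when: false
+
+---
+- hosts: localhost
+tasks:
+- name: become from the same scope
+ansible.builtin.command: whoami
+become: true
+become_user: postgres
+changed_when: false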
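--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive1.yaml
@@ -0,0 +1,62 @@
+---
+- hosts: localhost
+name: become_user without become
+become_user: bar
+
+tasks:
+- name: Simple hello
+ansible.builtin.debug:
+msg: hello
+
+---
+- hosts: localhost
+name: become_user with become false
+become_user: root
+become: false
+
+tasks:
+- name: Simple hello
+ansible.builtin.debug:
+msg: hello
+
+---
+- hosts: localhost
+tasks:
+- name: become and become_user on different tasks
+block:
+- name: Sample become
+become: true
+ansible.builtin.command: ls .
+- name: Sample become_user
+become_user: foo
+ansible.builtin.command: ls .
+
+---
+- hosts: localhost
+tasks:
+- name: become false
+block:
+- name: Sample become
+become: true
+ansible.builtin.command: ls .
+- name: Sample become_user
+become_user: postgres
+become: false
+ansible.builtin.command: ls .
+
+---
+- hosts: localhost
+tasks:
+- name: become_user with become task as false
+ansible.builtin.command: whoami
+become_user: mongodb
+become: false
+changed_when: false
+
+---
+- hosts: localhost
+tasks:
+- name: become_user without become
+ansible.builtin.command: whoami
+become_user: mysql
+changed_when: false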
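--- a/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json
+++ b/assets/queries/ansible/general/privilege_escalation_using_become_plugin/test/positive_expected_result.json
@@ -0,0 +1,38 @@
+[
+{
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"line": 4,
+"fileName": "positive1.yaml"
+},
+{
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"line": 15,
+"fileName": "positive1.yaml"
+},
+{
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"line": 31,
+"fileName": "positive1.yaml"
+},
+{
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"line": 44,
+"fileName": "positive1.yaml"
+},
+{
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"line": 53,
+"fileName": "positive1.yaml"
+},
+{
+"queryName": "Privilege Escalation Using Become Plugin",
+"severity": "MEDIUM",
+"line": 61,
+"fileName": "positive1.yaml"
+}
+]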
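--- a/assets/queries/ansible/general/unpinned_package_version/metadata.json
+++ b/assets/queries/ansible/general/unpinned_package_version/metadata.json
@@ -0,0 +1,12 @@
+{
+"id": "c05e2c20-0a2c-4686-b1f8-5f0a5612d4e8",
+"queryName": "Unpinned Package Version",
+"severity": "LOW",
+"category": "Supply-Chain",
+"descriptionText": "Setting state to latest performs an update and installs additional packages possibly resulting in performance degradation or loss of service",
+"descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/package-latest/",
+"platform": "Ansible",
+"descriptionID": "43e877b3",
+"cloudProvider": "common"
+}
+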
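--- a/assets/queries/ansible/general/unpinned_package_version/query.rego
+++ b/assets/queries/ansible/general/unpinned_package_version/query.rego
@@ -0,0 +1,44 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+task := ansLib.tasks[id][_]
+package_installer := task[ansLib.installer_modules[m]]
+ansLib.checkState(package_installer)
+
+not common_lib.valid_key(package_installer, "version")
+not common_lib.valid_key(package_installer, "update_only")
+package_installer.state == "latest"
+
+result := {
+"documentId": id,
+"resourceType": ansLib.installer_modules[m],
+"resourceName": task.name,
+"searchKey": sprintf("name={{%s}}.{{%s}}.state", [task.name, ansLib.installer_modules[m]]),
+"issueType": "IncorrectValue",
+"keyExpectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'",
+"keyActualValue": "State's task is set to 'latest'",
+}
+}
+
+CxPolicy[result] {
+task := ansLib.tasks[id][_]
+package_installer := task[ansLib.installer_modules[m]]
+ansLib.checkState(package_installer)
+
+not common_lib.valid_key(package_installer, "version")
+package_installer.update_only == false
+package_installer.state == "latest"
+
+result := {
+"documentId": id,
+"resourceType": ansLib.installer_modules[m],
+"resourceName": task.name,
+"searchKey": sprintf("name={{%s}}.{{%s}}.state", [task.name, ansLib.installer_modules[m]]),
+"issueType": "IncorrectValue",
+"keyExpectedValue": "State's task when installing a package should not be defined as 'latest' or should have set 'update_only' to 'true'",
+"keyActualValue": "State's task is set to 'latest'",
+}
+}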
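Review bot: The two rules differ only in how `update_only` is excluded (`not common_lib.valid_key(package_installer, "update_only")` versus `package_installer.update_only == false`) and otherwise repeat the same result object; a single rule using `not package_installer.update_only == true` covers an absent key, `false` and any other non-true value, so the second rule can be dropped. `update_only` is a parameter of only some installer modules (yum/dnf expose it, apt does not) and the same holds for `version`, so for the remaining modules the rule reduces to `state == "latest"`; that looks intended but deserves a comment such as `# version/update_only exist only on some installer modules; for the others any state: latest is reported`. What `ansLib.checkState` filters is not visible in this hunk, so whether the explicit `package_installer.state == "latest"` comparison overlaps with it cannot be judged here.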