From 8a4f87ed54ce5ec9ef72a6100b1aa055a3903a19 Mon Sep 17 00:00:00 2001
From: Tohar Braun
Date: Wed, 26 Jul 2023 15:52:17 +0300
Subject: [PATCH 1/3] Support GCP IAM policy members as lists

---
 .../query.rego | 18 ++++++++++++++++++
 .../test/positive3.tf | 15 +++++++++++++++
 .../test/positive_expected_result.json | 6 ++++++
 3 files changed, 39 insertions(+)
 create mode 100644 assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive3.tf

diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
index 1cd89fcde30..a8949247051 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
@@ -21,6 +21,24 @@ CxPolicy[result] {
 }
 }
 
+CxPolicy[result] {
+ resource := input.document[i].data.google_iam_policy[name]
+
+ tf_lib.check_member(resource.binding[x], "serviceAccount:")
+ has_improperly_privileges(resource.binding[x].role)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "google_iam_policy",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": sprintf("google_iam_policy[%s].binding[%s].role", [name, format_int(x, 10)]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("google_iam_policy[%s].binding[%s].role should not have admin, editor, owner, or write privileges for service account member", [name, format_int(x, 10)]),
+ "keyActualValue": sprintf("google_iam_policy[%s].binding[%s].role has admin, editor, owner, or write privilege for service account member", [name, format_int(x, 10)]),
+ "searchLine": common_lib.build_search_line(["resource", "google_iam_policy", name, "binding", x, "role"], []),
+ }
+}
+
 CxPolicy[result] {
 resources := {"google_project_iam_binding", "google_project_iam_member"}
 resource := input.document[i].resource[resources[idx]][name]
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive3.tf b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive3.tf
new file mode 100644
index 00000000000..13d5a4b5123
--- /dev/null
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive3.tf
@@ -0,0 +1,15 @@
+data "google_iam_policy" "admin" {
+ binding {
+ role = "roles/compute.imageUser"
+
+ members = [
+ "serviceAccount:jane@example.com",
+ ]
+ }
+ binding {
+ role = "roles/owner"
+ members = [
+ "serviceAccount:john@example.com",
+ ]
+ }
+}
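Review bot: The new `google_iam_policy` rule is pinned only by positive fixtures — the diffstat adds positive3.tf and an expected-result entry but no `negative*.tf`, so nothing checks that a `data "google_iam_policy"` binding with an owner or editor role whose `members` list holds only non-`serviceAccount:` identities (for example a `user:` entry) stays unflagged, which is exactly the boundary the `tf_lib.check_member(resource.binding[x], "serviceAccount:")` guard exists for. A negative fixture with such a binding would pin that. Whether `check_member` handles both a single `member` string and a `members` list is not visible here; since this data source expresses its members as a list (as the fixture shows), a one-line comment such as `# google_iam_policy bindings carry a members list, so check_member must match any element` would record the assumption for the next reader. Note also that a `google_iam_policy` data source only renders policy data and grants nothing until it is attached through a `*_iam_policy` resource, so this rule will also flag bindings that are never applied — acceptable for a static check, but worth stating in the query description.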
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
index 98858ac39b5..f429862f4fe 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
@@ -16,5 +16,11 @@
 "severity": "MEDIUM",
 "line": 18,
 "fileName": "positive2.tf"
+ },
+ {
+ "queryName": "Service Account with Improper Privileges",
+ "severity": "MEDIUM",
+ "line": 1,
+ "fileName": "positive3.tf"
 }
 ]

From bcd4e15ac01fb5761ed20a5a8d690cc841c836ea Mon Sep 17 00:00:00 2001
From: Tohar Braun
Date: Mon, 31 Jul 2023 20:08:11 +0300
Subject: [PATCH 2/3] Support GCP IAM policy members as lists

---
 .../gcp/service_account_with_improper_privileges/query.rego | 2 +-
 .../test/positive_expected_result.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
index a8949247051..df01758fa55 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/query.rego
@@ -35,7 +35,7 @@ CxPolicy[result] {
 "issueType": "IncorrectValue",
 "keyExpectedValue": sprintf("google_iam_policy[%s].binding[%s].role should not have admin, editor, owner, or write privileges for service account member", [name, format_int(x, 10)]),
 "keyActualValue": sprintf("google_iam_policy[%s].binding[%s].role has admin, editor, owner, or write privilege for service account member", [name, format_int(x, 10)]),
- "searchLine": common_lib.build_search_line(["resource", "google_iam_policy", name, "binding", x, "role"], []),
+ "searchLine": common_lib.build_search_line(["data", "google_iam_policy", name, "binding", x, "role"], []),
 }
 }
 
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
index f429862f4fe..dba6ff0ebbf 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
@@ -20,7 +20,7 @@
 {
 "queryName": "Service Account with Improper Privileges",
 "severity": "MEDIUM",
- "line": 1,
+ "line": 10,
 "fileName": "positive3.tf"
 }
 ]

From f5da4f7d3ea782640a9a1b92d2433bd903e28371 Mon Sep 17 00:00:00 2001
From: Tohar Braun
Date: Tue, 29 Aug 2023 14:15:35 +0300
Subject: [PATCH 3/3] add test for multiple vulnerabilities

---
 .../test/positive4.tf | 14 ++++++++++++++
 .../test/positive_expected_result.json | 12 ++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive4.tf

diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive4.tf b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive4.tf
new file mode 100644
index 00000000000..de1e2f5ee57
--- /dev/null
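Review bot: The path root change to `"data"` is correct for this data source, but the sibling expected-result hunk moving positive3.tf's line from 1 to 10 suggests the patch-1 expectation was copied from scanner output while `searchLine` was still pointing at a non-existent `resource` path (line 1 looks like a block-start fallback when the lookup fails), so the test encoded the bug instead of catching it. Expected line numbers for new fixtures are worth deriving by hand from the `.tf` file so a wrong `build_search_line` path argument fails the test rather than being baked into it. The enclosing `CxPolicy[result]` rule begins above this hunk. A short comment on the changed line, such as `# google_iam_policy is a data source: the search path root is "data", not "resource"`, would stop the same slip being reintroduced when this rule is copied for another data source.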
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive4.tf
@@ -0,0 +1,14 @@
+data "google_iam_policy" "admin" {
+ binding {
+ role = "roles/admin"
+ members = [
+ "serviceAccount:your-custom-sa@your-project.iam.gserviceaccount.com",
+ ]
+ }
+ binding {
+ role = "roles/editor"
+ members = [
+ "serviceAccount:alice@gmail.com",
+ ]
+ }
+}
diff --git a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
index dba6ff0ebbf..e27bdc8039a 100644
--- a/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/service_account_with_improper_privileges/test/positive_expected_result.json
@@ -22,5 +22,17 @@
 "severity": "MEDIUM",
 "line": 10,
 "fileName": "positive3.tf"
+ },
+ {
+ "queryName": "Service Account with Improper Privileges",
+ "severity": "MEDIUM",
+ "line": 3,
+ "fileName": "positive4.tf"
+ },
+ {
+ "queryName": "Service Account with Improper Privileges",
+ "severity": "MEDIUM",
+ "line": 9,
+ "fileName": "positive4.tf"
 }
 ]
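Review bot: `roles/admin` on the first binding is not, as far as I know, a predefined GCP role (the basic roles are roles/viewer, roles/editor and roles/owner), so this fixture exercises only whatever name match `has_improperly_privileges` performs rather than a value a real policy would carry; a genuine admin role such as `roles/iam.serviceAccountAdmin` would keep the fixture representative while still hitting the admin check, assuming the helper matches on the admin fragment of the role name. The second binding's `serviceAccount:alice@gmail.com` is likewise not a service-account identity the provider would accept, although it does exercise the prefix check. The expected-result entries at lines 3 and 9 in the sibling JSON hunk do line up with the two `role` lines of this file.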