fix(query): adjusted severity rating and added searchLine in rbac_wildcard_in_rule k8s rule (Checkmarx#5264)

* fix(query): adjusted severity rating and added searchLine in rbac_wildcard_in_rule k8s rule

* updated severity to HIGH
Churro authored May 9, 2022
1 parent 6f5c8c8 commit 5a85316
Showing 3 changed files with 38 additions and 73 deletions.
4 changes: 2 additions & 2 deletions assets/queries/k8s/rbac_wildcard_in_rule/metadata.json
@@ -1,9 +1,9 @@
{
"id": "6b896afb-ca07-467a-b256-1a0077a1c08e",
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"severity": "HIGH",
"category": "Access Control",
"descriptionText": "Kubernetes Roles and ClusterRoles should not use wildcards in rules (objects or actions)",
"descriptionText": "Roles and ClusterRoles with wildcard RBAC permissions provide excessive rights to the Kubernetes API and should be avoided. The principle of least privilege recommends to specify only the set of needed objects and actions",
"descriptionUrl": "https://kubernetes.io/docs/reference/access-authn-authz/rbac/",
"platform": "Kubernetes",
"descriptionID": "ccf4e279"
55 changes: 10 additions & 45 deletions assets/queries/k8s/rbac_wildcard_in_rule/query.rego
@@ -1,60 +1,25 @@
package Cx

import data.generic.k8s as k8s
import data.generic.common as common_lib

CxPolicy[result] {
document := input.document[i]
metadata := document.metadata
kind := document.kind
listKinds := ["Role", "ClusterRole"]
k8s.checkKind(kind, listKinds)
metadata.name
notExpectedKey := "*"
document.rules[r].apiGroups[j] == notExpectedKey

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].apiGroups shouldn't contain value: '%s'", [metadata.name, r, notExpectedKey]),
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].apiGroups contains value: '%s'", [metadata.name, r, notExpectedKey]),
}
}
kinds := {"Role", "ClusterRole"}
document.kind == kinds[_]

CxPolicy[result] {
document := input.document[i]
metadata := document.metadata
kind := document.kind
listKinds := ["Role", "ClusterRole"]
k8s.checkKind(kind, listKinds)
metadata.name
notExpectedKey := "*"
document.rules[r].resources[j] == notExpectedKey
attr := {"apiGroups", "resources", "verbs"}
common_lib.valid_key(document.rules[j], attr[k])

result := {
"documentId": input.document[i].id,
"searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].resources shouldn't contain value: '%s'", [metadata.name, r, notExpectedKey]),
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].resources contains value: '%s'", [metadata.name, r, notExpectedKey]),
}
}

CxPolicy[result] {
document := input.document[i]
metadata := document.metadata
kind := document.kind
listKinds := ["Role", "ClusterRole"]
k8s.checkKind(kind, listKinds)
metadata.name
notExpectedKey := "*"
document.rules[r].verbs[j] == notExpectedKey
document.rules[j][k][_] == "*"

result := {
"documentId": input.document[i].id,
"documentId": document.id,
"searchKey": sprintf("metadata.name={{%s}}.rules", [metadata.name]),
"issueType": "IncorrectValue",
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].verbs shouldn't contain value: '%s'", [metadata.name, r, notExpectedKey]),
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].verbs contains value: '%s'", [metadata.name, r, notExpectedKey]),
"keyExpectedValue": sprintf("metadata.name={{%s}}.rules[%d].%s should list the minimal set of needed objects or actions", [metadata.name, j, k]),
"keyActualValue": sprintf("metadata.name={{%s}}.rules[%d].%s uses wildcards to specify objects or actions", [metadata.name, j, k]),
"searchLine": common_lib.build_search_line(["rules", j], [k])
}
}
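Review bot: The wildcard test at `document.rules[j][k][_] == "*"` only fires on an entry that is exactly `*`, so a resources list such as `["*/scale"]` (a form Kubernetes RBAC accepts to mean that subresource on every resource, if I recall the matcher correctly) still passes the query without a finding. Binding the entry first, `entry := document.rules[j][k][_]` and then accepting either `entry == "*"` or `startswith(entry, "*/")`, would close that gap; alternatively the metadata should state that only the bare `*` is detected. On the new side I see no remaining call into `k8s`, so `import data.generic.k8s as k8s` looks unused after this rewrite and could be dropped. The explicit `metadata.name` check from the old bodies is gone; that is harmless because the `sprintf` calls are undefined without a name, but a comment such as `# metadata.name is required by the searchKey below` would make the dependency visible.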
@@ -1,37 +1,37 @@
[
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 6
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 6
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 17
"severity": "HIGH",
"line": 7
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 17
"severity": "HIGH",
"line": 9
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 17
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 27
"severity": "HIGH",
"line": 18
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "LOW",
"line": 27
}
{
"queryName": "RBAC Wildcard In Rule",
"severity": "HIGH",
"line": 19
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "HIGH",
"line": 20
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "HIGH",
"line": 29
},
{
"queryName": "RBAC Wildcard In Rule",
"severity": "HIGH",
"line": 31
}
]

0 comments on commit 5a85316

Please sign in to comment.