feat(query): support of Terraform modules for "S3 Bucket Allows Put …

…Action From All Principals" Checkmarx#4274
noamd-legit · Sep 27, 2021 · e9772dc · e9772dc
1 parent 8e45487
commit e9772dc
Show file tree

Hide file tree

Showing 8 changed files with 153 additions and 71 deletions.
diff --git a/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/query.rego b/assets/queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/query.rego
@@ -1,24 +1,48 @@
 package Cx
 
-import data.generic.common as commonLib
-import data.generic.terraform as terraLib
+import data.generic.common as common_lib
+import data.generic.terraform as terra_lib
+
+pl := {"aws_s3_bucket_policy", "aws_s3_bucket"}
 
 CxPolicy[result] {
-	pl := {"aws_s3_bucket_policy", "aws_s3_bucket"}
-	resource := input.document[i].resource[pl[r]][name]
+	resourceType := pl[r]
+	resource := input.document[i].resource[resourceType][name]
 
-	policy := commonLib.json_unmarshal(resource.policy)
-	statement := policy.Statement[_]
+	delete_action_from_all_principals(resource.policy)
 
-	statement.Effect == "Allow"
-	terraLib.anyPrincipal(statement)
-	commonLib.containsOrInArrayContains(statement.Action, "delete")
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("%s[%s].policy", [resourceType, name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s[%s].policy.Action is not a 'Delete' action", [resourceType, name]),
+		"keyActualValue": sprintf("%s[%s].policy.Action is a 'Delete' action", [resourceType, name]),
+		"searchLine": common_lib.build_search_line(["resource", resourceType, name, "policy"], []),
+	}
+}
+
+CxPolicy[result] {
+	module := input.document[i].module[name]
+	resourceType := pl[r]
+	keyToCheck := common_lib.get_module_equivalent_key("aws", module.source, resourceType, "policy")
+
+	delete_action_from_all_principals(module[keyToCheck])
 
 	result := {
 		"documentId": input.document[i].id,
-		"searchKey": sprintf("%s[%s].policy.Action", [pl[r], name]),
+		"searchKey": sprintf("module[%s].policy", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("%s[%s].policy.Action is not a 'Delete' action", [pl[r], name]),
-		"keyActualValue": sprintf("%s[%s].policy.Action is a 'Delete' action", [pl[r], name]),
+		"keyExpectedValue": "'policy.Statement.Action' is not a 'Delete' action",
+		"keyActualValue": "'policy.Statement.Action' is a 'Delete' action",
+		"searchLine": common_lib.build_search_line(["module", name, "policy"], []),
 	}
 }
+
+delete_action_from_all_principals(policyValue){
+	policy := common_lib.json_unmarshal(policyValue)
+	statement := policy.Statement[_]
+
+	statement.Effect == "Allow"
+	terra_lib.anyPrincipal(statement)
+	common_lib.containsOrInArrayContains(statement.Action, "delete")
+}
diff --git a/...tion_from_all_principals/test/negative.tf → ...ion_from_all_principals/test/negative1.tf b/...tion_from_all_principals/test/negative.tf → ...ion_from_all_principals/test/negative1.tf
@@ -1,8 +1,4 @@
-resource "aws_s3_bucket" "negative1" {
-  bucket = "my_tf_test_bucket"
-}
-
-resource "aws_s3_bucket_policy" "negative2" {
+resource "aws_s3_bucket_policy" "negative1" {
   bucket = aws_s3_bucket.b.id
 
   policy = <<POLICY
@@ -22,4 +18,4 @@ resource "aws_s3_bucket_policy" "negative2" {
   ]
 }
 POLICY
-}
+}
diff --git a/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/negative2.tf b/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/negative2.tf
@@ -0,0 +1,29 @@
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+  version = "3.7.0"
+
+  bucket = "my-s3-bucket"
+  acl    = "private"
+
+  versioning = {
+    enabled = true
+  }
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Deny",
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      }
+    }
+  ]
+}
+POLICY
+}
diff --git a/...queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive.tf b/...queries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive.tf
diff --git a/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive1.tf b/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive1.tf
@@ -0,0 +1,22 @@
+resource "aws_s3_bucket_policy" "positive1" {
+  bucket = aws_s3_bucket.b.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "s3:DeleteObject",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      }
+    }
+  ]
+}
+POLICY
+}
diff --git a/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive2.tf b/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive2.tf
@@ -0,0 +1,24 @@
+resource "aws_s3_bucket_policy" "positive2" {
+  bucket = aws_s3_bucket.b.id
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "*"
+      },
+      "Action": "s3:DeleteObject",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      }
+    }
+  ]
+}
+POLICY
+}
diff --git a/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive3.tf b/...ueries/terraform/aws/s3_bucket_allows_delete_action_from_all_principals/test/positive3.tf
@@ -0,0 +1,30 @@
+module "s3_bucket" {
+  source = "terraform-aws-modules/s3-bucket/aws"
+  version = "3.7.0"
+
+  bucket = "my-s3-bucket"
+  acl    = "private"
+
+  versioning = {
+    enabled = true
+  }
+
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Id": "MYBUCKETPOLICY",
+  "Statement": [
+    {
+      "Sid": "IPAllow",
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "s3:DeleteObject",
+      "Resource": "arn:aws:s3:::my_tf_test_bucket/*",
+      "Condition": {
+         "IpAddress": {"aws:SourceIp": "8.8.8.8/32"}
+      }
+    }
+  ]
+}
+POLICY
+}
diff --git a/...aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json b/...aws/s3_bucket_allows_delete_action_from_all_principals/test/positive_expected_result.json
@@ -2,11 +2,19 @@
   {
     "queryName": "S3 Bucket Allows Delete Action From All Principals",
     "severity": "HIGH",
-    "line": 17
+    "line": 4,
+    "fileName": "positive1.tf"
   },
   {
     "queryName": "S3 Bucket Allows Delete Action From All Principals",
     "severity": "HIGH",
-    "line": 42
+    "line": 4,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "S3 Bucket Allows Delete Action From All Principals",
+    "severity": "HIGH",
+    "line": 12,
+    "fileName": "positive3.tf"
   }
 ]