Merge branch 'master' into kics-1033

assets/queries/ansible/config/communication_over_http/metadata.json

@@ -0,0 +1,11 @@
+{
+    "id": "d7dc9350-74bc-485b-8c85-fed22d276c43",
+    "queryName": "Communication over HTTP",
+    "severity": "MEDIUM",
+    "category": "Insecure Configurations",
+    "descriptionText": "Using HTTP URLs (without encryption) could lead to security vulnerabilities and risks",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/httpapi.html",
+    "platform": "Ansible",
+    "descriptionID": "8c03b0c0",
+    "cloudProvider": "common"
+}

assets/queries/ansible/config/communication_over_http/query.rego

@@ -0,0 +1,21 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	galaxyGroup := input.document[i].groups.galaxy
+
+	url := galaxyGroup.server
+	startswith(url, "http://")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "[galaxy].server",
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'server' from galaxy group should be accessed via the HTTPS protocol",
+		"keyActualValue": "'server' from galaxy group is accessed via the HTTP protocol'",
+	}
+}

assets/queries/ansible/config/communication_over_http/test/negative1.cfg

@@ -0,0 +1,5 @@
+[galaxy]
+cache_dir=~/.ansible/galaxy_cache
+ignore_certs=False
+role_skeleton_ignore=^.git$, ^.*/.git_keep$
+server=https://galaxy.ansible.com

assets/queries/ansible/config/communication_over_http/test/positive1.cfg

@@ -0,0 +1,5 @@
+[galaxy]
+cache_dir=~/.ansible/galaxy_cache
+ignore_certs=False
+role_skeleton_ignore=^.git$, ^.*/.git_keep$
+server=http://galaxy.ansible.com

assets/queries/ansible/config/communication_over_http/test/positive_expected_result.json

@@ -0,0 +1,7 @@
+[
+	{
+		"queryName": "Communication over HTTP",
+		"severity": "MEDIUM",
+		"line": 5
+	}
+]

assets/queries/ansible/config/privilege_escalation_using_become_plugin/metadata.json

@@ -0,0 +1,12 @@
+{
+    "id": "404908b6-4954-4611-98f0-e8ceacdabcb1",
+    "queryName": "Privilege Escalation Using Become Plugin",
+    "severity": "MEDIUM",
+    "category": "Access Control",
+    "descriptionText": "In order to perform an action as a different user with the become_user, 'become' must be defined and set to 'true'",
+    "descriptionUrl": "https://docs.ansible.com/ansible/latest/plugins/become.html",
+    "platform": "Ansible",
+    "descriptionID": "00396668",
+    "cloudProvider": "common"
+  }
+

assets/queries/ansible/config/privilege_escalation_using_become_plugin/query.rego

@@ -0,0 +1,38 @@
+package Cx
+
+import data.generic.ansible as ansLib
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    not common_lib.valid_key(defaultsGroup, "become")
+	common_lib.valid_key(defaultsGroup, "become_user")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "defaults.become_user",
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'become' should be defined and set to 'true'",
+		"keyActualValue": "'become' is not defined",
+	}
+}
+
+CxPolicy[result] {
+	defaultsGroup := input.document[i].groups.defaults
+
+    defaultsGroup.become == false
+	common_lib.valid_key(defaultsGroup, "become_user")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "n/a",
+		"resourceName": "n/a",
+		"searchKey": "defaults.become",
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'become' should be set to 'true'",
+		"keyActualValue": "'become' is set to 'false'",
+	}
+}

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/negative1.cfg

@@ -0,0 +1,10 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/negative2.cfg

@@ -0,0 +1,13 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+fact_caching=memory
+become_ask_pass=False
+become_method=sudo
+become=True
+become_user=root

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/positive1.cfg

@@ -0,0 +1,13 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+fact_caching=memory
+become=False
+become_ask_pass=False
+become_method=sudo
+become_user=root

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/positive2.cfg

@@ -0,0 +1,12 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+fact_caching=memory
+become_ask_pass=False
+become_method=sudo
+become_user=root

assets/queries/ansible/config/privilege_escalation_using_become_plugin/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"filename": "positive1.cfg",
+		"line": 10
+	},
+	{
+		"queryName": "Privilege Escalation Using Become Plugin",
+		"severity": "MEDIUM",
+		"filename": "positive2.cfg",
+		"line": 12
+	}
+]

pkg/parser/ansible/ini/config/parser.go

@@ -1,7 +1,6 @@
 package ansibleconfig
 
 import (
-	"regexp"
 	"strconv"
 	"strings"
 
@@ -54,21 +53,13 @@ func refactorConfig(config *configparser.ConfigParser) (doc *model.Document) {
 			} else if floatValue, err := strconv.ParseFloat(value, 64); err == nil {
 				dictRefact[key] = floatValue
 			} else if strings.Contains(value, ",") {
-				re := regexp.MustCompile(`\w+`)
-				matches := re.FindAllString(value, -1)
-				if len(matches) > 0 {
-					dictRefact[key] = matches
-				} else {
-					dictRefact[key] = []string{}
-				}
-			} else if strings.Contains(value, ":") {
-				re := regexp.MustCompile(`\w+`)
-				matches := re.FindAllString(value, -1)
-				if len(matches) > 0 {
-					dictRefact[key] = matches
-				} else {
-					dictRefact[key] = []string{}
+				elements := strings.Split(value, ",")
+
+				for i := 0; i < len(elements); i++ {
+					elements[i] = strings.TrimSpace(elements[i])
 				}
+
+				dictRefact[key] = elements
 			} else if value == "[]" {
 				dictRefact[key] = []string{}
 			} else {