Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(query): lambda_iam_invokefunction_misconfigured #6822

Merged
merged 17 commits into from
Feb 27, 2024
Merged

fix(query): lambda_iam_invokefunction_misconfigured #6822

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
6ffa739
Lambda IAM InvokeFunction Misconfigured FP
Tohar-orca Dec 5, 2023
a156d16
Lambda IAM InvokeFunction Misconfigured FP
Tohar-orca Dec 5, 2023
481957a
Merge remote-tracking branch 'origin/master' into lambda-invokefuncti…
Tohar-orca Dec 13, 2023
722cb12
Fix false positive detections in "api_key_exposed" function
Tohar-orca Dec 13, 2023
b2d8c63
Fix false positive detections in "api_key_exposed" function
Tohar-orca Dec 13, 2023
a32eae3
Merge branch 'Checkmarx:master' into lambda-invokefunction-fp
Tohar-orca Dec 18, 2023
81b273d
Fix false positive detections in "api_gateway_with_cloudwatch_logging…
Tohar-orca Dec 18, 2023
e13e498
Merge branch 'master' into lambda-invokefunction-fp
Tohar-orca Jan 8, 2024
7b7500b
Merge branch 'master' into lambda-invokefunction-fp
Tohar-orca Jan 15, 2024
5befff7
Merge branch 'master' into lambda-invokefunction-fp
Tohar-orca Jan 24, 2024
1a1570b
Merge branch 'master' into lambda-invokefunction-fp
gabriel-cx Feb 5, 2024
8447835
Merge branch 'master' into lambda-invokefunction-fp
gabriel-cx Feb 12, 2024
d15b86c
Merge branch 'master' into lambda-invokefunction-fp
Tohar-orca Feb 18, 2024
3c30e27
Merge branch 'master' into lambda-invokefunction-fp
gabriel-cx Feb 21, 2024
9b816e9
Merge branch 'master' into lambda-invokefunction-fp
gabriel-cx Feb 21, 2024
b192fb5
Merge branch 'master' into lambda-invokefunction-fp
Tohar-orca Feb 26, 2024
dbebca7
Merge branch 'master' into lambda-invokefunction-fp
gabriel-cx Feb 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket SSE Disabled",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
"descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
"descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id",
"platform": "Ansible",
"descriptionID": "4008dca4",
Expand Down
2 changes: 1 addition & 1 deletion assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket SSE Disabled",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
"descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
"descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html",
"platform": "CloudFormation",
"descriptionID": "42fd2930",
Expand Down
3 changes: 2 additions & 1 deletion assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ CxPolicy[result] {

haveLogs(stageName) {
log := input.document[i].resource.aws_cloudwatch_log_group[_]
regexPattern := sprintf("API-Gateway-Execution-Logs_\\${aws_api_gateway_rest_api\\.\\w+\\.id}/%s$", [stageName])
stageName_escaped := replace(replace(stageName, "$", "\\$"), ".", "\\.")
regexPattern := sprintf("API-Gateway-Execution-Logs_\\${aws_api_gateway_rest_api\\.\\w+\\.id}/%s$", [stageName_escaped])
regex.match(regexPattern, log.name)
}
20 changes: 20 additions & 0 deletions assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/negative2.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
module "env" {
source = "./env"
}

resource "aws_api_gateway_rest_api" "example" {
# ... other configuration ...
}

resource "aws_api_gateway_stage" "example" {
depends_on = [aws_cloudwatch_log_group.example]

stage_name = module.env.vars.stage_name
# ... other configuration ...
}

resource "aws_cloudwatch_log_group" "example" {
name = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${module.env.vars.stage_name}"
retention_in_days = 7
# ... potentially other configuration ...
}
4 changes: 4 additions & 0 deletions assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ check_iam_ressource(statement) {
is_array(statement.Resource)
regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource[_])
regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource[_])
} else {
is_array(statement.resources)
regex.match("(^aws_lambda_function\\.[^.]\\.arn:[*]$)", statement.resources[_])
regex.match("(^aws_lambda_function\\.[^.]\\.arn$)", statement.resources[_])
}

check_iam_action(statement) {
Expand Down
28 changes: 28 additions & 0 deletions assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/negative3.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
resource "aws_lambda_function" "negative3" {
function_name = "negative3"
role = "negative3_role"
}

resource "aws_iam_policy" "negative3policy" {
name = "negative3policy"
path = "/"
description = "negative3 Policy"

# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = [
"s3:*",
]
Effect = "Allow"
Resource = [
aws_lambda_function.negative3.arn,
"${aws_lambda_function.negative3.arn}:*"
]
},
]
})
}
2 changes: 1 addition & 1 deletion assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"queryName": "S3 Bucket SSE Disabled",
"severity": "HIGH",
"category": "Encryption",
"descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
"descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
"descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration",
"platform": "Terraform",
"descriptionID": "b386c506",
Expand Down
Loading