fix(misconf): Escape template value correctly (aquasecurity#6292)

Signed-off-by: Simar <simar@linux.com>
DmitriyLewen · Apr 3, 2024 · 1c49a16 · 1c49a16
1 parent 8dd0fcd
commit 1c49a16
Show file tree

Hide file tree

Showing 4 changed files with 580 additions and 59 deletions.
diff --git a/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go b/pkg/iac/scanners/terraformplan/tfjson/scanner_test.go
@@ -13,11 +13,19 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func Test_OptionWithPolicyDirs_OldRegoMetadata(t *testing.T) {
-	b, _ := os.ReadFile("test/testdata/plan.json")
-	fs := testutil.CreateFS(t, map[string]string{
-		"/code/main.tfplan.json": string(b),
-		"/rules/test.rego": `
+func Test_TerraformScanner(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		name      string
+		inputFile string
+		inputRego string
+		options   []options.ScannerOption
+	}{
+		{
+			name:      "old rego metadata",
+			inputFile: "test/testdata/plan.json",
+			inputRego: `
 package defsec.abcdefg
 
 __rego_metadata__ := {
@@ -43,36 +51,46 @@ deny[cause] {
 	cause := bucket.name
 }
 `,
-	})
-
-	debugLog := bytes.NewBuffer([]byte{})
-	scanner := New(
-		options.ScannerWithDebug(debugLog),
-		options.ScannerWithPolicyFilesystem(fs),
-		options.ScannerWithPolicyDirs("rules"),
-		options.ScannerWithRegoOnly(true),
-		options.ScannerWithEmbeddedPolicies(false),
-	)
-
-	results, err := scanner.ScanFS(context.TODO(), fs, "code")
-	require.NoError(t, err)
-
-	require.Len(t, results.GetFailed(), 1)
-
-	failure := results.GetFailed()[0]
+			options: []options.ScannerOption{
+				options.ScannerWithPolicyDirs("rules"),
+				options.ScannerWithRegoOnly(true),
+				options.ScannerWithEmbeddedPolicies(false)},
+		},
+		{
+			name:      "with user namespace",
+			inputFile: "test/testdata/plan.json",
+			inputRego: ` 
+# METADATA
+# title: Bad buckets are bad
+# description: Bad buckets are bad because they are not good.
+# scope: package
+# schemas:
+#   - input: schema["input"]
+# custom:
+#   avd_id: AVD-TEST-0123
+#   severity: CRITICAL
+#   short_code: very-bad-misconfig
+#   recommended_action: "Fix the s3 bucket"
 
-	assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
-	if t.Failed() {
-		fmt.Printf("Debug logs:\n%s\n", debugLog.String())
-	}
+package user.foobar.ABC001
 
+deny[cause] {
+	bucket := input.aws.s3.buckets[_]
+	bucket.name.value == "tfsec-plan-testing"
+	cause := bucket.name
 }
-
-func Test_OptionWithPolicyDirs_WithUserNamespace(t *testing.T) {
-	b, _ := os.ReadFile("test/testdata/plan.json")
-	fs := testutil.CreateFS(t, map[string]string{
-		"/code/main.tfplan.json": string(b),
-		"/rules/test.rego": `
+`,
+			options: []options.ScannerOption{
+				options.ScannerWithPolicyDirs("rules"),
+				options.ScannerWithRegoOnly(true),
+				options.ScannerWithEmbeddedPolicies(false),
+				options.ScannerWithPolicyNamespaces("user"),
+			},
+		},
+		{
+			name:      "with templated plan json",
+			inputFile: "test/testdata/plan_with_template.json",
+			inputRego: `
 # METADATA
 # title: Bad buckets are bad
 # description: Bad buckets are bad because they are not good.
@@ -89,32 +107,43 @@ package user.foobar.ABC001
 
 deny[cause] {
 	bucket := input.aws.s3.buckets[_]
-	bucket.name.value == "tfsec-plan-testing"
+	bucket.name.value == "${template-name-is-$evil}"
 	cause := bucket.name
 }
 `,
-	})
+			options: []options.ScannerOption{
+				options.ScannerWithPolicyDirs("rules"),
+				options.ScannerWithRegoOnly(true),
+				options.ScannerWithEmbeddedPolicies(false),
+				options.ScannerWithPolicyNamespaces("user"),
+			},
+		},
+	}
 
-	debugLog := bytes.NewBuffer([]byte{})
-	scanner := New(
-		options.ScannerWithDebug(debugLog),
-		options.ScannerWithPolicyFilesystem(fs),
-		options.ScannerWithPolicyDirs("rules"),
-		options.ScannerWithRegoOnly(true),
-		options.ScannerWithPolicyNamespaces("user"),
-		options.ScannerWithEmbeddedPolicies(false),
-	)
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			b, _ := os.ReadFile(tc.inputFile)
+			fs := testutil.CreateFS(t, map[string]string{
+				"/code/main.tfplan.json": string(b),
+				"/rules/test.rego":       tc.inputRego,
+			})
 
-	results, err := scanner.ScanFS(context.TODO(), fs, "code")
-	require.NoError(t, err)
+			debugLog := bytes.NewBuffer([]byte{})
+			so := append(tc.options, options.ScannerWithDebug(debugLog), options.ScannerWithPolicyFilesystem(fs))
+			scanner := New(so...)
 
-	require.Len(t, results.GetFailed(), 1)
+			results, err := scanner.ScanFS(context.TODO(), fs, "code")
+			require.NoError(t, err)
 
-	failure := results.GetFailed()[0]
+			require.Len(t, results.GetFailed(), 1)
 
-	assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
-	if t.Failed() {
-		fmt.Printf("Debug logs:\n%s\n", debugLog.String())
-	}
+			failure := results.GetFailed()[0]
 
+			assert.Equal(t, "AVD-TEST-0123", failure.Rule().AVDID)
+			if t.Failed() {
+				fmt.Printf("Debug logs:\n%s\n", debugLog.String())
+			}
+		})
+	}
 }
diff --git a/pkg/iac/scanners/terraformplan/tfjson/test/parser_test.go b/pkg/iac/scanners/terraformplan/tfjson/test/parser_test.go
@@ -9,7 +9,6 @@ import (
 )
 
 func Test_Parse_Plan_File(t *testing.T) {
-
 	planFile, err := parser.New().ParseFile("testdata/plan.json")
 	require.NoError(t, err)