updating policies to detect cve-2021-25742 (#1071)

pkg/policies/opa/rego/k8s/kubernetes_pod/AC_K8S_0051.json

@@ -0,0 +1,17 @@
+{
+    "name": "allowedCustomSnippetAnnotations",
+    "file": "allowedCustomSnippetAnnotations.rego",
+    "policy_type": "k8s",
+    "resource_type": "kubernetes_deployment",
+    "template_args": {
+        "name": "allowedCustomSnippetAnnotations",
+        "prefix": "",
+        "suffix": ""
+    },
+    "severity": "HIGH",
+    "description": "CVE-2021-25742: Ingress-nginx with custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces.",
+    "category": "Configuration and Vulnerability Analysis",
+    "reference_id": "AC_K8S_0051",
+    "version": 1,
+    "id": "AC_K8S_0051"
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/AC_K8_0050.json

@@ -1,15 +1,15 @@
 {
-    "name": "allowedCustomSnippetAnnotations",
-    "file": "allowedCustomSnippetAnnotations.rego",
+    "name": "allowedCustomSnippetAnnotationsWithWrongVersion",
+    "file": "allowedCustomSnippetAnnotationsWithWrongVersion.rego",
     "policy_type": "k8s",
     "resource_type": "kubernetes_deployment",
     "template_args": {
-        "name": "allowedCustomSnippetAnnotations",
+        "name": "allowedCustomSnippetAnnotationsWithWrongVersion",
         "prefix": "",
         "suffix": ""
     },
     "severity": "HIGH",
-    "description": "CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces.",
+    "description": "CVE-2021-25742: Ingress-nginx with custom snippets with a version that does not support mitigation and allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces.",
     "category": "Configuration and Vulnerability Analysis",
     "reference_id": "AC_K8S_0050",
     "version": 1,

pkg/policies/opa/rego/k8s/kubernetes_pod/allowedCustomSnippetAnnotations.rego

@@ -22,24 +22,57 @@ package accurics
     isAllowSnippetAnnotations(deployment.metadata.namespace)
 }
 
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+    deployment := input.kubernetes_deployment[_]
+    image := deployment.config.spec.template.spec.containers[_].image
+
+    contains(image, "ingress-nginx/controller")
+    contains(image, "@sha")
+    version := split(split(image, ":v")[1], "@")
+    isVulnerableVersion(version)
+    isAllowSnippetAnnotations(deployment.config.metadata.namespace)
+
+    ingress := input.kubernetes_ingress[_].config
+    isIngressUsingSnippet(ingress)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+    deployment := input.kubernetes_deployment[_]
+    image := deployment.config.spec.template.spec.containers[_].image
+
+    contains(image, "ingress-nginx/controller")
+    not contains(image, "@sha")
+    version := split(image, ":v")
+    isVulnerableVersion(version)
+    isAllowSnippetAnnotations(deployment.metadata.namespace)
+
+    ingress := input.kubernetes_ingress[_].config
+    isIngressUsingSnippet(ingress)
+}
+
 isVulnerableVersion(ver) {
-    ver[minus(count(ver), 1)] <= "0.49"
+    ver[minus(count(ver), 1)] >= "0.49.1"
 }
 
 isVulnerableVersion(ver) {
-    ver[minus(count(ver), 1)] == "1.0.0"
+    ver[minus(count(ver), 1)] >= "1.0.1"
 }
 
 isVulnerableVersion(ver) {
-    ver[0] <= "0.49"
+    ver[0] >= "0.49.1"
 }
 
 isVulnerableVersion(ver) {
-    ver[0] == "1.0.0"
+    ver[0] >= "1.0.1"
 }
 
 isAllowSnippetAnnotations(namespace) {
     configmap := input.kubernetes_config_map[_]
     configmap.config.metadata.namespace == namespace
     configmap.config.data["allow-snippet-annotations"] == "true"
 }
+
+isIngressUsingSnippet(ingressConfig){
+    possibleAnnotations := ["nginx.ingress.kubernetes.io/server-snippets", "nginx.ingress.kubernetes.io/configuration-snippets", "nginx.org/configuration-snippets", "nginx.org/server-snippets"]
+    contains(ingressConfig.metadata.annotations[possibleAnnotations[_]], "kubernetes.io")
+}

pkg/policies/opa/rego/k8s/kubernetes_pod/allowedCustomSnippetAnnotationsWithWrongVersion.rego

@@ -0,0 +1,67 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+    deployment := input.kubernetes_deployment[_]
+    image := deployment.config.spec.template.spec.containers[_].image
+
+    contains(image, "ingress-nginx/controller")
+    contains(image, "@sha")
+    version := split(split(image, ":v")[1], "@")
+    isVulnerableVersion(version)
+    isAllowSnippetAnnotations(deployment.config.metadata.namespace)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+    deployment := input.kubernetes_deployment[_]
+    image := deployment.config.spec.template.spec.containers[_].image
+
+    contains(image, "ingress-nginx/controller")
+    not contains(image, "@sha")
+    version := split(image, ":v")
+    isVulnerableVersion(version)
+    isAllowSnippetAnnotations(deployment.metadata.namespace)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+    deployment := input.kubernetes_deployment[_]
+    image := deployment.config.spec.template.spec.containers[_].image
+
+    contains(image, "ingress-nginx/controller")
+    contains(image, "@sha")
+    version := split(split(image, ":v")[1], "@")
+    isVulnerableVersion(version)
+    isAllowSnippetAnnotations(deployment.config.metadata.namespace)
+}
+
+{{.prefix}}{{.name}}{{.suffix}}[deployment.id] {
+    deployment := input.kubernetes_deployment[_]
+    image := deployment.config.spec.template.spec.containers[_].image
+
+    contains(image, "ingress-nginx/controller")
+    not contains(image, "@sha")
+    version := split(image, ":v")
+    isVulnerableVersion(version)
+    isAllowSnippetAnnotations(deployment.metadata.namespace)
+}
+
+isVulnerableVersion(ver) {
+    ver[minus(count(ver), 1)] <= "0.49"
+}
+
+isVulnerableVersion(ver) {
+    ver[minus(count(ver), 1)] == "1.0.0"
+}
+
+isVulnerableVersion(ver) {
+    ver[0] <= "0.49"
+}
+
+isVulnerableVersion(ver) {
+    ver[0] == "1.0.0"
+}
+
+isAllowSnippetAnnotations(namespace) {
+    configmap := input.kubernetes_config_map[_]
+    configmap.config.metadata.namespace == namespace
+    configmap.config.data["allow-snippet-annotations"] == "true"
+}