From 1fa6397e1e49852294c6cc10e5ad16e4ab7a7027 Mon Sep 17 00:00:00 2001
From: Taylor
Date: Fri, 21 Feb 2025 22:23:28 -0800
Subject: [PATCH 1/2] fix

---
 .../gcp/CloudArmorWAFACLCVE202144228.py | 28 +++++
 .../main.tf | 114 ++++++++++++++++++
 .../gcp/test_CloudArmorWAFACLCVE202144228.py | 5 +-
 3 files changed, 146 insertions(+), 1 deletion(-)

diff --git a/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py b/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
index 0a1f0895545..f8c9b417baf 100644
--- a/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
+++ b/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
@@ -3,6 +3,7 @@
 from checkov.common.models.enums import CheckResult, CheckCategories
 from checkov.common.util.type_forcers import force_list
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
+from checkov.common.graph.graph_builder import CustomAttributes
 
 
 class CloudArmorWAFACLCVE202144228(BaseResourceCheck):
@@ -38,6 +39,33 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 if rule.get("preview") == [True]:
 return CheckResult.FAILED
 return CheckResult.PASSED
+
+ resource_name = conf.get("name")[0]
+ connected_rules = [
+ g1[1] for g1 in self.graph.nodes()
+ if g1[1].get(CustomAttributes.RESOURCE_TYPE) == "google_compute_security_policy_rule" and
+ g1[1].get("security_policy") == resource_name
+ ]
+
+ for idx_rule, rule in enumerate(force_list(connected_rules)):
+ match = rule.get("match")
+ if match and isinstance(match, dict):
+ expr = match.get("expr")
+ if expr and isinstance(expr, dict):
+ if expr.get("expression") == "evaluatePreconfiguredExpr('cve-canary')":
+ if rule.get("action") == "allow":
+ return CheckResult.FAILED
+ if rule.get("preview"):
+ return CheckResult.FAILED
+ return CheckResult.PASSED
+ elif expr.get("expression") == "evaluatePreconfiguredWaf('cve-canary')":
+ if rule.get("action") == "allow":
+ return CheckResult.FAILED
+ if rule.get("preview"):
+ return CheckResult.FAILED
+ return CheckResult.PASSED
+
+ return CheckResult.FAILED
 
 
 
diff --git a/tests/terraform/checks/resource/gcp/example_CloudArmorWAFACLCVE202144228/main.tf b/tests/terraform/checks/resource/gcp/example_CloudArmorWAFACLCVE202144228/main.tf
index 890108edf67..89148fb6eff 100644
--- a/tests/terraform/checks/resource/gcp/example_CloudArmorWAFACLCVE202144228/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_CloudArmorWAFACLCVE202144228/main.tf
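Review bot: `conf.get("name")[0]` on the first added line raises TypeError when the policy has no `name` attribute, and a guard that merely defaulted it to `None` would let rule nodes without a `security_policy` match as well; guard it first, `names = conf.get("name")` / `if not names: return CheckResult.FAILED` / `resource_name = names[0]`. The graph lookup matches rules by the literal name string, so a `security_policy` that is still an unresolved reference (a variable or module output) will not match and the policy is reported FAILED; that the `pass_separate_resource` fixture passes relies on checkov rendering `google_compute_security_policy.x.name` to the literal before this check runs, which deserves a comment, as does the assumption that `self.graph` is always populated on the check. The two `expression` branches have identical bodies; `if expr.get("expression") in ("evaluatePreconfiguredExpr('cve-canary')", "evaluatePreconfiguredWaf('cve-canary')"):` keeps one copy. Note also that the graph branch compares bare values (`== "allow"`, truthy `preview`) while the inline branch above compares list-wrapped ones (`== [True]`); a one-line comment that graph node attributes are unwrapped would stop the next reader from "fixing" one to match the other. The enclosing method starts before this hunk.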
@@ -43,6 +43,49 @@ resource "google_compute_security_policy" "pass_preconfigwaf" { } } +resource "google_compute_security_policy" "pass_separate_resource" { + name = "example_separate" + + rule { + description = "Foo" + priority = 1 + + match { + versioned_expr = "SRC_IPS_V1" + config { + src_ip_ranges = ["*"] + } + } + + action = "deny(404)" + } +} + +resource "google_compute_security_policy_rule" "cve_canary_waf" { + security_policy = google_compute_security_policy.pass_separate_resource.name + description = "cve-canary WAF rule" + priority = 1 + match { + expr { + expression = "evaluatePreconfiguredExpr('cve-canary')" + } + } + action = "deny(403)" +} + +resource "google_compute_security_policy_rule" "rule2" { + security_policy = google_compute_security_policy.pass_separate_resource.name + description = "rule2" + priority = 2 + match { + expr { + expression = "evaluatePreconfiguredWaf('xss-canary')" + } + } + action = "allow" +} + + # fail resource "google_compute_security_policy" "allow" { 
@@ -101,4 +144,75 @@ resource "google_compute_security_policy" "pass_preconfigwaf" {
 }
 }
 }
+}
+
+resource "google_compute_security_policy" "fail" {
+
+ name = "my-policy"
+
+ rule {
+ action = "deny(403)"
+ priority = "1000"
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["9.9.9.0/24"]
+ }
+ }
+ description = "Deny access to IPs in 9.9.9.0/24"
+ }
+
+ rule {
+ action = "allow"
+ priority = "2147483647"
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["*"]
+ }
+ }
+ description = "default rule"
+ }
+}
+
+resource "google_compute_security_policy" "fail_separate_resource" {
+ name = "example_separate_fail"
+
+ rule {
+ description = "Foo"
+ priority = 1
+
+ match {
+ versioned_expr = "SRC_IPS_V1"
+ config {
+ src_ip_ranges = ["*"]
+ }
+ }
+
+ action = "deny(404)"
+ }
+}
+
+resource "google_compute_security_policy_rule" "cve_canary_waf" {
+ security_policy = google_compute_security_policy.fail_separate_resource.name
+ description = "cve-canary WAF rule"
+ priority = 1
+ match {
+ expr {
+ expression = "evaluatePreconfiguredExpr('cve-canary')"
+ }
+ }
+ action = "allow"
+}
+
+resource "google_compute_security_policy_rule" "rule2" {
+ security_policy = google_compute_security_policy.fail_separate_resource.name
+ description = "rule2"
+ priority = 2
+ match {
+ expr {
+ expression = "evaluatePreconfiguredWaf('xss-canary')"
+ }
+ }
+ action = "allow"
 }
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/gcp/test_CloudArmorWAFACLCVE202144228.py b/tests/terraform/checks/resource/gcp/test_CloudArmorWAFACLCVE202144228.py
index ba0d7a22382..437718287d1 100644
--- a/tests/terraform/checks/resource/gcp/test_CloudArmorWAFACLCVE202144228.py
+++ b/tests/terraform/checks/resource/gcp/test_CloudArmorWAFACLCVE202144228.py
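Review bot: The two rule resources added at the end of this hunk reuse the addresses `google_compute_security_policy_rule.cve_canary_waf` and `google_compute_security_policy_rule.rule2` already declared for the pass case earlier in this file (the `@@ -43,6` hunk), so Terraform would reject the fixture as a duplicate resource declaration and the graph ends up with two nodes per address; rename them, e.g. `"cve_canary_waf_fail"` and `"rule2_fail"`. Only the `security_policy` value distinguishes the pairs today, which is enough for the name-based matching the check uses, but a duplicate address makes it hard to tell which rule a future parser or graph change attaches to which policy.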
@@ -21,13 +21,16 @@ def test(self):
 "google_compute_security_policy.enabled_deny_403",
 "google_compute_security_policy.enabled_deny_404",
 "google_compute_security_policy.pass_preconfigwaf",
+ "google_compute_security_policy.pass_separate_resource",
 }
 
 failing_resources = {
 "google_compute_security_policy.allow",
 "google_compute_security_policy.preview",
 "google_compute_security_policy.different_expr",
- "google_compute_security_policy.pass_preconfigwaf"
+ "google_compute_security_policy.pass_preconfigwaf",
+ "google_compute_security_policy.fail",
+ "google_compute_security_policy.fail_separate_resource",
 }
 
 passed_check_resources = {c.resource for c in report.passed_checks}

From 40d9a359ef0125cd246679b7859158673e85c839 Mon Sep 17 00:00:00 2001
From: Taylor
Date: Fri, 21 Feb 2025 22:29:27 -0800
Subject: [PATCH 2/2] Fix flake8

---
 .../checks/resource/gcp/CloudArmorWAFACLCVE202144228.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py b/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
index f8c9b417baf..08199d5096f 100644
--- a/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
+++ b/checkov/terraform/checks/resource/gcp/CloudArmorWAFACLCVE202144228.py
@@ -44,10 +44,10 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 connected_rules = [
 g1[1] for g1 in self.graph.nodes()
 if g1[1].get(CustomAttributes.RESOURCE_TYPE) == "google_compute_security_policy_rule" and
- g1[1].get("security_policy") == resource_name
+ g1[1].get("security_policy") == resource_name
 ]
 
- for idx_rule, rule in enumerate(force_list(connected_rules)):
+ for rule in force_list(connected_rules):
 match = rule.get("match")
 if match and isinstance(match, dict):
 expr = match.get("expr")
@@ -65,7 +65,6 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 return CheckResult.FAILED
 return CheckResult.PASSED
 
- return CheckResult.FAILED
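Review bot: `"google_compute_security_policy.pass_preconfigwaf"` stays in `failing_resources` on the new side while it is also listed in `passing_resources`; the commit only adds a trailing comma to that line. If the assertions that follow compare these sets against the report (they are outside this hunk), one resource address cannot satisfy both, so either it should be removed from `failing_resources` or the fixture really declares `pass_preconfigwaf` twice — the hunk headers of the main.tf diff hint at a second declaration later in that file, which would be worth a comment here. The new `fail_separate_resource` expectation only proves the graph path if the failing set is exact.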
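Review bot: Removing the final `return CheckResult.FAILED` leaves `scan_resource_conf` without a return on the path where neither an inline rule nor any connected `google_compute_security_policy_rule` carries a cve-canary expression, so a policy with no Log4Shell protection at all now evaluates to `None` rather than FAILED — unless a further return follows in the trailing context of this hunk, which is blank or not shown here. That unprotected-policy case is exactly what the check exists to flag and is what the `fail` fixture exercises. Whatever flake8 objected to (indentation or a duplicated return, presumably), the method needs exactly one `return CheckResult.FAILED` at method indent as its last statement; the method starts before this hunk.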