Merge pull request #6705 from Checkmarx/kics-1035-no-relative-paths

feat(query): ansible playbooks Insecure Relative Path Resolution

assets/queries/ansible/general/insecure_relative_path_resolution/metadata.json

@@ -0,0 +1,11 @@
+{
+	"id": "8d22ae91-6ac1-459f-95be-d37bd373f244",
+	"queryName": "Insecure Relative Path Resolution",
+	"severity": "LOW",
+	"category": "Best Practices",
+	"descriptionText": "Using relative paths can lead to unexpected behavior as the path is resolved relative to the current working directory, which can change.",
+	"descriptionUrl": "https://ansible.readthedocs.io/projects/lint/rules/no-relative-paths/",
+	"platform": "Ansible",
+	"descriptionID": "84ea91c8",
+	"cloudProvider": "common"
+}

assets/queries/ansible/general/insecure_relative_path_resolution/query.rego

@@ -0,0 +1,33 @@
+package Cx
+
+import data.generic.ansible as ansLib
+
+module_to_folder = {
+    "copy": "files",
+    "win_copy": "files",
+    "template": "templates",
+    "win_template": "win_templates",
+	"ansible.builtin.template": "templates",
+	"ansible.builtin.copy": "files",
+}
+
+CxPolicy[result] {
+	task := ansLib.tasks[id][t]
+	folder := module_to_folder[m]
+	copyOrTemplate := task[m]
+	ansLib.checkState(copyOrTemplate)
+
+	relative_path := sprintf("../%s", [folder])
+	contains(copyOrTemplate.src, relative_path)
+
+	result := {
+		"documentId": id,
+		"resourceType": m,
+		"resourceName": task.name,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.src", [task.name, m]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("%s.src should not be a relative path", [m]),
+		"keyActualValue": sprintf("%s.src is a relative path", [m]),
+	}
+}
+

assets/queries/ansible/general/insecure_relative_path_resolution/test/negative1.yaml

@@ -0,0 +1,34 @@
+---
+- name: Negative Example
+  hosts: localhost
+  tasks:
+    - name: One
+      ansible.builtin.copy:
+        content:
+        dest: /etc/mine.conf
+        mode: "0644"
+    - name: Two
+      ansible.builtin.copy:
+        src: /home/example/files/foo.conf
+        dest: /etc/foo.conf
+        mode: "0644"
+
+---
+- name: Negative Example 2
+  hosts: localhost
+  tasks:
+    - name: One
+      ansible.builtin.template:
+        src: ../example/foo.j2
+        dest: /etc/file.conf
+        mode: "0644"
+    - name: Two
+      ansible.builtin.copy:
+        src: ../example/foo.conf
+        dest: /etc/foo.conf
+        mode: "0644"
+    - name: Three
+      win_template:
+        src: ../example/foo2.j2
+        dest: /etc/file.conf
+        mode: "0644"

assets/queries/ansible/general/insecure_relative_path_resolution/test/positive1.yaml

@@ -0,0 +1,14 @@
+---
+- name: Positive Example
+  hosts: localhost
+  tasks:
+    - name: One
+      ansible.builtin.template:
+        src: ../templates/foo.j2
+        dest: /etc/file.conf
+        mode: "0644"
+    - name: Two
+      ansible.builtin.copy:
+        src: ../files/foo.conf
+        dest: /etc/foo.conf
+        mode: "0644"

assets/queries/ansible/general/insecure_relative_path_resolution/test/positive_expected_result.json

@@ -0,0 +1,14 @@
+[
+	{
+		"queryName": "Insecure Relative Path Resolution",
+		"severity": "LOW",
+		"line": 7,
+		"fileName": "positive1.yaml"
+	},
+	{
+		"queryName": "Insecure Relative Path Resolution",
+		"severity": "LOW",
+		"line": 12,
+		"fileName": "positive1.yaml"
+	}
+]