diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
new file mode 100644
index 00000000000..c3fc4d243dd
--- /dev/null
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/metadata.json
@@ -0,0 +1,12 @@
+{
+ "id": "86b97bb4-85c9-462d-8635-cbc057c5c8c5",
+ "queryName": "Allow Unsafe Lookups Enabled",
+ "severity": "HIGH",
+ "category": "Insecure Configurations",
+ "descriptionText": "When enabled, this option allows lookup plugins to return data that is not marked 'unsafe'.",
+ "descriptionUrl": "https://docs.ansible.com/ansible/latest/reference_appendices/config.html#default-allow-unsafe-lookups",
+ "platform": "Ansible",
+ "descriptionID": "0d491461",
+ "cloudProvider": "common"
+ }
+
\ No newline at end of file
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/query.rego b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/query.rego
new file mode 100644
index 00000000000..2f866d6c8eb
--- /dev/null
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/query.rego
@@ -0,0 +1,19 @@
+package Cx
+
+import data.generic.ansible as ansLib
+
+CxPolicy[result] {
+ defaultsGroup := input.document[i].groups.defaults
+
+ defaultsGroup.allow_unsafe_lookups == true
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceName": "defaults",
+ "resourceType": "n/a",
+ "searchKey": "defaults.allow_unsafe_lookups",
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "allow_unsafe_lookups should be set to 'False'",
+ "keyActualValue": "allow_unsafe_lookups is set to 'True'",
+ }
+}
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative1.cfg b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative1.cfg
new file mode 100644
index 00000000000..b68963cc8a9
--- /dev/null
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative1.cfg
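Review bot: `descriptionText` in metadata.json says what the option does but not why enabling it is a finding, which is what a report reader needs to decide whether to act; suggest `"descriptionText": "When enabled, lookup plugins may return data that is not marked 'unsafe', so that data can be evaluated by the templating engine; keep it disabled unless a lookup explicitly requires it."`. The file also ends with a whitespace-only line and no trailing newline, which a formatter pass would normalize.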
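Review bot: `import data.generic.ansible as ansLib` in query.rego is never referenced in the rule body, so a strict check (`opa check --strict`, or the project's rego lint if it runs one) will reject it as an unused import; either drop the line or use a helper from that library. The match `defaultsGroup.allow_unsafe_lookups == true` also depends on the CFG parser turning the INI value into a boolean; Ansible accepts `yes`, `on`, `1` and mixed-case `true` as truthy, and the fixtures only exercise the literal `True`/`False` spellings, so if the parser passes other spellings through as strings a config with `allow_unsafe_lookups = yes` would go undetected — confirm the parser's boolean handling and, if needed, normalize with `lower(...)` before comparing. A one-line comment above the rule would explain the HIGH severity to later readers: `# Lookup results not marked unsafe are handed to the templating engine, so untrusted lookup data can be evaluated as a template.`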
@@ -0,0 +1,19 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+
+allow_unsafe_lookups=False
\ No newline at end of file
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative2.cfg b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative2.cfg
new file mode 100644
index 00000000000..d11989f9529
--- /dev/null
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/negative2.cfg
@@ -0,0 +1,17 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
\ No newline at end of file
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive1.cfg b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive1.cfg
new file mode 100644
index 00000000000..c7fa67dc142
--- /dev/null
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive1.cfg
@@ -0,0 +1,19 @@
+[defaults]
+action_warnings=True
+cowsay_enabled_stencils=bud-frogs, bunny, cheese, daemon, default, dragon, elephant-in-snake, elephant, eyes, hellokitty, kitty, luke-koala, meow, milk, moofasa, moose, ren, sheep, small, stegosaurus, stimpy, supermilker, three-eyes, turkey, turtle, tux, udder, vader-koala, vader, www
+cow_selection=default
+force_color=False
+nocolor=False
+nocows=False
+any_errors_fatal=False
+become_plugins=~/.ansible/plugins/become:/usr/share/ansible/plugins/become
+fact_caching=memory
+fact_caching_prefix=ansible_facts
+fact_caching_timeout=86400
+collections_on_ansible_version_mismatch=warning
+collections_path=~/.ansible/collections:/usr/share/ansible/collections
+collections_scan_sys_path=True
+command_warnings=False
+action_plugins=~/.ansible/plugins/action:/usr/share/ansible/plugins/action
+
+allow_unsafe_lookups=True
\ No newline at end of file
diff --git a/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive_expected_result.json b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive_expected_result.json
new file mode 100644
index 00000000000..8d8cde32c89
--- /dev/null
+++ b/assets/queries/ansible/config/allow_unsafe_lookups_enabled/test/positive_expected_result.json
@@ -0,0 +1,7 @@
+[
+ {
+ "queryName": "Allow Unsafe Lookups Enabled",
+ "severity": "HIGH",
+ "line": 19
+ }
+]
diff --git a/docs/creating-queries.md b/docs/creating-queries.md
index b990b7d60b7..3d33a383848 100644
--- a/docs/creating-queries.md
+++ b/docs/creating-queries.md
@@ -382,6 +382,8 @@ To improve the KICS line detection mechanism, `searchLine` was introduced.
 SearchLine uses json path to get the correct line information from the payload (which can be seen with the flag `payload-lines`).
+For Ansible Hosts and Config files, there is no need to fill this parameter since the attributes can vary in different files. If you still want to use you will expect an inconsistent behaviour.
+
 Original Content:
 ```
 father:
diff --git a/test/main_test.go b/test/main_test.go
index 63e04a1b8a3..1b2726eb9e2 100644
--- a/test/main_test.go
+++ b/test/main_test.go
@@ -14,6 +14,7 @@ import (
 "github.com/Checkmarx/kics/pkg/kics"
 "github.com/Checkmarx/kics/pkg/model"
 "github.com/Checkmarx/kics/pkg/parser"
+ ansibleConfigParser "github.com/Checkmarx/kics/pkg/parser/ansible/ini/config"
 ansibleHostsParser "github.com/Checkmarx/kics/pkg/parser/ansible/ini/hosts"
 buildahParser "github.com/Checkmarx/kics/pkg/parser/buildah"
 dockerParser "github.com/Checkmarx/kics/pkg/parser/docker"
@@ -52,6 +53,7 @@ var (
 "../assets/queries/ansible/aws": {FileKind: []model.FileKind{model.KindYAML}, Platform: "ansible"},
 "../assets/queries/ansible/gcp": {FileKind: []model.FileKind{model.KindYAML}, Platform: "ansible"},
 "../assets/queries/ansible/azure": {FileKind: []model.FileKind{model.KindYAML}, Platform: "ansible"},
+ "../assets/queries/ansible/config": {FileKind: []model.FileKind{model.KindCFG}, Platform: "ansible"},
 "../assets/queries/ansible/hosts": {FileKind: []model.FileKind{model.KindINI, model.KindYAML}, Platform: "ansible"},
 "../assets/queries/dockerfile": {FileKind: []model.FileKind{model.KindDOCKER}, Platform: "dockerfile"},
 "../assets/queries/dockerCompose": {FileKind: []model.FileKind{model.KindYAML}, Platform: "dockerCompose"},
@@ -192,6 +194,7 @@ func getCombinedParser() []*parser.Parser {
 Add(&dockerParser.Parser{}).
 Add(&protoParser.Parser{}).
 Add(&buildahParser.Parser{}).
+ Add(&ansibleConfigParser.Parser{}).
 Add(&ansibleHostsParser.Parser{}).
 Build([]string{""}, []string{""})
 return bd