Merge pull request #6822 from Tohar-orca/lambda-invokefunction-fp

fix(query): lambda_iam_invokefunction_misconfigured
Checkmarx · Feb 27, 2024 · 6b9fa67 · 6b9fa67
2 parents 350ed87 + dbebca7
commit 6b9fa67
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 4 deletions.
diff --git a/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/ansible/aws/s3_bucket_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket SSE Disabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
+  "descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
   "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/amazon/aws/s3_bucket_module.html#parameter-encryption_key_id",
   "platform": "Ansible",
   "descriptionID": "4008dca4",

diff --git a/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/cloudFormation/aws/s3_bucket_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket SSE Disabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
+  "descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
   "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-serversideencryptionbydefault.html",
   "platform": "CloudFormation",
   "descriptionID": "42fd2930",

diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/query.rego
@@ -19,6 +19,7 @@ CxPolicy[result] {
 
 haveLogs(stageName) {
 	log := input.document[i].resource.aws_cloudwatch_log_group[_]
-	regexPattern := sprintf("API-Gateway-Execution-Logs_\\${aws_api_gateway_rest_api\\.\\w+\\.id}/%s$", [stageName])	
+	stageName_escaped := replace(replace(stageName, "$", "\\$"), ".", "\\.")
+	regexPattern := sprintf("API-Gateway-Execution-Logs_\\${aws_api_gateway_rest_api\\.\\w+\\.id}/%s$", [stageName_escaped])
 	regex.match(regexPattern, log.name)
 }
diff --git a/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/negative2.tf b/assets/queries/terraform/aws/api_gateway_with_cloudwatch_logging_disabled/test/negative2.tf
@@ -0,0 +1,20 @@
+module "env" {
+  source = "./env"
+}
+
+resource "aws_api_gateway_rest_api" "example" {
+  # ... other configuration ...
+}
+
+resource "aws_api_gateway_stage" "example" {
+  depends_on = [aws_cloudwatch_log_group.example]
+
+  stage_name = module.env.vars.stage_name
+  # ... other configuration ...
+}
+
+resource "aws_cloudwatch_log_group" "example" {
+  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.example.id}/${module.env.vars.stage_name}"
+  retention_in_days = 7
+  # ... potentially other configuration ...
+}
diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/query.rego
@@ -34,6 +34,10 @@ check_iam_ressource(statement) {
 	is_array(statement.Resource)
 	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+:[*]$)", statement.Resource[_])
 	regex.match("(^arn:aws:lambda:.*:.*:function:[a-zA-Z0-9_-]+$)", statement.Resource[_])
+} else {
+    is_array(statement.resources)
+    regex.match("(^aws_lambda_function\\.[^.]\\.arn:[*]$)", statement.resources[_])
+    regex.match("(^aws_lambda_function\\.[^.]\\.arn$)", statement.resources[_])
 }
 
 check_iam_action(statement) {

diff --git a/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/negative3.tf b/assets/queries/terraform/aws/lambda_iam_invokefunction_misconfigured/test/negative3.tf
@@ -0,0 +1,28 @@
+resource "aws_lambda_function" "negative3" {
+  function_name = "negative3"
+  role          = "negative3_role"
+}
+
+resource "aws_iam_policy" "negative3policy" {
+  name        = "negative3policy"
+  path        = "/"
+  description = "negative3 Policy"
+
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "s3:*",
+        ]
+        Effect   = "Allow"
+        Resource = [
+            aws_lambda_function.negative3.arn,
+            "${aws_lambda_function.negative3.arn}:*"
+        ]
+      },
+    ]
+  })
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json b/assets/queries/terraform/aws/s3_bucket_sse_disabled/metadata.json
@@ -3,7 +3,7 @@
   "queryName": "S3 Bucket SSE Disabled",
   "severity": "HIGH",
   "category": "Encryption",
-  "descriptionText": "If algorithm is AES256 then the master key is null, empty or undefined, otherwise the master key is required",
+  "descriptionText": "If master key is null, empty of undefined, then SSE algorithm should be AES25. Conversely, if SSE algorithm is AES256, then master key should be null, empty or undefined.",
   "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration",
   "platform": "Terraform",
   "descriptionID": "b386c506",