
Commit 1f9fc13

authored
perf(misconf): use port ranges instead of enumeration (#7549)
Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
1 parent 5dd94eb commit 1f9fc13


5 files changed

+84
-24
lines changed


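--- a/pkg/iac/adapters/terraform/google/compute/adapt_test.go
+++ b/pkg/iac/adapters/terraform/google/compute/adapt_test.go
@@ -184,8 +184,8 @@ func TestLines(t *testing.T) {
 assert.Equal(t, 59, network.Firewall.IngressRules[0].Protocol.GetMetadata().Range().GetStartLine())
 assert.Equal(t, 59, network.Firewall.IngressRules[0].Protocol.GetMetadata().Range().GetEndLine())
 
-assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].GetMetadata().Range().GetStartLine())
-assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].GetMetadata().Range().GetEndLine())
+assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].Metadata.Range().GetStartLine())
+assert.Equal(t, 60, network.Firewall.IngressRules[0].Ports[0].Metadata.Range().GetEndLine())
 
 assert.Equal(t, 64, network.Subnetworks[0].Metadata.Range().GetStartLine())
 assert.Equal(t, 72, network.Subnetworks[0].Metadata.Range().GetEndLine())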

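--- a/pkg/iac/adapters/terraform/google/compute/networks.go
+++ b/pkg/iac/adapters/terraform/google/compute/networks.go
@@ -105,44 +105,51 @@ func adaptNetworks(modules terraform.Modules) (networks []compute.Network) {
 return networks
 }
 
-func expandRange(ports string, attr *terraform.Attribute) []iacTypes.IntValue {
+func expandRange(ports string, meta iacTypes.Metadata) (compute.PortRange, bool) {
 ports = strings.ReplaceAll(ports, " ", "")
 if !strings.Contains(ports, "-") {
 i, err := strconv.Atoi(ports)
 if err != nil {
-return nil
-}
-return []iacTypes.IntValue{
-iacTypes.Int(i, attr.GetMetadata()),
+return compute.PortRange{}, false
 }
+return compute.PortRange{
+Metadata: meta,
+Start: iacTypes.Int(i, meta),
+End: iacTypes.Int(i, meta),
+}, true
 }
 parts := strings.Split(ports, "-")
 if len(parts) != 2 {
-return nil
+return compute.PortRange{}, false
 }
 start, err := strconv.Atoi(parts[0])
 if err != nil {
-return nil
+return compute.PortRange{}, false
 }
 end, err := strconv.Atoi(parts[1])
 if err != nil {
-return nil
-}
-var output []iacTypes.IntValue
-for i := start; i <= end; i++ {
-output = append(output, iacTypes.Int(i, attr.GetMetadata()))
+return compute.PortRange{}, false
 }
-return output
+
+return compute.PortRange{
+Metadata: meta,
+Start: iacTypes.Int(start, meta),
+End: iacTypes.Int(end, meta),
+}, true
 }
 
 func adaptFirewallRule(firewall *compute.Firewall, firewallBlock, ruleBlock *terraform.Block, allow bool) {
 protocolAttr := ruleBlock.GetAttribute("protocol")
 portsAttr := ruleBlock.GetAttribute("ports")
 
-var ports []iacTypes.IntValue
+var rngs []compute.PortRange
 rawPorts := portsAttr.AsStringValues()
 for _, portStr := range rawPorts {
-ports = append(ports, expandRange(portStr.Value(), portsAttr)...)
+rng, ok := expandRange(portStr.Value(), portsAttr.GetMetadata())
+if !ok {
+continue
+}
+rngs = append(rngs, rng)
 }
 
 // ingress by default
@@ -153,7 +160,7 @@ func adaptFirewallRule(firewall *compute.Firewall, firewallBlock, ruleBlock *ter
 Enforced: iacTypes.BoolDefault(true, firewallBlock.GetMetadata()),
 IsAllow: iacTypes.Bool(allow, ruleBlock.GetMetadata()),
 Protocol: protocolAttr.AsStringValueOrDefault("tcp", ruleBlock),
-Ports: ports,
+Ports: rngs,
 }
 
 disabledAttr := firewallBlock.GetAttribute("disabled")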
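Review bot: In the first hunk, `expandRange` now accepts a reversed range such as `9095-9090` and returns it as a PortRange with Start greater than End, whereas the removed `for i := start; i <= end; i++` loop produced no ports for that input, so a policy reading `start`/`end` will now see an inverted interval instead of an empty rule. A guard after the second Atoi, `if start > end { return compute.PortRange{}, false }`, restores the previous outcome because adaptFirewallRule already skips entries that return false. Neither branch bounds the parsed values to the valid port range, which appears to have been the case before as well; if the range is meant to be trusted downstream, rejecting negative or out-of-range values here is the natural place. The helper also has no comment; a one-liner such as `// expandRange parses a single port ("80") or an inclusive range ("9090-9095") into a PortRange carrying meta; ok is false when the string cannot be parsed.` would state the contract.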

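--- a/pkg/iac/adapters/terraform/google/compute/networks_test.go
+++ b/pkg/iac/adapters/terraform/google/compute/networks_test.go
@@ -39,7 +39,7 @@ func Test_adaptNetworks(t *testing.T) {
 source_ranges = ["1.2.3.4/32"]
 allow {
 protocol = "icmp"
-ports = ["80", "8080"]
+ports = ["80", "8080", "9090-9095"]
 }
 }
 `,
@@ -57,9 +57,19 @@ func Test_adaptNetworks(t *testing.T) {
 IsAllow: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 Protocol: iacTypes.String("icmp", iacTypes.NewTestMetadata()),
 Enforced: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
-Ports: []iacTypes.IntValue{
-iacTypes.Int(80, iacTypes.NewTestMetadata()),
-iacTypes.Int(8080, iacTypes.NewTestMetadata()),
+Ports: []compute.PortRange{
+{
+Start: iacTypes.IntTest(80),
+End: iacTypes.IntTest(80),
+},
+{
+Start: iacTypes.IntTest(8080),
+End: iacTypes.IntTest(8080),
+},
+{
+Start: iacTypes.IntTest(9090),
+End: iacTypes.IntTest(9095),
+},
 },
 },
 SourceRanges: []iacTypes.StringValue{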
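Review bot: The second hunk only pins well-formed inputs; nothing exercises the path where expandRange returns false and the adapter drops the entry with `continue` (a non-numeric string, a value with more than one `-`, or a reversed range), so a regression there would go unnoticed. Adding one such entry to the `ports` list in the first hunk and asserting that `Ports` still holds exactly these three ranges would cover it. The PortRange literals also omit Metadata, so presumably the comparison helper used by this test ignores metadata; worth confirming, since otherwise the zero Metadata would be compared against the adapted value. Test_adaptNetworks begins and ends outside these hunks.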

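--- a/pkg/iac/providers/google/compute/firewall.go
+++ b/pkg/iac/providers/google/compute/firewall.go
@@ -18,7 +18,13 @@ type FirewallRule struct {
 Enforced iacTypes.BoolValue
 IsAllow iacTypes.BoolValue
 Protocol iacTypes.StringValue
-Ports []iacTypes.IntValue
+Ports []PortRange
+}
+
+type PortRange struct {
+Metadata iacTypes.Metadata
+Start iacTypes.IntValue
+End iacTypes.IntValue
 }
 
 type IngressRule struct {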
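Review bot: `PortRange` is a new exported type with exported fields and carries no doc comment, and the fact that the interval is inclusive (the adapter maps a single port to Start == End and the enumeration it replaced used `<=`) is not stated anywhere on the type. Suggest `// PortRange is an inclusive range of ports on a firewall rule; a single port is represented with Start == End.` above the type, with `// Start is the first port in the range.` and `// End is the last port in the range.` on the fields. The type exposes `Metadata` as a plain field rather than through an accessor, which is why adapt_test.go had to switch from `GetMetadata()` to `.Metadata`; if sibling provider types in this package offer an accessor, adding the same one here would keep the API uniform, but I cannot see those types from this hunk.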

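--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
@@ -1615,10 +1615,18 @@
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
 }
 },
+"fromport": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
+},
 "protocol": {
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
 },
+"toport": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
+},
 "type": {
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
@@ -1677,6 +1685,18 @@
 "description": {
 "type": "object",
 "$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+},
+"fromport": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
+},
+"protocol": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
+},
+"toport": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
 }
 }
 },
@@ -6086,7 +6106,7 @@
 "type": "array",
 "items": {
 "type": "object",
-"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.providers.google.compute.PortRange"
 }
 },
 "protocol": {
@@ -6218,6 +6238,23 @@
 }
 }
 },
+"github.com.aquasecurity.trivy.pkg.iac.providers.google.compute.PortRange": {
+"type": "object",
+"properties": {
+"__defsec_metadata": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.Metadata"
+},
+"end": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
+},
+"start": {
+"type": "object",
+"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.IntValue"
+}
+}
+},
 "github.com.aquasecurity.trivy.pkg.iac.providers.google.compute.ProjectMetadata": {
 "type": "object",
 "properties": {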
