GitHubSecurityLab
diff --git a/‎ql/lib/codeql/bicep/frameworks/Microsoft/Authorization.qll‎
Lines changed: 191 additions & 0 deletions b/‎ql/lib/codeql/bicep/frameworks/Microsoft/Authorization.qll‎
Lines changed: 191 additions & 0 deletions
diff --git a/‎ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll‎
Lines changed: 83 additions & 0 deletions b/‎ql/lib/codeql/bicep/security/OverlyPermissiveAccessControl.qll‎
Lines changed: 83 additions & 0 deletions
@@ -0,0 +1,191 @@
+/**
+ * Authorization resource framework for Microsoft.Authorization resources in Bicep.
+ *
+ * Provides classes for working with Azure role assignments and other authorization resources.
+ *
+ * Classes:
+ * - RoleAssignmentResource: Represents Microsoft.Authorization/roleAssignments resources.
+ * - RoleAssignmentProperties: Properties object for role assignments.
+ */
+
+private import bicep
+private import codeql.bicep.frameworks.Microsoft.General
+
+module Authorization {
+  private import RoleAssignmentProperties
+
+  /**
+   * Represents a Microsoft.Authorization/roleAssignments resource in a Bicep file.
+   * See: https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments
+   */
+  class RoleAssignmentResource extends AzureResource {
+    /**
+     * Constructs a RoleAssignmentResource for Microsoft.Authorization/roleAssignments resources.
+     */
+    RoleAssignmentResource() {
+      this.getResourceType().regexpMatch("^Microsoft.Authorization/roleAssignments@.*")
+    }
+
+    /**
+     * Returns the properties object for the role assignment resource.
+     */
+    Properties getProperties() { result = this.getProperty("properties") }
+
+    /**
+     * Returns the scope property of the role assignment.
+     * This can be a reference to a subscription, resource group, or specific resource.
+     */
+    Expr getScope() { result = this.getProperty("scope") }
+
+    /**
+     * Returns the name property of the role assignment (typically a GUID).
+     */
+    StringLiteral getName() { result = this.getProperty("name") }
+
+    /**
+     * Gets the role definition ID from the properties.
+     * This identifies which Azure built-in or custom role is being assigned.
+     * It may be a direct string literal or extracted from a function call.
+     */
+    string getRoleDefinitionId() { 
+      result = this.getProperties().getRoleDefinitionId()
+    }
+
+    /**
+     * Gets the principal ID from the properties.
+     * This identifies the user, group, or service principal receiving the role assignment.
+     */
+    string getPrincipalId() { result = this.getProperties().getPrincipalId() }
+
+    /**
+     * Gets the principal type from the properties.
+     * This indicates whether the principal is a User, Group, or ServicePrincipal.
+     */
+    string getPrincipalType() { result = this.getProperties().getPrincipalType() }
+
+    /**
+     * Determines if this is a subscription-scoped role assignment.
+     */
+    predicate isSubscriptionScoped() {
+      exists(CallExpression call |
+        call = this.getScope() and
+        call.getName() = "subscription"
+      )
+    }
+
+    /**
+     * Determines if this is a resource group-scoped role assignment.
+     */
+    predicate isResourceGroupScoped() {
+      exists(CallExpression call |
+        call = this.getScope() and
+        call.getName() = "resourceGroup"
+      )
+    }
+
+    /**
+     * Determines if this role assignment has a broad scope (subscription or resource group).
+     */
+    predicate hasBroadScope() {
+      this.isSubscriptionScoped() or this.isResourceGroupScoped()
+    }
+
+    /**
+     * Determines if this role assignment grants a powerful built-in role.
+     * Checks for common powerful roles like Owner and Contributor.
+     */
+    predicate grantsPrivilegedRole() {
+      exists(string roleId | roleId = this.getRoleDefinitionId() |
+        // Owner role
+        roleId = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" or
+        // Contributor role  
+        roleId = "b24988ac-6180-42a0-ab88-20f7382dd24c" or
+        // User Access Administrator role
+        roleId = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"
+      )
+    }
+
+    /**
+     * Determines if this role assignment is overly permissive.
+     * This checks for privileged roles assigned at broad scopes.
+     */
+    predicate isOverlyPermissive() {
+      this.hasBroadScope() and this.grantsPrivilegedRole()
+    }
+  }
+
+  /**
+   * Module containing property classes for role assignment resources.
+   */
+  private module RoleAssignmentProperties {
+    /**
+     * Represents the properties object of a role assignment resource.
+     */
+    class Properties extends ResourceProperties {
+      private RoleAssignmentResource parent;
+
+      /**
+       * Constructor for the Properties class.
+       */
+      Properties() { this = parent.getProperty("properties") }
+
+      /**
+       * Gets the role definition ID property.
+       */
+      Expr getRoleDefinitionIdProperty() { result = this.getProperty("roleDefinitionId") }
+
+      /**
+       * Returns the role definition ID as a string.
+       * This handles both direct string literals and subscriptionResourceId function calls.
+       */
+      string getRoleDefinitionId() { 
+        // Direct string literal
+        result = this.getRoleDefinitionIdProperty().(StringLiteral).getValue()
+        or
+        // Extract from subscriptionResourceId function call
+        exists(CallExpression call |
+          call = this.getRoleDefinitionIdProperty() and
+          call.getName() = "subscriptionResourceId" and
+          result = call.getArgument(1).(StringLiteral).getValue()
+        )
+      }
+
+      /**
+       * Determines if the role definition ID property exists.
+       */
+      predicate hasRoleDefinitionId() { exists(this.getRoleDefinitionIdProperty()) }
+
+      /**
+       * Gets the principal ID property.
+       */
+      Expr getPrincipalIdProperty() { result = this.getProperty("principalId") }
+
+      /**
+       * Returns the principal ID as a string.
+       */
+      string getPrincipalId() { result = this.getPrincipalIdProperty().(StringLiteral).getValue() }
+
+      /**
+       * Determines if the principal ID property exists.
+       */
+      predicate hasPrincipalId() { exists(this.getPrincipalIdProperty()) }
+
+      /**
+       * Gets the principal type property.
+       */
+      Expr getPrincipalTypeProperty() { result = this.getProperty("principalType") }
+
+      /**
+       * Returns the principal type as a string.
+       */
+      string getPrincipalType() { result = this.getPrincipalTypeProperty().(StringLiteral).getValue() }
+
+      /**
+       * Determines if the principal type property exists.
+       */
+      predicate hasPrincipalType() { exists(this.getPrincipalTypeProperty()) }
+
+      override string toString() { result = "RoleAssignmentProperties" }
+    }
+  }
+}
@@ -0,0 +1,83 @@
+/**
+ * Security library for detecting overly permissive access control in Bicep templates.
+ * 
+ * This module provides classes and predicates to identify role assignments that grant
+ * excessive privileges, particularly broad roles assigned at large scopes.
+ */
+
+private import bicep
+private import codeql.bicep.dataflow.DataFlow
+private import codeql.bicep.frameworks.Microsoft.Authorization
+
+module OverlyPermissiveAccessControl {
+  /** A data flow source for overly permissive access control vulnerabilities. */
+  abstract class Source extends DataFlow::Node { }
+
+  /** A data flow sink for overly permissive access control vulnerabilities. */
+  abstract class Sink extends DataFlow::Node { }
+
+  /** A sanitizer for overly permissive access control vulnerabilities. */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /**
+   * A role assignment resource that grants privileged roles at broad scopes.
+   */
+  private class OverlyPermissiveRoleAssignment extends Source {
+    Authorization::RoleAssignmentResource roleAssignment;
+
+    OverlyPermissiveRoleAssignment() {
+      this.asExpr() = roleAssignment.getResourceDeclaration() and
+      roleAssignment.isOverlyPermissive()
+    }
+
+    /**
+     * Gets the role assignment resource.
+     */
+    Authorization::RoleAssignmentResource getRoleAssignment() { result = roleAssignment }
+
+    /**
+     * Gets a description of why this role assignment is overly permissive.
+     */
+    string getDescription() {
+      exists(string role, string scope |
+        (
+          roleAssignment.getRoleDefinitionId() = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635" and
+          role = "Owner"
+          or
+          roleAssignment.getRoleDefinitionId() = "b24988ac-6180-42a0-ab88-20f7382dd24c" and
+          role = "Contributor"
+          or
+          roleAssignment.getRoleDefinitionId() = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" and
+          role = "User Access Administrator"
+        ) and
+        (
+          roleAssignment.isSubscriptionScoped() and scope = "subscription"
+          or
+          roleAssignment.isResourceGroupScoped() and scope = "resource group"
+        ) and
+        result = role + " role assigned at " + scope + " scope"
+      )
+    }
+  }
+
+  /**
+   * Predicate to identify role assignments with overly broad scope.
+   */
+  predicate hasOverlyBroadScope(Authorization::RoleAssignmentResource roleAssignment) {
+    roleAssignment.hasBroadScope()
+  }
+
+  /**
+   * Predicate to identify role assignments with privileged roles.
+   */
+  predicate grantsPrivilegedRole(Authorization::RoleAssignmentResource roleAssignment) {
+    roleAssignment.grantsPrivilegedRole()
+  }
+
+  /**
+   * Predicate to identify role assignments that are overly permissive.
+   */
+  predicate isOverlyPermissive(Authorization::RoleAssignmentResource roleAssignment) {
+    roleAssignment.isOverlyPermissive()
+  }
+}