feat: QL src

GeekMasher · GeekMasher · commit 88dfbb2c1bf8 · 2023-08-14T17:33:56.000+01:00
diff --git a/ql/src/Security/Terraform/AWS/ESDisabledLogging.ql b/ql/src/Security/Terraform/AWS/ESDisabledLogging.ql
@@ -0,0 +1,25 @@
+/**
+ * @name Elastic Search Logging Disabled
+ * @description Elastic Search Logging Disabled
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 6.0
+ * @precision high
+ * @id hcl/aws/elastic-search-disabled-logging
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "aws_elasticsearch_domain" and
+  // Disabled by default (in-secure), if present the default if turned on (secure)
+  not r.hasAttribute("log_publishing_options")
+  or
+  exists(Block block |
+    block = r.getAttribute("log_publishing_options") and
+    r.getAttribute("enabled").(BooleanLiteral).getBool() = false and
+    block = r
+  )
+select r, "Logging Disabled"
diff --git a/ql/src/Security/Terraform/AWS/RDBUnencrypted.ql b/ql/src/Security/Terraform/AWS/RDBUnencrypted.ql
@@ -0,0 +1,19 @@
+/**
+ * @name RDS Database Unencrypted
+ * @description RDS Database Unencrypted
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/aws/rds-database-unencrytped
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "aws_db_instance" and
+  not r.hasAttribute("storage_encrypted")
+// TODO: check if set to true
+select r, "S3 Bucket Unencrypted: \"" + r.getName() + "\""
diff --git a/ql/src/Security/Terraform/AWS/S3LoggingDisabled.ql b/ql/src/Security/Terraform/AWS/S3LoggingDisabled.ql
@@ -0,0 +1,20 @@
+/**
+ * @name S3 Bucket Logging Disabled
+ * @description S3 Bucket Logging Disabled
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/aws/s3-logging-disabled
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "aws_s3_bucket" and
+  // Disable by default
+  not r.hasAttribute("logging")
+// target_bucket = "target-bucket"
+select r, "Logging disabled for: \"" + r.getName() + "\""
diff --git a/ql/src/Security/Terraform/AWS/S3PublicBucket.ql b/ql/src/Security/Terraform/AWS/S3PublicBucket.ql
@@ -0,0 +1,27 @@
+/**
+ * @name Public S3 Bucket
+ * @description Public S3 Bucket
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 10.0
+ * @precision high
+ * @id hcl/aws/public-s3-bucket
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "aws_s3_bucket" and
+  (
+    // Default is public
+    not r.hasAttribute("acl")
+    or
+    // If the ACL is set to "public-read"
+    exists(StringLiteral str |
+      str = r.getAttribute("acl") and
+      str.getValue() = "public-read"
+    )
+  )
+select r, "Public S3 Bucket resource"
diff --git a/ql/src/Security/Terraform/AWS/S3PublicBucketAccessEnabled.ql b/ql/src/Security/Terraform/AWS/S3PublicBucketAccessEnabled.ql
@@ -0,0 +1,19 @@
+/**
+ * @name S3 Access Policy Allows Public Buckets
+ * @description S3 Access Policy Allows Public Buckets
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id hcl/aws/s3-public-access-disabled
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "aws_s3_bucket_public_access_block" and
+  not r.hasAttribute("restrict_public_buckets")
+// TODO: check if set to try
+select r, "Access Policy"
diff --git a/ql/src/Security/Terraform/AWS/S3UnencryptedBucket.ql b/ql/src/Security/Terraform/AWS/S3UnencryptedBucket.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Unencrytped S3 Bucket
+ * @description Unencrytped S3 Bucket
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/aws/unencrytped-s3-bucket
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "aws_s3_bucket" and
+  not r.hasAttribute("server_side_encryption_configuration")
+select r, "S3 Bucket Unencrypted: \"" + r.getName() + "\""
diff --git a/ql/src/Security/Terraform/AWS/S3VersioningDisabled.ql b/ql/src/Security/Terraform/AWS/S3VersioningDisabled.ql
@@ -0,0 +1,33 @@
+/**
+ * @name S3 Bucket Versioning Disabled
+ * @description S3 Bucket Versioning Disabled
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/aws/s3-versioning-disabled
+ * @tags security
+ */
+
+import hcl
+
+from Resource resource
+where
+  exists(Resource aws |
+    aws.getResourceType() = "aws_s3_bucket" and
+    // Disable by default
+    (
+      not aws.hasAttribute("versioning") and
+      resource = aws
+    )
+    or
+    exists(Block block |
+      // versioning {
+      //     enabled = false
+      // }
+      block = aws.getAttribute("versioning") and
+      block.getAttribute("enabled").(BooleanLiteral).getBool() = false and
+      block = resource
+    )
+  )
+select resource, "Versioning disabled for: \"" + resource.getName() + "\""
diff --git a/ql/src/Security/Terraform/Alicloud/PublicBucket.ql b/ql/src/Security/Terraform/Alicloud/PublicBucket.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Alicloud Public Bucket
+ * @description Elastic Search Logging Disabled
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 10.0
+ * @precision high
+ * @id hcl/alicloud/public-bucket
+ * @tags security
+ */
+
+import hcl
+
+from Resource r
+where
+  r.getResourceType() = "alicloud_oss_bucket" and
+  exists(StringLiteral str |
+    str = r.getAttribute("acl") and
+    str.getValue() = "public-read-write"
+  )
+select r, "Public and Writeable"
diff --git a/ql/src/Security/Terraform/Azure/ManagedStorageUnencrypted.ql b/ql/src/Security/Terraform/Azure/ManagedStorageUnencrypted.ql
@@ -0,0 +1,26 @@
+/**
+ * @name Azure Managed Storage is Unencrypted
+ * @description Azure Storage is Unencrypted
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/azure/storage-unencrypted
+ * @tags security
+ */
+
+import hcl
+
+// https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
+from Resource r, Block encryption_settings, Expr attr
+where
+  r.getResourceType() = "azurerm_managed_disk" and
+  // resource azurerm_managed_disk {
+  //   encryption_settings {
+  //     enabled = false
+  //   }
+  // }
+  encryption_settings = r.getAttribute("encryption_settings") and
+  attr = encryption_settings.getAttribute("enabled") and
+  attr.(BooleanLiteral).getBool() = false
+select attr, "Azure Storage is Unencrypted for '" + r.getName() + "'"
diff --git a/ql/src/Security/Terraform/Azure/SSLDisabled.ql b/ql/src/Security/Terraform/Azure/SSLDisabled.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Azure Service TLS/SSL Disable
+ * @description Azure Service TLS/SSL Disable
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 10.0
+ * @precision high
+ * @id hcl/azure/ssl-disabled
+ * @tags security
+ */
+
+import hcl
+
+from Resource resource, Expr attr
+where
+  resource.getResourceType() = ["azurerm_mysql_server", "azurerm_postgresql_server"] and
+  attr = resource.getAttribute("ssl_enforcement_enabled")
+// TODO: attr check to make sure its false
+select attr, "TLS/SSL Disabled"
diff --git a/ql/src/Security/Terraform/Azure/WeakEncryption.ql b/ql/src/Security/Terraform/Azure/WeakEncryption.ql
@@ -0,0 +1,19 @@
+/**
+ * @name Azure Service TLS/SSL Weak Encryption
+ * @description Azure Service TLS/SSL Weak Encryption
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/azure/weak-encryption
+ * @tags security
+ */
+
+import hcl
+
+from Resource resource, Expr attr
+where
+  resource.getResourceType() = ["azurerm_mysql_server", "azurerm_postgresql_server"] and
+  attr = resource.getAttribute("ssl_minimal_tls_version_enforced") and
+  attr.(StringLiteral).getValue() = ["TLS1_0", "TLS1_1"]
+select attr, "Weak Encryption"
diff --git a/ql/src/Security/Terraform/EmbeddedScripts.ql b/ql/src/Security/Terraform/EmbeddedScripts.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Embedded Scripts
+ * @description Embedded Scripts
+ * @kind problem
+ * @problem.severity note
+ * @security-severity 2.0
+ * @precision high
+ * @id hcl/machine-embedded-scripts
+ * @tags security
+ *       experimental
+ */
+
+import hcl
+
+from Resource resource, HereDoc data
+where
+  resource.getResourceType() = "aws_instance" and
+  data = resource.getAttribute("user_data")
+  or
+  resource.getResourceType() = "null_resource" and
+  data = resource.getAttribute("command")
+select data, "Embedded script found"
diff --git a/ql/src/Security/Terraform/GCP/ABACEnabled.ql b/ql/src/Security/Terraform/GCP/ABACEnabled.ql
@@ -0,0 +1,19 @@
+/**
+ * @name GCP ABAC Permissions enabled
+ * @description GCP ABAC Permissions enabled
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/gcp/abac-enabled
+ * @tags security
+ */
+
+import hcl
+
+from Resource resource, Expr attr
+where
+  resource.getResourceType() = "google_container_cluster" and
+  attr = resource.getAttribute("enable_legacy_abac")
+// TODO check if set to true
+select attr, "ABAC Enabled"
diff --git a/ql/src/Security/Terraform/GCP/ClusterPodSecurityPolicy.ql b/ql/src/Security/Terraform/GCP/ClusterPodSecurityPolicy.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Cluster Pod Security Policy
+ * @description Cluster Pod Security Policy
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id hcl/gcp/cluster-pod-security-policy
+ * @tags security
+ */
+
+import hcl
+
+from Resource resource
+where
+  resource.getResourceType() = "google_container_cluster" and
+  not resource.hasAttribute("pod_security_policy_config")
+// or
+// attr = resource.getAttribute("pod_security_policy_config")
+// TODO check if set to true
+select resource, "No Pod Security Policy Defined"
diff --git a/ql/src/Security/Terraform/HardcodedPasswords.ql b/ql/src/Security/Terraform/HardcodedPasswords.ql
@@ -0,0 +1,39 @@
+/**
+ * @name Hardcoded Passwords
+ * @description Hardcoded Passwords
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id hcl/hardcoded-passwords
+ * @tags security
+ */
+
+import hcl
+
+from Expr e
+where
+  // Azure
+  exists(Resource r |
+    e = r.getAttribute("administrator_login_password")
+    or
+    // Username
+    e = r.getAttribute("administrator_login")
+  )
+  or
+  // AWS
+  exists(Block b |
+    b.hasType("provider") and
+    b.getLabel(0) = "aws" and
+    (
+      e = b.getAttribute("access_key")
+      or
+      e = b.getAttribute("secret_key")
+    )
+  )
+  or
+  exists(Resource r | r.getResourceType() = "aws_db_instance" |
+    e = r.getAttribute("username") or e = r.getAttribute("password")
+  )
+//
+select e, "Hardcoded Password"
diff --git a/ql/src/codeql-pack.lock.yml b/ql/src/codeql-pack.lock.yml
@@ -0,0 +1,8 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/util:
+    version: 0.0.4
+  codeql/yaml:
+    version: 0.1.2
+compiled: false
diff --git a/ql/src/codeql-suites/iac-code-scanning.qls b/ql/src/codeql-suites/iac-code-scanning.qls
@@ -0,0 +1,11 @@
+- description: Standard Code Scanning queries for HCL
+- queries: .
+- include:
+    kind:
+    - problem
+    tags contain:
+    - security
+
+- exclude:
+    tags contain:
+      - experimental
diff --git a/ql/src/qlpack.yml b/ql/src/qlpack.yml
@@ -0,0 +1,9 @@
+name: codeql/iac-queries
+version: 0.0.1-dev
+groups: 
+  - iac
+  - queries
+dependencies:
+  codeql/iac-all: ${workspace}
+extractor: iac
+defaultSuiteFile: codeql-suites/iac-code-scanning.qls
diff --git a/ql/src/queries.xml b/ql/src/queries.xml
@@ -0,0 +1 @@
+<queries language="iac"/>
