feat(tf): Update Azure provider and PublicStorage

GeekMasher · GeekMasher · commit 4104c729662d · 2024-09-25T15:29:46.000Z
diff --git a/ql/lib/codeql/hcl/Resources.qll b/ql/lib/codeql/hcl/Resources.qll
@@ -1,5 +1,6 @@
 private import codeql.Locations
 private import codeql.hcl.AST
+private import codeql.hcl.Terraform::Terraform
 
 // Resources are the most important element in the Terraform language.
 // Each resource block describes one or more infrastructure objects, such as
@@ -18,7 +19,7 @@ class Resource extends Block {
   /**
    * Get the provider of the resource.
    */
-  string getProvider() { result = "Unknown Provider" }
+  RequiredProvider getProvider() { none() }
 
   /**
    * Returns the resource id.
diff --git a/ql/lib/codeql/hcl/Terraform.qll b/ql/lib/codeql/hcl/Terraform.qll
@@ -1,5 +1,6 @@
 private import codeql.files.FileSystem
 private import codeql.hcl.AST
+private import codeql.iac.Dependencies
 private import Resources
 
 module Terraform {
@@ -42,12 +43,21 @@ module Terraform {
      */
     abstract string getVersion();
 
+    /**
+     * Gets the semantic version of the provider.
+     */
+    abstract SemanticVersion getSemanticVersion();
+
     /**
      * Gets the source of the provider.
      */
     abstract string getSource();
   }
 
+  RequiredProvider getProviderByName(string name) {
+    exists(RequiredProvider provider | provider.getName() = name)
+  }
+
   /**
    * Basic Terraform required provider String.
    */
@@ -62,6 +72,8 @@ module Terraform {
 
     override string getVersion() { result = this.getValue() }
 
+    override SemanticVersion getSemanticVersion() { result = this.getValue() }
+
     /**
      * Basic providers are assumed to be from the Hashicorp namespace.
      */
@@ -93,5 +105,7 @@ module Terraform {
     override string getVersion() {
       result = this.getElementByName("version").(StringLiteral).getValue()
     }
+
+    override SemanticVersion getSemanticVersion() { result = this.getVersion() }
   }
 }
diff --git a/ql/lib/codeql/hcl/providers/Azure.qll b/ql/lib/codeql/hcl/providers/Azure.qll
@@ -1,6 +1,7 @@
 private import codeql.hcl.AST
 private import codeql.hcl.Resources
 private import codeql.hcl.Constants
+private import codeql.hcl.Terraform::Terraform
 
 module Azure {
   /**
@@ -11,7 +12,7 @@ module Azure {
   class AzureResource extends Resource, Block {
     AzureResource() { this.getResourceType().regexpMatch("^azurerm.*") }
 
-    override string getProvider() { result = "Azurerm" }
+    override RequiredProvider getProvider() { result = getProviderByName("azurerm") }
   }
 
   /**
@@ -108,14 +109,36 @@ module Azure {
      */
     override string getName() { result = this.getAttribute("name").(StringLiteral).getValue() }
 
+    /**
+     * Get the `allow_blob_public_access` property of the storage account. Only available
+     * for `azurerm` v2 and not v3 onwards.
+     *
+     * https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG-v3.md
+     */
+    boolean getAllowBlobPublicAccess() {
+      this.getProvider().getSemanticVersion().maybeBefore("3.0.0") and
+      result = this.getAttribute("allow_blob_public_access").(BooleanLiteral).getBool()
+      or
+      result = false
+    }
+
+    /**
+     * Get the `public_network_access_enabled` property of the storage account.
+     */
     boolean getEnableHttpsTrafficOnly() {
       result = this.getAttribute("enable_https_traffic_only").(BooleanLiteral).getBool()
     }
 
+    /**
+     * Get the `public_network_access_enabled` property of the storage account.
+     */
     boolean getPublicNetworkAccess() {
       result = this.getAttribute("public_network_access_enabled").(BooleanLiteral).getBool()
     }
 
+    /**
+     * Get the `allow_nested_items_to_be_public` property of the storage account.
+     */
     boolean getAllowNestedItemsToBePublic() {
       result = this.getAttribute("allow_nested_items_to_be_public").(BooleanLiteral).getBool()
     }
diff --git a/ql/lib/codeql/hcl/security/PublicStorage.qll b/ql/lib/codeql/hcl/security/PublicStorage.qll
@@ -15,8 +15,11 @@ class AzurePublicStorage extends Azure::AzureResource, PublicStorage {
       storage_container.getProperty("publicAccess").(StringLiteral).getValue() = "blob"
     )
     or
-    // Azure Storage Accounts (v3)
+    // Azure Storage Accounts
     exists(Azure::StorageAccount storage_acount |
+      // v2
+      storage_acount.getAllowBlobPublicAccess() = true or
+      // v3
       storage_acount.getPublicNetworkAccess() = true or
       storage_acount.getAllowNestedItemsToBePublic() = true
     )
diff --git a/ql/test/queries-tests/Terraform/Azure/Storage/PublicAccess/storage.tf b/ql/test/queries-tests/Terraform/Azure/Storage/PublicAccess/storage.tf
@@ -13,3 +13,16 @@ resource "azurerm_storage_container" "insecure" {
     "publicAccess" = "blob"
   }
 }
+
+# insecure (v3)
+resource "azurerm_storage_account" "insecure_storage_account" {
+  name                            = "insecure-storage-account"
+  location                        = var.location
+  account_kind                    = var.kind
+  account_tier                    = var.tier
+  account_replication_type        = var.replication_type
+  resource_group_name             = var.resource_group_name
+  public_network_access_enabled   = true
+  allow_nested_items_to_be_public = true
+  min_tls_version                 = var.min_tls_version
+}

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,11 @@ class AzurePublicStorage extends Azure::AzureResource, PublicStorage {`
`15`	`15`	`storage_container.getProperty("publicAccess").(StringLiteral).getValue() = "blob"`
`16`	`16`	`)`
`17`	`17`	`or`
`18`		`- // Azure Storage Accounts (v3)`
	`18`	`+ // Azure Storage Accounts`
`19`	`19`	`exists(Azure::StorageAccount storage_acount \|`
	`20`	`+ // v2`
	`21`	`+ storage_acount.getAllowBlobPublicAccess() = true or`
	`22`	`+ // v3`
`20`	`23`	`storage_acount.getPublicNetworkAccess() = true or`
`21`	`24`	`storage_acount.getAllowNestedItemsToBePublic() = true`
`22`	`25`	`)`