feat(tf): Update PublicStorage and tests

GeekMasher · GeekMasher · commit 5729f59170fb · 2024-09-25T17:21:52.000+01:00
diff --git a/ql/lib/codeql/hcl/providers/Azure.qll b/ql/lib/codeql/hcl/providers/Azure.qll
@@ -109,38 +109,54 @@ module Azure {
      */
     override string getName() { result = this.getAttribute("name").(StringLiteral).getValue() }
 
+    Expr getAllowBlobPublicAccess() {
+      this.getProvider().getSemanticVersion().maybeBefore("3.0.0") and
+      result = this.getAttribute("allow_blob_public_access")
+    }
+
     /**
      * Get the `allow_blob_public_access` property of the storage account. Only available
      * for `azurerm` v2 and not v3 onwards.
      *
      * https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG-v3.md
      */
-    boolean getAllowBlobPublicAccess() {
-      this.getProvider().getSemanticVersion().maybeBefore("3.0.0") and
-      result = this.getAttribute("allow_blob_public_access").(BooleanLiteral).getBool()
+    boolean getAllowBlobPublicAccessValue() {
+      result = this.getAllowBlobPublicAccess().(BooleanLiteral).getBool()
       or
       result = false
     }
 
+    Expr getEnableHttpsTrafficOnly() {
+      result = this.getAttribute("enable_https_traffic_only")
+    }
+
     /**
      * Get the `public_network_access_enabled` property of the storage account.
      */
-    boolean getEnableHttpsTrafficOnly() {
-      result = this.getAttribute("enable_https_traffic_only").(BooleanLiteral).getBool()
+    boolean getEnableHttpsTrafficOnlyValue() {
+      result = this.getEnableHttpsTrafficOnly().(BooleanLiteral).getBool()
+    }
+
+    Expr getPublicNetworkAccess() {
+      result = this.getAttribute("public_network_access_enabled")
     }
 
     /**
      * Get the `public_network_access_enabled` property of the storage account.
      */
-    boolean getPublicNetworkAccess() {
-      result = this.getAttribute("public_network_access_enabled").(BooleanLiteral).getBool()
+    boolean getPublicNetworkAccessValue() {
+      result = this.getPublicNetworkAccess().(BooleanLiteral).getBool()
+    }
+
+    Expr getAllowNestedItemsToBePublic() {
+      result = this.getAttribute("allow_nested_items_to_be_public")
     }
 
     /**
      * Get the `allow_nested_items_to_be_public` property of the storage account.
      */
-    boolean getAllowNestedItemsToBePublic() {
-      result = this.getAttribute("allow_nested_items_to_be_public").(BooleanLiteral).getBool()
+    boolean getAllowNestedItemsToBePublicValue() {
+      result = this.getPublicNetworkAccess().(BooleanLiteral).getBool()
     }
   }
 
diff --git a/ql/lib/codeql/hcl/security/PublicStorage.qll b/ql/lib/codeql/hcl/security/PublicStorage.qll
@@ -1,29 +1,39 @@
 import iac
 
 abstract class PublicStorage extends Expr {
-  abstract string getName();
+  abstract string getProvider();
 }
 
 /**
  * Azure Public Storage.
  */
-class AzurePublicStorage extends Azure::AzureResource, PublicStorage {
+class AzurePublicStorage extends PublicStorage {
   AzurePublicStorage() {
     // Azure Storage Container
     exists(Azure::StorageContainer storage_container |
       storage_container.getContainerAccessType() = "blob" and
       storage_container.getProperty("publicAccess").(StringLiteral).getValue() = "blob"
+      and
+      this = storage_container.getProperty("publicAccess")
     )
     or
     // Azure Storage Accounts
     exists(Azure::StorageAccount storage_acount |
-      // v2
-      storage_acount.getAllowBlobPublicAccess() = true or
-      // v3
-      storage_acount.getPublicNetworkAccess() = true or
-      storage_acount.getAllowNestedItemsToBePublic() = true
+      (
+        // v2
+        storage_acount.getAllowBlobPublicAccessValue() = true and
+        this = storage_acount.getAllowBlobPublicAccess()
+        ) or
+        (
+          // v3
+          storage_acount.getAllowNestedItemsToBePublicValue() = true
+          and
+          this = storage_acount.getAllowNestedItemsToBePublic()
+        )
     )
   }
 
-  override string getName() { result = this.getName() }
+  override string getProvider() {
+    result = "Azure"
+  }
 }
diff --git a/ql/src/security/Terraform/Azure/ManagedDisk/PublicAccess.ql b/ql/src/security/Terraform/Azure/ManagedDisk/PublicAccess.ql
@@ -17,4 +17,4 @@ import codeql.hcl.security.PublicStorage
 
 // https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
 from AzurePublicStorage public_storage
-select public_storage, "Azure Storage is Public for '" + public_storage.getName() + "'"
+select public_storage, "Azure Storage is Public"
diff --git a/ql/test/queries-tests/Terraform/Azure/Storage/PublicAccess/PublicAccess.expected b/ql/test/queries-tests/Terraform/Azure/Storage/PublicAccess/PublicAccess.expected
@@ -1 +1,2 @@
-| storage.tf:9:1:15:1 | resource azurerm_storage_container insecure | Azure Storage is Unencrypted for 'insecure' |
+| storage.tf:13:22:13:27 | blob | Azure Storage is Public |
+| storage.tf:26:37:26:40 | true | Azure Storage is Public |

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-\| storage.tf:9:1:15:1 \| resource azurerm_storage_container insecure \| Azure Storage is Unencrypted for 'insecure' \|`
	`1`	`+\| storage.tf:13:22:13:27 \| blob \| Azure Storage is Public \|`
	`2`	`+\| storage.tf:26:37:26:40 \| true \| Azure Storage is Public \|`