feat(tf): Improve resource, update Azure provider, and Public storage query

GeekMasher · GeekMasher · commit a72077f6ddf9 · 2024-09-25T09:38:24.000Z
diff --git a/ql/lib/codeql/hcl/Resources.qll b/ql/lib/codeql/hcl/Resources.qll
@@ -10,8 +10,16 @@ private import codeql.hcl.AST
 class Resource extends Block {
   Resource() { this.hasType("resource") }
 
+  /**
+   * Get the name of the resource.
+   */
   string getName() { result = this.getLabel(1) }
 
+  /**
+   * Get the provider of the resource.
+   */
+  string getProvider() { result = "Unknown Provider" }
+
   /**
    * Returns the resource id.
    */
diff --git a/ql/lib/codeql/hcl/providers/Azure.qll b/ql/lib/codeql/hcl/providers/Azure.qll
@@ -10,6 +10,8 @@ module Azure {
    */
   class AzureResource extends Resource, Block {
     AzureResource() { this.getResourceType().regexpMatch("^azurerm.*") }
+
+    override string getProvider() { result = "Azurerm" }
   }
 
   /**
@@ -78,6 +80,11 @@ module Azure {
   class StorageContainer extends AzureResource {
     StorageContainer() { this.getResourceType() = "azurerm_storage_container" }
 
+    /**
+     * Get the name of the storage container.
+     */
+    override string getName() { result = this.getAttribute("name").(StringLiteral).getValue() }
+
     string getContainerAccessType() {
       result = this.getAttribute("container_access_type").(StringLiteral).getValue()
     }
@@ -96,6 +103,11 @@ module Azure {
   class StorageAccount extends AzureResource {
     StorageAccount() { this.getResourceType() = "azurerm_storage_account" }
 
+    /**
+     * Get the name of the storage account.
+     */
+    override string getName() { result = this.getAttribute("name").(StringLiteral).getValue() }
+
     boolean getEnableHttpsTrafficOnly() {
       result = this.getAttribute("enable_https_traffic_only").(BooleanLiteral).getBool()
     }
diff --git a/ql/lib/codeql/hcl/security/PublicStorage.qll b/ql/lib/codeql/hcl/security/PublicStorage.qll
@@ -1,11 +1,13 @@
 import iac
 
-abstract class PublicStorage extends Expr { }
+abstract class PublicStorage extends Expr {
+  abstract string getName();
+}
 
 /**
  * Azure Public Storage.
  */
-class AzurePublicStorage extends PublicStorage {
+class AzurePublicStorage extends Azure::AzureResource, PublicStorage {
   AzurePublicStorage() {
     // Azure Storage Container
     exists(Azure::StorageContainer storage_container |
@@ -19,4 +21,6 @@ class AzurePublicStorage extends PublicStorage {
       storage_acount.getAllowNestedItemsToBePublic() = true
     )
   }
+
+  override string getName() { result = this.getName() }
 }
diff --git a/ql/src/security/Terraform/Azure/ManagedDisk/PublicAccess.ql b/ql/src/security/Terraform/Azure/ManagedDisk/PublicAccess.ql
@@ -13,10 +13,8 @@
  */
 
 import hcl
+import codeql.hcl.security.PublicStorage
 
 // https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
-from Azure::StorageContainer managed_disk
-where
-  managed_disk.getContainerAccessType() = "blob" and
-  managed_disk.getProperty("publicAccess").(StringLiteral).getValue() = "blob"
-select managed_disk, "Azure Storage is Unencrypted for '" + managed_disk.getName() + "'"
+from AzurePublicStorage public_storage
+select public_storage, "Azure Storage is Public for '" + public_storage.getName() + "'"
