Add policy examples for nginx cves 5044, 5043, and 4886. (#832)

* Add policy examples for nginx cves 5044, 5043, and 4886. * update version.txt * update changelog * update rok8s-scripts * added new line to trigger pipeline * removed return * Update version.txt * Update config.yml change from 13.1.1 to 12.1.1
FairwindsOps · Nov 20, 2023 · 3f6d864 · 3f6d864
1 parent 40f9644
commit 3f6d864
Show file tree

Hide file tree

Showing 13 changed files with 179 additions and 3 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -2,7 +2,7 @@ version: 2.1
 
 orbs:
   slack: circleci/[email protected]
-  rok8s-scripts: fairwinds/rok8s-scripts@11.13
+  rok8s-scripts: fairwinds/rok8s-scripts@12.1.1
 
 commands:
   install_goreleaser_dependencies:

diff --git a/plugins/opa/CHANGELOG.md b/plugins/opa/CHANGELOG.md
@@ -1,11 +1,16 @@
 # Changelog
 
+
+## 2.4.0
+* add checks for nginx cves 4886, 5054, and 5043
+
 ## 2.3.2
 * update dependencies
 
 ## 2.3.1
 * Update to go 1.21
 
+
 ## 2.3.0
 * migrate opa plugin from go-funk to lo
 

diff --git a/plugins/opa/examples-v2/nginx-cve-2023-4886/policy.failure.yaml b/plugins/opa/examples-v2/nginx-cve-2023-4886/policy.failure.yaml
@@ -0,0 +1,22 @@
+# This manifest is used to test the accompanying OPA policy.
+# Applying this in your cluster could create a security vulnerability!
+# This deployment is for policy testing/validation only!
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-object
+  namespace: staging
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+  - host: tofu.yahoo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: tofu-svc
+            port:
+              number: 3000
+        path: /
+        # This will cause the policy to fail.
+        pathType: ImplementationSpecific
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-4886/policy.rego b/plugins/opa/examples-v2/nginx-cve-2023-4886/policy.rego
@@ -0,0 +1,13 @@
+package fairwinds
+
+noImplementationSpecificPathType[actionItem] {
+  input.kind == "Ingress"
+  input.spec.rules[_].http.paths[_].pathType == "ImplementationSpecific"
+  actionItem := {
+    "title": "Ingress is using pathType ImplementationSpecific",
+    "description": "CVE-2023-4886",
+    "remediation": "ImplementationSpecific should be replaced with Exact or Prefix if possible",
+    "category": "Security",
+    "severity": 0.7,
+  }
+}
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-4886/policy.success.yaml b/plugins/opa/examples-v2/nginx-cve-2023-4886/policy.success.yaml
@@ -0,0 +1,20 @@
+# This manifest is used to test the accompanying OPA policy.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-object
+  namespace: staging
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+  - host: tofu.yahoo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: tofu-svc
+            port:
+              number: 3000
+        path: /
+        pathType: Exact
+# Lack of a ImplementationSpecific pathType will cause the policy to succeed.
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-5043/policy.failure.yaml b/plugins/opa/examples-v2/nginx-cve-2023-5043/policy.failure.yaml
@@ -0,0 +1,25 @@
+# This manifest is used to test the accompanying OPA policy.
+# Applying this in your cluster could create a security vulnerability!
+# This deployment is for policy testing/validation only!
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+  # This annotation will cause the policy to fail
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "Request-Id: $req_id";
+  name: ingress-object
+  namespace: staging
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+  - host: tofu.yahoo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: tofu-svc
+            port:
+              number: 3000
+        path: /
+        pathType: Exact
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-5043/policy.rego b/plugins/opa/examples-v2/nginx-cve-2023-5043/policy.rego
@@ -0,0 +1,13 @@
+package fairwinds
+
+noConfigurationSnippet[actionItem] {
+  input.kind == "Ingress"
+  input.metadata.annotations["nginx.ingress.kubernetes.io/configuration-snippet"]
+  actionItem := {
+    "title": "Ingress is using configuration snippet annotation",
+    "description": "CVE-2023-5043",
+    "remediation": "Annotation validation should be enabled in the cluster",
+    "category": "Security",
+    "severity": 0.7,
+  }
+}
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-5043/policy.success.yaml b/plugins/opa/examples-v2/nginx-cve-2023-5043/policy.success.yaml
@@ -0,0 +1,20 @@
+# This manifest is used to test the accompanying OPA policy.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+# no configuration snippet annotation will allow this policy to succeed
+  name: ingress-object
+  namespace: staging
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+  - host: tofu.yahoo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: tofu-svc
+            port:
+              number: 3000
+        path: /
+        pathType: Exact
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-5044/policy.failure.yaml b/plugins/opa/examples-v2/nginx-cve-2023-5044/policy.failure.yaml
@@ -0,0 +1,24 @@
+# This manifest is used to test the accompanying OPA policy.
+# Applying this in your cluster could create a security vulnerability!
+# This deployment is for policy testing/validation only!
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+  # This annotation will cause the policy to fail
+    nginx.ingress.kubernetes.io/permanent-redirect: "www.yahoo.com"
+  name: ingress-object
+  namespace: staging
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+  - host: tofu.yahoo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: tofu-svc
+            port:
+              number: 3000
+        path: /
+        pathType: Exact
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-5044/policy.rego b/plugins/opa/examples-v2/nginx-cve-2023-5044/policy.rego
@@ -0,0 +1,13 @@
+package fairwinds
+
+noPermanentRedirect[actionItem] {
+  input.kind == "Ingress"
+  input.metadata.annotations["nginx.ingress.kubernetes.io/permanent-redirect"]
+  actionItem := {
+    "title": "Ingress is using permanent redirect annotation",
+    "description": "CVE-2023-5044",
+    "remediation": "Annotation validation should be enabled in the cluster",
+    "category": "Security",
+    "severity": 0.7,
+  }
+}
diff --git a/plugins/opa/examples-v2/nginx-cve-2023-5044/policy.success.yaml b/plugins/opa/examples-v2/nginx-cve-2023-5044/policy.success.yaml
@@ -0,0 +1,20 @@
+# This manifest is used to test the accompanying OPA policy.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+# Lack of a permanent redirect annotation will cause this policy to succeed
+  name: ingress-object
+  namespace: staging
+spec:
+  ingressClassName: nginx-ingress
+  rules:
+  - host: tofu.yahoo.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: tofu-svc
+            port:
+              number: 3000
+        path: /
+        pathType: Exact
diff --git a/plugins/opa/version.txt b/plugins/opa/version.txt
@@ -1 +1,3 @@
-2.3.2
+2.4.0
+
+
diff --git a/scripts/bump-changed.sh b/scripts/bump-changed.sh
@@ -27,4 +27,3 @@ for d in ./plugins/*/ ; do
     tail -n+2 $d/CHANGELOG.md >> /tmp/CHANGELOG.md
     mv /tmp/CHANGELOG.md $d/CHANGELOG.md
 done
-
Original file line number	Diff line number	Diff line change
Expand Up		@@ -27,4 +27,3 @@ for d in ./plugins/*/ ; do
		tail -n+2 $d/CHANGELOG.md >> /tmp/CHANGELOG.md
		mv /tmp/CHANGELOG.md $d/CHANGELOG.md
		done