Skip to content

Commit

Permalink
Merge pull request #73 from Peefy/add-more-nginx-ingress-modules
Browse files Browse the repository at this point in the history
feat: add more nginx ingress modules
  • Loading branch information
Peefy authored Nov 13, 2023
2 parents 66467f5 + e778aaa commit 7057deb
Show file tree
Hide file tree
Showing 6 changed files with 66 additions and 0 deletions.
7 changes: 7 additions & 0 deletions nginx-ingress-restrict-annotations/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
## Introduction

`nginx-ingress-restrict-annotations` is a KCL validation module.

## Resource

The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/nginx-ingress-restrict-annotations)
5 changes: 5 additions & 0 deletions nginx-ingress-restrict-annotations/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
[package]
name = "nginx-ingress-restrict-annotations"
edition = "*"
version = "0.1.0"
description = "`nginx-ingress-restrict-annotations` is a KCL validation module"
24 changes: 24 additions & 0 deletions nginx-ingress-restrict-annotations/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
"""
This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go.
This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the
"annotation-value-word-blocklist" configuration setting is also recommended.
Please refer to the CVE for details.
"""
import regex

invalid_anno_value_patterns = ["\\s*alias\\s*.*;", "\\s*root\\s*.*;", "/etc/(passwd|shadow|group|nginx|ingress-controller)", "/var/run/secrets", ".*_by_lua.*"]
msg = "spec.metadata.annotations.values, invalid annotation value patterns ${invalid_anno_value_patterns}"
validate_restrict_ingress_paths = lambda item {
if item.kind == "Ingress":
values = [v for _, v in item.metadata.annotations]
if values:
assert all v in values {
not any pattern in invalid_anno_value_patterns {
regex.match(v, pattern)
}
}, msg
item
}
# Validate All resource
items = [validate_restrict_ingress_paths(i) for i in option("items")]
7 changes: 7 additions & 0 deletions nginx-ingress-restrict-paths/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
## Introduction

`nginx-ingress-restrict-paths` is a KCL validation module.

## Resource

The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/nginx-ingress-restrict-paths)
5 changes: 5 additions & 0 deletions nginx-ingress-restrict-paths/kcl.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
[package]
name = "nginx-ingress-restrict-paths"
edition = "*"
version = "0.1.0"
description = "`nginx-ingress-restrict-paths` is a KCL validation module"
18 changes: 18 additions & 0 deletions nginx-ingress-restrict-paths/main.k
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
"""
This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values.
Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
Please refer to the CVE for details.
"""
invalid_paths = ["/etc", "/var/run/secrets", "/root", "/var/run/kubernetes/serviceaccount", "/etc/kubernetes/admin.conf"]
msg = "spec.rules[].http.paths[].path value is not allowed, invalid values ${invalid_paths}"
validate_restrict_ingress_paths = lambda item {
if item.kind == "Ingress":
paths = [p.path for r in item.spec.rules for p in r.http.paths]
if paths:
assert all path in paths {
path not in invalid_paths
}, msg
item
}
# Validate All resource
items = [validate_restrict_ingress_paths(i) for i in option("items")]

0 comments on commit 7057deb

Please sign in to comment.