feat: add more nginx ingress modules

Signed-off-by: peefy <[email protected]>
kcl-lang · Nov 13, 2023 · e778aaa · e778aaa
1 parent 53259f4
commit e778aaa
Show file tree

Hide file tree

Showing 6 changed files with 66 additions and 0 deletions.
diff --git a/nginx-ingress-restrict-annotations/README.md b/nginx-ingress-restrict-annotations/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`nginx-ingress-restrict-annotations` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/nginx-ingress-restrict-annotations)
diff --git a/nginx-ingress-restrict-annotations/kcl.mod b/nginx-ingress-restrict-annotations/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "nginx-ingress-restrict-annotations"
+edition = "*"
+version = "0.1.0"
+description = "`nginx-ingress-restrict-annotations` is a KCL validation module"
diff --git a/nginx-ingress-restrict-annotations/main.k b/nginx-ingress-restrict-annotations/main.k
@@ -0,0 +1,24 @@
+"""
+This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
+See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go.
+This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the 
+"annotation-value-word-blocklist" configuration setting is also recommended. 
+Please refer to the CVE for details. 
+"""
+import regex
+
+invalid_anno_value_patterns = ["\\s*alias\\s*.*;", "\\s*root\\s*.*;", "/etc/(passwd|shadow|group|nginx|ingress-controller)", "/var/run/secrets", ".*_by_lua.*"]
+msg = "spec.metadata.annotations.values, invalid annotation value patterns ${invalid_anno_value_patterns}"
+validate_restrict_ingress_paths = lambda item {
+    if item.kind == "Ingress":
+        values = [v for _, v in item.metadata.annotations]
+        if values:
+            assert all v in values {
+                not any pattern in invalid_anno_value_patterns {
+                    regex.match(v, pattern)
+                }
+            }, msg
+    item
+}
+# Validate All resource
+items = [validate_restrict_ingress_paths(i) for i in option("items")]
diff --git a/nginx-ingress-restrict-paths/README.md b/nginx-ingress-restrict-paths/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`nginx-ingress-restrict-paths` is a KCL validation module.
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/nginx-ingress-restrict-paths)
diff --git a/nginx-ingress-restrict-paths/kcl.mod b/nginx-ingress-restrict-paths/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "nginx-ingress-restrict-paths"
+edition = "*"
+version = "0.1.0"
+description = "`nginx-ingress-restrict-paths` is a KCL validation module"
diff --git a/nginx-ingress-restrict-paths/main.k b/nginx-ingress-restrict-paths/main.k
@@ -0,0 +1,18 @@
+"""
+This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values.
+Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0. 
+Please refer to the CVE for details.
+"""
+invalid_paths = ["/etc", "/var/run/secrets", "/root", "/var/run/kubernetes/serviceaccount", "/etc/kubernetes/admin.conf"]
+msg = "spec.rules[].http.paths[].path value is not allowed, invalid values ${invalid_paths}"
+validate_restrict_ingress_paths = lambda item {
+    if item.kind == "Ingress":
+        paths = [p.path for r in item.spec.rules for p in r.http.paths]
+        if paths:
+            assert all path in paths {
+                path not in invalid_paths
+            }, msg
+    item
+}
+# Validate All resource
+items = [validate_restrict_ingress_paths(i) for i in option("items")]