diff --git a/nginx-ingress-restrict-annotations/README.md b/nginx-ingress-restrict-annotations/README.md
new file mode 100644
index 00000000..5a9d9c25
--- /dev/null
+++ b/nginx-ingress-restrict-annotations/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`nginx-ingress-restrict-annotations` is a KCL validation module.
+
+## Resource
+
+The Code source and document are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/nginx-ingress-restrict-annotations)
diff --git a/nginx-ingress-restrict-annotations/kcl.mod b/nginx-ingress-restrict-annotations/kcl.mod
new file mode 100644
index 00000000..ecc8baea
--- /dev/null
+++ b/nginx-ingress-restrict-annotations/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "nginx-ingress-restrict-annotations"
+edition = "*"
+version = "0.1.0"
+description = "`nginx-ingress-restrict-annotations` is a KCL validation module"
diff --git a/nginx-ingress-restrict-annotations/main.k b/nginx-ingress-restrict-annotations/main.k
new file mode 100644
index 00000000..7ec91777
--- /dev/null
+++ b/nginx-ingress-restrict-annotations/main.k
@@ -0,0 +1,24 @@
+"""
+This policy mitigates CVE-2021-25746 by restricting `metadata.annotations` to safe values.
+See: https://github.com/kubernetes/ingress-nginx/blame/main/internal/ingress/inspector/rules.go.
+This issue has been fixed in NGINX Ingress v1.2.0. For NGINX Ingress version 1.0.5+ the
+"annotation-value-word-blocklist" configuration setting is also recommended.
+Please refer to the CVE for details.
+"""
+import regex
+
+invalid_anno_value_patterns = ["\\s*alias\\s*.*;", "\\s*root\\s*.*;", "/etc/(passwd|shadow|group|nginx|ingress-controller)", "/var/run/secrets", ".*_by_lua.*"]
+msg = "spec.metadata.annotations.values, invalid annotation value patterns ${invalid_anno_value_patterns}"
+validate_restrict_ingress_paths = lambda item {
+    if item.kind == "Ingress":
+        values = [v for _, v in item.metadata.annotations]
+        if values:
+            assert all v in values {
+                not any pattern in invalid_anno_value_patterns {
+                    regex.match(v, pattern)
+                }
+            }, msg
+    item
+}
+# Validate All resource
+items = [validate_restrict_ingress_paths(i) for i in option("items")]
diff --git a/nginx-ingress-restrict-paths/README.md b/nginx-ingress-restrict-paths/README.md
new file mode 100644
index 00000000..182b0423
--- /dev/null
+++ b/nginx-ingress-restrict-paths/README.md
@@ -0,0 +1,7 @@
+## Introduction
+
+`nginx-ingress-restrict-paths` is a KCL validation module.
+
+## Resource
+
+The Code source and documents are [here](https://github.com/kcl-lang/modules/tree/main/nginx-ingress/nginx-ingress-restrict-paths)
diff --git a/nginx-ingress-restrict-paths/kcl.mod b/nginx-ingress-restrict-paths/kcl.mod
new file mode 100644
index 00000000..24548bf5
--- /dev/null
+++ b/nginx-ingress-restrict-paths/kcl.mod
@@ -0,0 +1,5 @@
+[package]
+name = "nginx-ingress-restrict-paths"
+edition = "*"
+version = "0.1.0"
+description = "`nginx-ingress-restrict-paths` is a KCL validation module"
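Review bot: The assert message in `msg` names a field path that does not exist on an Ingress, `spec.metadata.annotations.values`, while the comprehension a few lines below reads `item.metadata.annotations`; change it to `msg = "metadata.annotations values, invalid annotation value patterns ${invalid_anno_value_patterns}"` so a failing manifest points at the right place. The lambda is also named `validate_restrict_ingress_paths` although it checks annotations, which looks copied from the paths module; `validate_restrict_ingress_annotations` keeps the two modules distinguishable in callers and error output. The message reports only the pattern list, never the offending annotation key or value, so triage of a rejected manifest means re-running each pattern by hand; asserting per key/value pair would let the key be interpolated into the message. If an Ingress carries no `annotations` map at all, `item.metadata.annotations` appears to be undefined rather than an empty dict, and whether the comprehension tolerates that is not visible here; an explicit `or {}` fallback would make the intended behaviour clear.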
diff --git a/nginx-ingress-restrict-paths/main.k b/nginx-ingress-restrict-paths/main.k
new file mode 100644
index 00000000..0dad0b04
--- /dev/null
+++ b/nginx-ingress-restrict-paths/main.k
@@ -0,0 +1,18 @@
+"""
+This policy mitigates CVE-2021-25745 by restricting `spec.rules[].http.paths[].path` to safe values.
+Additional paths can be added as required. This issue has been fixed in NGINX Ingress v1.2.0.
+Please refer to the CVE for details.
+"""
+invalid_paths = ["/etc", "/var/run/secrets", "/root", "/var/run/kubernetes/serviceaccount", "/etc/kubernetes/admin.conf"]
+msg = "spec.rules[].http.paths[].path value is not allowed, invalid values ${invalid_paths}"
+validate_restrict_ingress_paths = lambda item {
+    if item.kind == "Ingress":
+        paths = [p.path for r in item.spec.rules for p in r.http.paths]
+        if paths:
+            assert all path in paths {
+                path not in invalid_paths
+            }, msg
+    item
+}
+# Validate All resource
+items = [validate_restrict_ingress_paths(i) for i in option("items")]
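Review bot: `path not in invalid_paths` is an exact string-equality test, so only the five literal values are rejected and any path beneath a listed directory, or the same value with a trailing slash, passes the policy; a prefix comparison inside the `all`, such as `not any bad in invalid_paths { path == bad or path.startswith(bad + "/") }`, would cover what the list evidently intends. That `/etc/kubernetes/admin.conf` is listed separately although `/etc` already is suggests the exact-match semantics were not deliberate, so the docstring's "Additional paths can be added as required" should state whether entries are exact values or prefixes. The comprehension also assumes every rule carries `http` and every entry a `path`; both are optional in the Ingress API, so a host-only rule may fail the attribute access rather than be skipped, and a filter such as `for r in item.spec.rules if r.http` would make that explicit. The trailing comment should read `# Validate all resources`.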