From 8eb189aedb483941872ee717492d37fa0730297f Mon Sep 17 00:00:00 2001
From: EduardoSemanas
Date: Mon, 3 Feb 2025 11:50:38 +0000
Subject: [PATCH 1/2] OpenAPI maximum_length_undefined query updated with new sanitizers and corresponding negative UTs
---
 .../maximum_length_undefined/query.rego | 14 +++
 .../test/negative10.yaml | 55 +++++++++++
 .../test/negative11.json | 50 ++++++++++
 .../test/negative12.yaml | 32 +++++++
 .../test/negative9.json | 94 +++++++++++++++++++
 5 files changed, 245 insertions(+)
 create mode 100644 assets/queries/openAPI/general/maximum_length_undefined/test/negative10.yaml
 create mode 100644 assets/queries/openAPI/general/maximum_length_undefined/test/negative11.json
 create mode 100644 assets/queries/openAPI/general/maximum_length_undefined/test/negative12.yaml
 create mode 100644 assets/queries/openAPI/general/maximum_length_undefined/test/negative9.json
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/query.rego b/assets/queries/openAPI/general/maximum_length_undefined/query.rego
index ae9829d88ca..a8016f837f3 100644
--- a/assets/queries/openAPI/general/maximum_length_undefined/query.rego
+++ b/assets/queries/openAPI/general/maximum_length_undefined/query.rego
@@ -12,6 +12,7 @@ CxPolicy[result] {
 info := openapi_lib.is_operation(path)
 openapi_lib.content_allowed(info.operation, info.code)
 openapi_lib.undefined_field_in_string_type(value, "maxLength")
+ checkForSanitizers(value)
 not limited_regex(value)
 
 result := {
@@ -33,6 +34,7 @@ CxPolicy[result] {
 [path, value] := walk(doc)
 openapi_lib.is_operation(path) == {}
 openapi_lib.undefined_field_in_string_type(value, "maxLength")
+ checkForSanitizers(value)
 not limited_regex(value)
 
 result := {
@@ -51,3 +53,15 @@ limited_regex(value){
 not contains(value.pattern, "*")
 not regex.match("[^\\\\]{\\d+,}", value.pattern)
 }
+
+checkForSanitizers(value) {
+ openapi_lib.undefined_field_in_string_type(value, "enum") # enums have the maxLength implicit
+ checkStringFormat(value)
+}
+
+checkStringFormat(value) {
+ openapi_lib.undefined_field_in_string_type(value, "format")
+} else {
+ value["format"] != "date" # date and date-time formats
+ value["format"] != "date-time" # have the maxLength implicit
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative10.yaml b/assets/queries/openAPI/general/maximum_length_undefined/test/negative10.yaml
new file mode 100644
index 00000000000..01b996c405e
--- /dev/null
+++ b/assets/queries/openAPI/general/maximum_length_undefined/test/negative10.yaml
@@ -0,0 +1,55 @@
+openapi: 3.0.0
+info:
+ title: Simple API Overview
+ version: 1.0.0
+paths:
+ "/":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ responses:
+ "200":
+ description: 200 response
+ content:
+ application/json:
+ examples:
+ foo:
+ value:
+ versions:
+ - status: CURRENT
+ updated: "2011-01-21T11:33:21Z"
+ id: v2.0
+ links:
+ - href: http://127.0.0.1:8774/v2/
+ rel: self
+components:
+ schemas:
+ GeneralError:
+ type: object
+ discriminator:
+ propertyName: petType
+ additionalProperties: false
+ properties:
+ code:
+ type: string
+ enum:
+ - brown
+ - grey
+ - black
+ - white
+ message:
+ type: string
+ format: date
+ extra:
+ type: string
+ format: date-time
+ required:
+ - petType
+ requestBodies:
+ NewItem:
+ description: A JSON object containing item data
+ required: true
+ content:
+ multipart/form-data:
+ schema:
+ $ref: "#/components/schemas/GeneralError"
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative11.json b/assets/queries/openAPI/general/maximum_length_undefined/test/negative11.json
new file mode 100644
index 00000000000..b8c095529f5
--- /dev/null
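Review bot: The else branch of `checkStringFormat` exempts `format: date` and `format: date-time` on the comment's claim that they carry an implicit `maxLength`, but in OpenAPI and JSON Schema `format` is an annotation that validators are not required to assert, so a string declared `format: date` with no `maxLength` remains unbounded for any implementation that does not enforce formats. The exemption is a defensible noise trade-off, but the assumption should be stated where it is made, e.g. replace the two trailing comments with `# date/date-time values have a fixed shape, so maxLength is treated as implicit; this assumes the implementation asserts formats`. The series adds only negative fixtures (negative9–12); unless one already exists, a positive fixture with a string of another format (such as `format: email`) and no `maxLength` would pin the else branch, which is the part of the new logic that still reports. The hunks at @@ -12 and @@ -33 only add the call to this function and carry the same assumption.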
+++ b/assets/queries/openAPI/general/maximum_length_undefined/test/negative11.json
@@ -0,0 +1,50 @@
+{
+ "swagger": "2.0",
+ "info": {
+ "title": "Simple API Overview",
+ "version": "1.0.0",
+ "contact": {
+ "name": "contact",
+ "url": "https://www.google.com/",
+ "email": "user@gmail.com"
+ }
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "responses": {
+ "200": {
+ "description": "200 response",
+ "schema": {
+ "discriminator": "petType",
+ "additionalProperties": false,
+ "properties": {
+ "code": {
+ "type": "string",
+ "enum": [
+ "brown",
+ "grey",
+ "black",
+ "white"
+ ]
+ },
+ "message": {
+ "type": "string",
+ "format": "date"
+ },
+ "extra": {
+ "type": "string",
+ "format": "date-time"
+ }
+ },
+ "required": [
+ "petType"
+ ],
+ "type": "object"
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative12.yaml b/assets/queries/openAPI/general/maximum_length_undefined/test/negative12.yaml
new file mode 100644
index 00000000000..aa969f2951e
--- /dev/null
+++ b/assets/queries/openAPI/general/maximum_length_undefined/test/negative12.yaml
@@ -0,0 +1,32 @@
+swagger: "2.0"
+info:
+ title: Simple API Overview
+ version: 1.0.0
+paths:
+ "/":
+ get:
+ operationId: listVersionsv2
+ summary: List API versions
+ responses:
+ "200":
+ description: 200 response
+ schema:
+ type: object
+ discriminator: petType
+ additionalProperties: false
+ properties:
+ code:
+ type: string
+ enum:
+ - brown
+ - grey
+ - black
+ - white
+ message:
+ type: string
+ format: date
+ extra:
+ type: string
+ format: date-time
+ required:
+ - petType
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/test/negative9.json b/assets/queries/openAPI/general/maximum_length_undefined/test/negative9.json
new file mode 100644
index 00000000000..01d54f489a8
--- /dev/null
+++ b/assets/queries/openAPI/general/maximum_length_undefined/test/negative9.json
@@ -0,0 +1,94 @@
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "Simple API Overview",
+ "version": "1.0.0",
+ "contact": {
+ "name": "contact",
+ "url": "https://www.google.com/",
+ "email": "user@gmail.com"
+ }
+ },
+ "paths": {
+ "/": {
+ "get": {
+ "operationId": "listVersionsv2",
+ "summary": "List API versions",
+ "responses": {
+ "200": {
+ "description": "200 response",
+ "content": {
+ "application/json": {
+ "examples": {
+ "foo": {
+ "value": {
+ "versions": [
+ {
+ "status": "CURRENT",
+ "updated": "2011-01-21T11:33:21Z",
+ "id": "v2.0",
+ "links": [
+ {
+ "href": "http://127.0.0.1:8774/v2/",
+ "rel": "self"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "components": {
+ "schemas": {
+ "GeneralError": {
+ "type": "object",
+ "discriminator": {
+ "propertyName": "petType"
+ },
+ "additionalProperties": false,
+ "properties": {
+ "code": {
+ "type": "string",
+ "enum": [
+ "brown",
+ "grey",
+ "black",
+ "white"
+ ]
+ },
+ "message": {
+ "type": "string",
+ "format": "date"
+ },
+ "extra": {
+ "type": "string",
+ "format": "date-time"
+ }
+ },
+ "required": [
+ "petType"
+ ]
+ }
+ },
+ "requestBodies": {
+ "NewItem": {
+ "description": "A JSON object containing item data",
+ "required": true,
+ "content": {
+ "multipart/form-data": {
+ "schema": {
+ "$ref": "#/components/schemas/GeneralError"
+ }
+ }
+ }
+ }
+ }
+ }
+}
From 1417b07670886391542e675a04c95f647c39af67 Mon Sep 17 00:00:00 2001
From: EduardoSemanas
Date: Mon, 3 Feb 2025 15:30:58 +0000
Subject: [PATCH 2/2] Auxiliar function renamed to a more current language
---
 .../openAPI/general/maximum_length_undefined/query.rego | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/assets/queries/openAPI/general/maximum_length_undefined/query.rego b/assets/queries/openAPI/general/maximum_length_undefined/query.rego
index a8016f837f3..9b64f246e3a 100644
--- a/assets/queries/openAPI/general/maximum_length_undefined/query.rego
+++ b/assets/queries/openAPI/general/maximum_length_undefined/query.rego
@@ -12,7 +12,7 @@ CxPolicy[result] {
 info := openapi_lib.is_operation(path)
 openapi_lib.content_allowed(info.operation, info.code)
 openapi_lib.undefined_field_in_string_type(value, "maxLength")
- checkForSanitizers(value)
+ checkForSecureStringFormats(value)
 not limited_regex(value)
 
 result := {
@@ -34,7 +34,7 @@ CxPolicy[result] {
 [path, value] := walk(doc)
 openapi_lib.is_operation(path) == {}
 openapi_lib.undefined_field_in_string_type(value, "maxLength")
- checkForSanitizers(value)
+ checkForSecureStringFormats(value)
 not limited_regex(value)
 
 result := {
@@ -54,7 +54,7 @@ limited_regex(value){
 not regex.match("[^\\\\]{\\d+,}", value.pattern)
 }
 
-checkForSanitizers(value) {
+checkForSecureStringFormats(value) {
 openapi_lib.undefined_field_in_string_type(value, "enum") # enums have the maxLength implicit
 checkStringFormat(value)
 }