fix(query): openapi pattern undefined fp enum and format sanitizers (#…

…7323) * OpenAPI general query pattern_undefined updated to also consider format and enum as sanitizers * Update so that format is only considered a sanitizer when it's value is date or date-time * Expected and acutal key values uneeded changes reverted * Comments correction * Auxiliar function renamed to a more current language * Vulnerable github.com/moby/buildkit package updated --------- Co-authored-by: Artur Ribeiro <[email protected]>
Checkmarx · Feb 4, 2025 · 4d0afd1 · 4d0afd1
1 parent 2e3a47b
commit 4d0afd1
Show file tree

Hide file tree

Showing 7 changed files with 251 additions and 4 deletions.
diff --git a/assets/queries/openAPI/general/pattern_undefined/query.rego b/assets/queries/openAPI/general/pattern_undefined/query.rego
@@ -12,6 +12,7 @@ CxPolicy[result] {
 	info := openapi_lib.is_operation(path)
 	openapi_lib.content_allowed(info.operation, info.code)
 	openapi_lib.undefined_field_in_string_type(value, "pattern")
+	checkForSecureStringFormats(value)
 
 	result := {
 		"documentId": doc.id,
@@ -32,6 +33,7 @@ CxPolicy[result] {
 	[path, value] := walk(doc)
 	openapi_lib.is_operation(path) == {}
 	openapi_lib.undefined_field_in_string_type(value, "pattern")
+	checkForSecureStringFormats(value)
 
 	result := {
 		"documentId": doc.id,
@@ -42,4 +44,16 @@ CxPolicy[result] {
 		"keyActualValue": "'pattern' is undefined",
 		"overrideKey": version,
 	}
-}
+}
+
+checkForSecureStringFormats(value) {
+	openapi_lib.undefined_field_in_string_type(value, "enum")   # enums have an implicit pattern
+	checkStringFormat(value)
+}
+
+checkStringFormat(value) {
+    openapi_lib.undefined_field_in_string_type(value, "format")
+} else {
+    value["format"] != "date"       # date and date-time formats
+    value["format"] != "date-time"  # have an implicit pattern
+}
diff --git a/assets/queries/openAPI/general/pattern_undefined/test/negative10.yaml b/assets/queries/openAPI/general/pattern_undefined/test/negative10.yaml
@@ -0,0 +1,31 @@
+swagger: "2.0"
+info:
+  title: Simple API Overview
+  version: 1.0.0
+paths:
+  "/":
+    get:
+      operationId: listVersionsv2
+      summary: List API versions
+      responses:
+        "200":
+          description: 200 response
+          schema:
+            type: object
+            discriminator: petType
+            additionalProperties: false
+            properties:
+              code:
+                type: string
+                maxLength: 15
+                enum:
+                  - brown
+                  - grey
+                  - black
+                  - white
+              message:
+                type: string
+                format: date
+              extra:
+                type: string
+                format: date-time
diff --git a/assets/queries/openAPI/general/pattern_undefined/test/negative7.json b/assets/queries/openAPI/general/pattern_undefined/test/negative7.json
@@ -0,0 +1,95 @@
+{
+  "openapi": "3.0.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "[email protected]"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "operationId": "listVersionsv2",
+        "summary": "List API versions",
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "content": {
+              "application/json": {
+                "examples": {
+                  "foo": {
+                    "value": {
+                      "versions": [
+                        {
+                          "status": "CURRENT",
+                          "updated": "2011-01-21T11:33:21Z",
+                          "id": "v2.0",
+                          "links": [
+                            {
+                              "href": "http://127.0.0.1:8774/v2/",
+                              "rel": "self"
+                            }
+                          ]
+                        }
+                      ]
+                    }
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "components": {
+    "schemas": {
+      "GeneralError": {
+        "type": "object",
+        "discriminator": {
+          "propertyName": "petType"
+        },
+        "additionalProperties": false,
+        "properties": {
+          "code": {
+            "type": "string",
+            "maxLength": 15,
+            "enum": [
+              "brown",
+              "grey",
+              "black",
+              "white"
+            ]
+          },
+          "message": {
+            "type": "string",
+            "format": "date"
+          },
+          "extra": {
+            "type": "string",
+            "format": "date-time"
+          }
+        },
+        "required": [
+          "petType"
+        ]
+      }
+    },
+    "requestBodies": {
+      "NewItem": {
+        "description": "A JSON object containing item data",
+        "required": true,
+        "content": {
+          "multipart/form-data": {
+            "schema": {
+              "$ref": "#/components/schemas/GeneralError"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/assets/queries/openAPI/general/pattern_undefined/test/negative8.yaml b/assets/queries/openAPI/general/pattern_undefined/test/negative8.yaml
@@ -0,0 +1,56 @@
+openapi: 3.0.0
+info:
+  title: Simple API Overview
+  version: 1.0.0
+paths:
+  "/":
+    get:
+      operationId: listVersionsv2
+      summary: List API versions
+      responses:
+        "200":
+          description: 200 response
+          content:
+            application/json:
+              examples:
+                foo:
+                  value:
+                    versions:
+                      - status: CURRENT
+                        updated: "2011-01-21T11:33:21Z"
+                        id: v2.0
+                        links:
+                          - href: http://127.0.0.1:8774/v2/
+                            rel: self
+components:
+  schemas:
+    GeneralError:
+      type: object
+      discriminator:
+        propertyName: petType
+      additionalProperties: false
+      properties:
+        code:
+          type: string
+          maxLength: 15
+          enum:
+            - brown
+            - grey
+            - black
+            - white
+        message:
+          type: string
+          format: date
+        extra:
+          type: string
+          format: date-time
+      required:
+        - petType
+  requestBodies:
+    NewItem:
+      description: A JSON object containing item data
+      required: true
+      content:
+        multipart/form-data:
+          schema:
+            $ref: "#/components/schemas/GeneralError"
diff --git a/assets/queries/openAPI/general/pattern_undefined/test/negative9.json b/assets/queries/openAPI/general/pattern_undefined/test/negative9.json
@@ -0,0 +1,51 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Simple API Overview",
+    "version": "1.0.0",
+    "contact": {
+      "name": "contact",
+      "url": "https://www.google.com/",
+      "email": "[email protected]"
+    }
+  },
+  "paths": {
+    "/": {
+      "get": {
+        "responses": {
+          "200": {
+            "description": "200 response",
+            "schema": {
+              "discriminator": "petType",
+              "additionalProperties": false,
+              "properties": {
+                "code": {
+                  "type": "string",
+                  "maxLength": 15,
+                  "enum": [
+                    "brown",
+                    "grey",
+                    "black",
+                    "white"
+                  ]
+                },
+                "message": {
+                  "type": "string",
+                  "format": "date"
+                },
+                "extra": {
+                  "type": "string",
+                  "format": "date-time"
+                }
+              },
+              "required": [
+                "petType"
+              ],
+              "type": "object"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/hashicorp/terraform-json v0.22.1
 	github.com/johnfercher/maroto v1.0.0
 	github.com/mackerelio/go-osstat v0.2.5
-	github.com/moby/buildkit v0.18.1-0.20250114211737-dd069229019d
+	github.com/moby/buildkit v0.19.0
 	github.com/open-policy-agent/opa v0.68.0
 	github.com/pkg/errors v0.9.1
 	github.com/relex/aini v1.6.0

diff --git a/go.sum b/go.sum
@@ -677,8 +677,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.18.1-0.20250114211737-dd069229019d h1:jSMnqy0Ce8R3g9M63eafNJ7XljfEdY9yQU944td+0G0=
-github.com/moby/buildkit v0.18.1-0.20250114211737-dd069229019d/go.mod h1:4WYJLet/NI2p1o2rPQ6CIFpyyyvwvPz/TVISmwqqpHI=
+github.com/moby/buildkit v0.19.0 h1:w9G1p7sArvCGNkpWstAqJfRQTXBKukMyMK1bsah1HNo=
+github.com/moby/buildkit v0.19.0/go.mod h1:WiHBFTgWV8eB1AmPxIWsAlKjUACAwm3X/14xOV4VWew=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=