From 1c48fd8c132ffce73a7b97414175fc9ed51d0d53 Mon Sep 17 00:00:00 2001
From: Amit Schendel
Date: Thu, 14 Sep 2023 11:46:18 +0300
Subject: [PATCH] Adding CVE-2023-3676 check

Signed-off-by: Amit Schendel
---
 rules/CVE-2023-3676/raw.rego | 15 +++++++++++++
 rules/CVE-2023-3676/rule.metadata.json | 25 +++++++++++++++++++++
 rules/CVE-2023-3676/test/pod/input/pod.yaml | 23 +++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 rules/CVE-2023-3676/raw.rego
 create mode 100644 rules/CVE-2023-3676/rule.metadata.json
 create mode 100644 rules/CVE-2023-3676/test/pod/input/pod.yaml

diff --git a/rules/CVE-2023-3676/raw.rego b/rules/CVE-2023-3676/raw.rego
new file mode 100644
index 000000000..ce48f2be9
--- /dev/null
+++ b/rules/CVE-2023-3676/raw.rego
@@ -0,0 +1,15 @@
+package armo_builtins
+
+deny[msg] {
+ input.request.kind.kind == "Pod"
+ path := input.request.object.spec.containers.volumeMounts.subPath
+ not startswith(path, "$(")
+ msga := {
+ "alertMessage": "You may be vulnerable to CVE-2023-3676",
+ "failedPaths": [path],
+ "fixPaths":[],
+ "alertObject": {
+ "k8SApiObjects": [input[_]],
+ },
+ }
+}
\ No newline at end of file
diff --git a/rules/CVE-2023-3676/rule.metadata.json b/rules/CVE-2023-3676/rule.metadata.json
new file mode 100644
index 000000000..d4efa262d
--- /dev/null
+++ b/rules/CVE-2023-3676/rule.metadata.json
@@ -0,0 +1,25 @@
+{
+ "name": "CVE-2023-3676",
+ "attributes": {
+ "armoBuiltin": true
+ },
+ "ruleLanguage": "Rego",
+ "match": [
+ {
+ "apiGroups": [
+ "apps"
+ ],
+ "apiVersions": [
+ "v1"
+ ],
+ "resources": [
+ "Pod"
+ ]
+ }
+ ],
+ "ruleDependencies": [
+ ],
+ "description": "Check for CVE-2023-3676",
+ "remediation": "Update kubelet version",
+ "ruleQuery": "armo_builtins"
+}
\ No newline at end of file
diff --git a/rules/CVE-2023-3676/test/pod/input/pod.yaml b/rules/CVE-2023-3676/test/pod/input/pod.yaml
new file mode 100644
index 000000000..d5d93c2d1
--- /dev/null
+++ b/rules/CVE-2023-3676/test/pod/input/pod.yaml
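Review bot: The rule head `deny[msg]` is never bound by the body, which only assigns `msga`, so OPA will reject the rule as unsafe at compile time; the head should be `deny[msga] {`. The selector on the `path :=` line also walks `containers` and `volumeMounts` without iterating them, and both are arrays, so even with the head fixed the expression is undefined and the rule never fires; it should read `path := input.request.object.spec.containers[_].volumeMounts[_].subPath`. The condition `not startswith(path, "$(")` is inverted relative to the fixture in this same patch (`subPath: $(Start-process cmd)` is the case meant to be reported) and would also miss a `$(` that is not at the start of the path; `contains(path, "$(")` reports the fixture and stays silent on ordinary mounts. Separately, the object is read from `input.request.object` but reported as `input[_]` in `k8SApiObjects`, and `failedPaths` carries the subPath value rather than a JSON path to the offending field; presumably both should follow whatever convention the repository's other rules use, which is worth confirming before merge.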
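Review bot: The `match` entry pairs `"apiGroups": ["apps"]` with `"resources": ["Pod"]`, but Pod is served by the core API group, so this selector never matches a Pod object; the rule body and the fixture in this patch are both `apiVersion: v1` Pods, so the entry should be `"apiGroups": [""]`. The `description` value "Check for CVE-2023-3676" restates the name and tells a reader nothing about the condition; something like `"description": "Flags Pod volumeMounts whose subPath contains a $( expression, which may be expanded by kubelet on unpatched Windows nodes (CVE-2023-3676)"` would document what the rule actually checks. The `remediation` should name the patched kubelet release line (`<patched-kubelet-version>`) rather than the generic "Update kubelet version", since that is the only actionable information a user gets from the finding.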
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: wintest
+spec:
+ containers:
+ - name: test
+ image: raesene/windows-powertools
+ command:
+ - powershell.exe
+ - -command
+ - "start-sleep -seconds 600"
+ volumeMounts:
+ - name: test
+ mountPath: c:\var
+ subPath: $(Start-process cmd)
+ volumes:
+ - name: test
+ hostPath:
+ path: c:\var
+ hostNetwork: true
+ nodeSelector:
+ kubernetes.io/os: windows
\ No newline at end of file
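Review bot: The test directory adds only the input manifest, and nothing in the patch states what the rule is expected to produce for it, so this fixture cannot catch the inverted `not startswith` check in `raw.rego`, which as written does not report this Pod at all. If this repository's rule tests compare against an `expected.json` beside `input/` (as the `test/pod/input/` layout suggests), add one listing the expected alert for `wintest`. A second Pod with a plain `subPath` value would also be worth adding so the test confirms the rule stays silent on benign mounts.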