bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV2_ANSIBLE_2 false positive when variable is used #6556

Closed amedee closed 1 month ago

amedee commented 2 months ago

Describe the issue: CKV2_ANSIBLE_2 gives a false positive when an https url is inside a variable.

Examples

Task:

- name: Check if WP-CLI is already installed
  ansible.builtin.stat:
    path: "{{ blog_wpcli_path }}"
  register: wpcli

- name: Download WP-CLI
  when: not wpcli.stat.exists
  become: true
  ansible.builtin.get_url:
    url: "{{ blog_wpcli_url }}"
    dest: "{{ blog_wpcli_path }}"
    owner: root
    mode: u=rwx,go=rx

In vars/main.yml:

---
blog_wpcli_path: /usr/local/bin/wp
blog_wpcli_url: https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar

tsmithv11 commented 1 month ago

@amedee we don't yet support variable rendering in Ansible, so until then, I switched the policy to flag the use of http and ftp. Since URL protocol prefixes are required, the effect should be the same.

amedee commented 1 month ago

Do you mean I put the "https://" prefix hard coded and the rest of the URL in a variable? Kludgy, but I see how that could work. Thanks for the reply.

tsmithv11 commented 1 month ago

@amedee not quite - we don't want you to have to change your coding behavior for a security check.

Once that PR is merged, instead of checking that url does start with https://, we'll instead check that it doesn't start with http:// or ftp://. Since we don't do variable rendering yet, we'll see the url value as literally "{{ blog_wpcli_url }}" which doesn't start with http:// or ftp:// so it will pass.
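The two policy predicates the maintainer describes, run over the task from this issue plus a few literal-URL variants, as an added illustration (this is not Checkov's own CKV2_ANSIBLE_2 implementation, and the task dicts, `evaluate_get_url_tasks` helper and the minimal `render_simple_var` stand-in for variable rendering are all constructed here):

```python
"""Old vs. new CKV2_ANSIBLE_2-style predicate over unrendered Ansible tasks.

Added example, not Checkov's code. The sample tasks are constructed to mirror
the issue: Checkov sees the url value as the literal string "{{ blog_wpcli_url }}"
because it does not render variables.
"""
import re

# Matches a value that is exactly one variable reference, e.g. "{{ name }}".
_SIMPLE_VAR_RE = re.compile(r"^\s*\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}\s*$")


def old_check_requires_https(url: str) -> bool:
    """Original behaviour: pass only if the literal value starts with https://.
    An unrendered variable fails this test, which is the reported false positive."""
    return url.startswith("https://")


def new_check_rejects_insecure_scheme(url: str) -> bool:
    """Revised behaviour: fail only if the literal value starts with http:// or
    ftp://. An unrendered variable starts with neither, so it passes."""
    lowered = url.lower()
    return not (lowered.startswith("http://") or lowered.startswith("ftp://"))


def render_simple_var(value: str, variables: dict) -> str:
    """Hypothetical minimal renderer: resolve a value that is exactly one
    variable reference from a vars mapping; anything else is returned as-is.
    Stands in for the variable rendering Checkov lacks at the time of the issue."""
    m = _SIMPLE_VAR_RE.match(value)
    if m and m.group(1) in variables:
        return str(variables[m.group(1)])
    return value


def evaluate_get_url_tasks(tasks, check, variables=None):
    """Apply a predicate to every task using ansible.builtin.get_url / get_url.
    Returns {task name: "PASSED" | "FAILED"}; tasks without a url are skipped.
    If a vars mapping is supplied, single-variable urls are rendered first."""
    results = {}
    for task in tasks:
        module_args = task.get("ansible.builtin.get_url") or task.get("get_url")
        if not module_args or "url" not in module_args:
            continue
        url = str(module_args["url"])
        if variables is not None:
            url = render_simple_var(url, variables)
        results[task["name"]] = "PASSED" if check(url) else "FAILED"
    return results


# Constructed sample tasks: the issue's download task plus literal-URL variants.
SAMPLE_TASKS = [
    {"name": "Download WP-CLI", "when": "not wpcli.stat.exists", "become": True,
     "ansible.builtin.get_url": {"url": "{{ blog_wpcli_url }}",
                                 "dest": "{{ blog_wpcli_path }}"}},
    {"name": "Literal https",
     "ansible.builtin.get_url": {"url": "https://example.com/a.tar.gz", "dest": "/tmp/a"}},
    {"name": "Literal http",
     "ansible.builtin.get_url": {"url": "http://example.com/a.tar.gz", "dest": "/tmp/a"}},
    {"name": "Literal ftp",
     "ansible.builtin.get_url": {"url": "ftp://example.com/a.tar.gz", "dest": "/tmp/a"}},
    {"name": "Not a download", "ansible.builtin.stat": {"path": "{{ blog_wpcli_path }}"}},
]

# Constructed vars, the first matching vars/main.yml from the issue.
VARS_HTTPS = {"blog_wpcli_url": "https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar"}
VARS_HTTP = {"blog_wpcli_url": "http://example.com/wp-cli.phar"}

if __name__ == "__main__":
    print("old:", evaluate_get_url_tasks(SAMPLE_TASKS, old_check_requires_https))
    print("new:", evaluate_get_url_tasks(SAMPLE_TASKS, new_check_rejects_insecure_scheme))
    print("new, rendered http var:",
          evaluate_get_url_tasks(SAMPLE_TASKS, new_check_rejects_insecure_scheme, VARS_HTTP))
```

The unrendered task fails the old predicate and passes the new one, while literal http:// and ftp:// URLs fail both, which is the equivalence the maintainer relies on. The caveat is visible in the last run: without rendering, a variable that resolves to an http:// URL is passed through rather than flagged, so a local check that can resolve vars (as the stand-in renderer does for the simplest case) is what closes that gap.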

amedee commented 1 month ago

Oh ok I see. Yes that makes more sense.