Add gcp sql rules for insecure ssl_mode (#3540) (#3553)
* Add gcp sql rules for insecure ssl_mode

* clean up message and references

---------

Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]>
Co-authored-by: Lewis <[email protected]>
3 people authored Feb 3, 2025
1 parent 32750f0 commit 7b4b6c5
Showing 7 changed files with 670 additions and 1 deletion.
3 changes: 2 additions & 1 deletion terraform/gcp/security/gcp-sql-database-require-ssl.yaml
Expand Up @@ -39,7 +39,8 @@ rules:
- terraform
- gcp
references:
- https://owasp.org/Top10/A02_2021-Cryptographic_Failures
- "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
- "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
subcategory:
- vuln
likelihood: LOW
@@ -0,0 +1,138 @@
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
resource "google_sql_database_instance" "fail" {
database_version = "MYSQL_8_0"
name = "instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
}
}

# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
resource "google_sql_database_instance" "success" {
database_version = "MYSQL_8_0"
name = "instance"
region = "us-central1"
ip_configuration {
ipv4_enabled = true
require_ssl = true
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "mysql_fail" {
database_version = "MYSQL_8_0"
name = "mysql-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "mysql_success" {
database_version = "MYSQL_8_0"
name = "mysql-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "sqlserver_fail" {
database_version = "SQLSERVER_2019_STANDARD"
name = "sqlserver-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
}
}
}

resource "google_sql_database_instance" "sqlserver_success" {
database_version = "SQLSERVER_2019_STANDARD"
name = "sqlserver-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ENCRYPTED_ONLY"
}
}
}

resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
database_version = "MYSQL_8_0"
name = "mysql-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

@@ -0,0 +1,138 @@
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
resource "google_sql_database_instance" "fail" {
database_version = "MYSQL_8_0"
name = "instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
}
}

# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
resource "google_sql_database_instance" "success" {
database_version = "MYSQL_8_0"
name = "instance"
region = "us-central1"
ip_configuration {
ipv4_enabled = true
require_ssl = true
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ENCRYPTED_ONLY"
}
}
}

resource "google_sql_database_instance" "main" {
name = "some-example-name"
database_version = "POSTGRES_15"
region = "europe-west3"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
}
}
}

resource "google_sql_database_instance" "mysql_fail" {
database_version = "MYSQL_8_0"
name = "mysql-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ENCRYPTED_ONLY"
}
}
}

resource "google_sql_database_instance" "mysql_success" {
database_version = "MYSQL_8_0"
name = "mysql-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ENCRYPTED_ONLY"
}
}
}

resource "google_sql_database_instance" "sqlserver_fail" {
database_version = "SQLSERVER_2019_STANDARD"
name = "sqlserver-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
}
}
}

resource "google_sql_database_instance" "sqlserver_success" {
database_version = "SQLSERVER_2019_STANDARD"
name = "sqlserver-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "ENCRYPTED_ONLY"
}
}
}

resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
database_version = "MYSQL_8_0"
name = "mysql-instance"
region = "us-central1"
settings {
tier = "db-f1-micro"
ip_configuration {
# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}
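Review bot: Several resource labels in this fixture contradict the annotation on the line that matters, which makes the expected outcome hard to read: `mysql_success` carries `# ruleid:` with `ssl_mode = "ENCRYPTED_ONLY"`, `sqlserver_fail` carries `# ok:` with `ALLOW_UNENCRYPTED_AND_ENCRYPTED`, and four Postgres resources share the label `main`. Renaming each to state its case, e.g. `resource "google_sql_database_instance" "mysql_encrypted_only_fail"`, would make a regression in the rule obvious from the test output. The `success` resource near the top places `ip_configuration` directly under the resource rather than inside `settings`, so it is `ok` only because it sets no `ssl_mode` at all; moving the block under `settings` would make it reflect the provider's real layout. A case with a non-literal value such as `ssl_mode = var.ssl_mode`, and one with a non-literal `database_version`, would also pin down how the rule treats values it cannot see, which the current fixtures leave unspecified.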

@@ -0,0 +1,58 @@
rules:
- id: gcp-sql-database-ssl-insecure-value-postgres-mysql
patterns:
- pattern-inside: |
resource "google_sql_database_instance" "..." {
...
database_version = "$DB"
...
}
- pattern-inside: |
resource "google_sql_database_instance" "..." {
...
ip_configuration {
...
ssl_mode = $VALUE
...
}
...
}
- pattern-not-inside: |
resource "google_sql_database_instance" "..." {
...
ip_configuration {
...
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
...
}
...
}
- metavariable-regex:
metavariable: $DB
regex: .*(MYSQL|POSTGRES).*
- focus-metavariable: $VALUE
fix: |
"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
message: >-
Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode="TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`.
metadata:
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
cwe:
- 'CWE-326: Inadequate Encryption Strength'
category: security
technology:
- terraform
- gcp
references:
- "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
- "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
languages: [hcl]
severity: WARNING
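Review bot: The `message` misdescribes the finding: by its definition in the referenced ipConfiguration docs, `ENCRYPTED_ONLY` already rejects unencrypted connections, so a user who sees "require incoming connections to use SSL" on an `ENCRYPTED_ONLY` line (which the tests mark `ruleid`) will read it as a false positive. What the rule actually enforces is client-certificate (mutual TLS) authentication, so the message should say so, e.g. `Cloud SQL instance does not require a trusted client certificate for incoming connections. ENCRYPTED_ONLY enforces encryption but not client authentication; for PostgreSQL and MySQL set ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED".`, which also fixes "PostgresSQL" and "all ... instance require". For the same reason the `CWE-326: Inadequate Encryption Strength` mapping does not describe a missing client-authentication requirement, and an authentication-related CWE would be more accurate; the `$DB` regex deliberately limits the rule to MySQL and PostgreSQL, so the message could also note that the mode is only offered for those engines. Separately, `ssl_mode = $VALUE` matches any expression, so on `ssl_mode = var.ssl_mode` the `fix:` would overwrite a variable reference with a literal; if that is not intended, restrict `$VALUE` with a `metavariable-regex` to the two insecure literals, or drop the autofix for non-literal values.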

