Fix a bug in which IaC resource paths (more context below) were naively split by dot, without distinguishing between separator dots and dots inside string literals. For example: "foo.bar.baz" was split into 3 words correctly, but "metadata.annotations['container.apparmor.security.beta.kubernetes.io/web']" was not. The "path" / "cloud config path" is a sort of address used to identify locations in files where vulnerabilities reside. It is very similar to a jsonpath. The user receives it as an array of components, which in the future can be useful for building tooling around, e.g. the upcoming CLI ignores. The code that evaluates policies against source files is also responsible for returning a representation of this path, which it does as a dot-separated string.
Craig Furman
committed
Jul 29, 2021
1 parent
d8d41a4
commit 8566273
Showing
4 changed files
with
57 additions
and
1 deletion.
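--- a/src/cli/commands/test/iac-local-execution/parsers/path.ts
+++ b/src/cli/commands/test/iac-local-execution/parsers/path.ts
@@ -0,0 +1,35 @@
+import * as peg from 'pegjs';
+
+const grammar = `
+start
+  = element+
+element
+  = component:component "."? { return component; }
+component
+  = $(identifier index?)
+identifier
+  = $([^'"\\[\\]\\.]+)
+index
+  = $("[" ['"]? [^'"\\]]+ ['"]? "]")
+`;
+
+export const parsePath = createPathParser();
+
+function createPathParser(): (expr: string) => string[] {
+  const parser = peg.generate(grammar);
+  return (expr: string) => {
+    try {
+      return parser.parse(expr);
+    } catch (e) {
+      // I haven't actually been able to write a testcase that triggers this
+      // code path, but I've included it anyway as a fallback to allow users to
+      // keep using the CLI even if this does occur. Their paths might look
+      // strange, but that's better than nothing.
+      return expr.split('.');
+    }
+  };
+}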
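Review bot: The comment in the catch block says the fallback could not be reached by a test, but `element+` rejects the empty string and `identifier` rejects a leading or doubled dot, so `parsePath('')`, `parsePath('.foo')` and `parsePath('foo..bar')` all land in `expr.split('.')`; for an input with an unbalanced bracket such as `foo.bar['a.b'` that fallback reproduces exactly the dot-splitting bug this commit fixes. I would replace the comment with one that states the real contract: `// Inputs the grammar rejects (empty string, leading/doubled dots, unbalanced brackets) fall back to a naive split so the CLI keeps working; components containing quoted dots may then be split incorrectly.` and pin those inputs in the test table. Since `e` is never read, `catch {` (optional catch binding) avoids an unused binding; if the parse error is worth keeping, logging it at debug level would make a silently mis-split path traceable rather than swallowed.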
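--- a/<test-file-path-not-shown>
+++ b/<test-file-path-not-shown>
@@ -0,0 +1,19 @@
+import { parsePath } from '../../../../src/cli/commands/test/iac-local-execution/parsers/path';
+
+describe('parsing cloudConfigPath', () => {
+  it.each([
+    ['foo', ['foo']],
+    ['foo.bar.baz', ['foo', 'bar', 'baz']],
+    ['foo_1._bar2.baz3_', ['foo_1', '_bar2', 'baz3_']],
+    ['foo.bar[abc].baz', ['foo', 'bar[abc]', 'baz']],
+    ['foo.bar[abc.def].baz', ['foo', 'bar[abc.def]', 'baz']],
+    ["foo.bar['abc.def'].baz", ['foo', "bar['abc.def']", 'baz']],
+    ['foo.bar["abc.def"].baz', ['foo', 'bar["abc.def"]', 'baz']],
+    ["foo.bar['abc/def'].baz", ['foo', "bar['abc/def']", 'baz']],
+    ["foo.bar['abcdef'].baz", ['foo', "bar['abcdef']", 'baz']],
+    ["bar['abc.def']", ["bar['abc.def']"]],
+    ["fo%o.bar['ab$c/def'].baz", ['fo%o', "bar['ab$c/def']", 'baz']],
+  ])('%s', (input, expected) => {
+    expect(parsePath(input)).toEqual(expected);
+  });
+});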
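Review bot: The table never exercises the motivating input from the commit message, `metadata.annotations['container.apparmor.security.beta.kubernetes.io/web']`, and has no case that reaches the `split('.')` fallback in parsePath, so a regression in either path would go unnoticed. I would add `["metadata.annotations['container.apparmor.security.beta.kubernetes.io/web']", ['metadata', "annotations['container.apparmor.security.beta.kubernetes.io/web']"]],` to the table, plus a fallback case such as `['', ['']]` or `['foo..bar', ['foo', '', 'bar']]` so that the lenient behaviour for inputs the grammar rejects is pinned rather than implicit.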