Query "Curl or Wget Instead of Add" wrongly detects some filenames as urls #5699

malte-laukoetter · 2022-08-15T20:36:20Z

File names like "httpd-foreground" or "./drop-http-proxy-header.conf" are not detected as URLs.

The following ADD statements are wrongly detected as smelly by this query:

ADD ./drop-http-proxy-header.conf /etc/apache2/conf-available

ADD httpd-foreground /usr/local/bin/

The query seems only to check if the sequence "http" or "https" can be found anywhere in the ADD statement not if it is actually an URL. It might be better to check if it also includes :// directly afterward. (see https://github.com/Checkmarx/kics/blob/master/assets/queries/dockerfile/curl_or_wget_instead_of_add/query.rego#L18)

The text was updated successfully, but these errors were encountered:

cxMiguelSilva · 2022-08-17T08:28:36Z

Hi @Lergin, I hope you are doing Great!!
I am happy to tell you that there is already a PR to improve the RegEx rule in this Security Query.

malte-laukoetter added bug Something isn't working community Community contribution labels Aug 15, 2022

cxMiguelSilva mentioned this issue Aug 17, 2022

fix(query): improve RegEx rule in curl_or_wget_instead_of_add #5706

Merged

rafaela-soares closed this as completed in #5706 Aug 17, 2022

Provide feedback