feat: adding override-variables policy (#334)

* feat: adding override-variables policy * fix severity and threat
Legit-Labs · Sep 22, 2024 · 0d07d93 · 0d07d93
1 parent 0cea8da
commit 0d07d93
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/e2e/gitlab.go b/e2e/gitlab.go
@@ -69,4 +69,9 @@ var testCasesGitLab = []testCase{
 		path:          "data.member.two_factor_authentication_is_disabled_for_an_external_collaborator",
 		skippedEntity: "legitify-test",
 	},
+	{
+		path:         "data.repository.overriding_defined_variables_isnt_restricted",
+		failedEntity: "failed_repo",
+		passedEntity: "passed_repo",
+	},
 }
diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
@@ -344,3 +344,22 @@ default repository_dismiss_stale_reviews := true
 repository_dismiss_stale_reviews := false {
 	input.approval_configuration.reset_approvals_on_push
 }
+
+# METADATA
+# scope: rule
+# title: The ability to override predefined variables should be limited only to users with at least Maintainer role.
+# description: It’s recommended to restrict users with low privileges from overriding predefined variables, as doing so could compromise the security and integrity of the CI/CD pipeline.
+# custom:
+#   remediationSteps:
+#     - 1. Make sure you have owner or maintainer permissions
+#     - 2. The remediation is available through the project's API (e.g., 'https://gitlab.com/api/v4/projects/<your-project-ID>')
+#     - 3. Set the 'restrict_user_defined_variables' attribute to TRUE (this attribute is FALSE by default)
+#     - 4. When 'restrict_user_defined_variables' is enabled, you can specify which role can override variables. This is done by setting the 'ci_pipeline_variables_minimum_override_role' attribute to one of: owner, maintainer, developer or no_one_allowed.
+#     - 5. For more information, you can check out gitlab's API documentation: https://docs.gitlab.com/ee/api/projects.html
+#   severity: LOW
+#   threat: Allowing overrides of predefined variables can result in unintentional misconfigurations of the CI/CD pipeline or deliberate tampering.
+default overriding_defined_variables_isnt_restricted := true
+
+overriding_defined_variables_isnt_restricted := false {
+	input.restrict_user_defined_variables
+}
diff --git a/test/repository_test.go b/test/repository_test.go
@@ -751,3 +751,20 @@ func TestGitlabRepositoryDismissStaleReviews(t *testing.T) {
 		repositoryTestTemplate(t, name, makeMockData(flag), testedPolicyName, expectFailure, scm_type.GitLab)
 	}
 }
+
+func TestGitlabRepositoryRestrictsOverrideVariables(t *testing.T) {
+	name := "Restrict Override Of Defined Variables"
+	testedPolicyName := "overriding_defined_variables_isnt_restricted"
+
+	makeMockData := func(flag bool) gitlabcollected.Repository {
+		return gitlabcollected.Repository{Project: &gitlab2.Project{RestrictUserDefinedVariables: flag}}
+	}
+	options := map[bool]bool{
+		false: true,
+		true:  false,
+	}
+	for _, expectFailure := range bools {
+		flag := options[expectFailure]
+		repositoryTestTemplate(t, name, makeMockData(flag), testedPolicyName, expectFailure, scm_type.GitLab)
+	}
+}