From d1f8c793112e282c883bd74994b60ec7cef1c0a1 Mon Sep 17 00:00:00 2001
From: Maya-legit
Date: Sun, 22 Sep 2024 13:51:44 +0300
Subject: [PATCH 1/2] feat: adding override-variables policy

---
 e2e/gitlab.go | 5 +++++
 policies/gitlab/repository.rego | 19 +++++++++++++++++++
 test/repository_test.go | 17 +++++++++++++++++
 3 files changed, 41 insertions(+)

diff --git a/e2e/gitlab.go b/e2e/gitlab.go
index 140bbcd5..a0238ceb 100644
--- a/e2e/gitlab.go
+++ b/e2e/gitlab.go
@@ -69,4 +69,9 @@ var testCasesGitLab = []testCase{
 path: "data.member.two_factor_authentication_is_disabled_for_an_external_collaborator",
 skippedEntity: "legitify-test",
 },
+ {
+ path: "data.repository.overriding_defined_variables_isnt_restricted",
+ failedEntity: "failed_repo",
+ passedEntity: "passed_repo",
+ },
 }
diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
index 6b6aa5ab..f34a2c8f 100644
--- a/policies/gitlab/repository.rego
+++ b/policies/gitlab/repository.rego
@@ -344,3 +344,22 @@ default repository_dismiss_stale_reviews := true
 repository_dismiss_stale_reviews := false {
 input.approval_configuration.reset_approvals_on_push
 }
+
+# METADATA
+# scope: rule
+# title: The ability to override predefined variables should be limited only to users with at least Maintainer role.
+# description: It’s recommended to restrict users with low privileges from overriding predefined variables, as doing so could compromise the security and integrity of the CI/CD pipeline.
+# custom:
+# remediationSteps:
+# - 1. Make sure you have owner or maintainer permissions
+# - 2. The remediation is available through the project's API (e.g., 'https://gitlab.com/api/v4/projects/')
+# - 3. Set the 'restrict_user_defined_variables' attribute to TRUE (this attribute is FALSE by default)
+# - 4. When 'restrict_user_defined_variables' is enabled, you can specify which role can override variables. This is done by setting the 'ci_pipeline_variables_minimum_override_role' attribute to one of: owner, maintainer, developer or no_one_allowed.
+# - 5. For more information, you can check out gitlab's API documentation: https://docs.gitlab.com/ee/api/projects.html
+# severity: MEDIUM
+# threat: Predefined variables often contain sensitive information (like credentials, tokens, or environment settings), and allowing overrides may lead to accidental misconfiguration or intentional tampering.
+default overriding_defined_variables_isnt_restricted := true
+
+overriding_defined_variables_isnt_restricted := false {
+ input.restrict_user_defined_variables
+}
\ No newline at end of file
diff --git a/test/repository_test.go b/test/repository_test.go
index 2c239349..67bea8f4 100644
--- a/test/repository_test.go
+++ b/test/repository_test.go
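Review bot: The new rule clears the finding as soon as `input.restrict_user_defined_variables` is true, but the title promises that overriding is limited to users with at least the Maintainer role, and remediation step 4 itself says the permitted role is chosen separately through `ci_pipeline_variables_minimum_override_role`, which may be set to `developer`. A project with the restriction enabled but the override role left at developer therefore passes this check while developers can still override variables. If the collected project data exposes that attribute, the false branch should also constrain it, e.g. `input.ci_pipeline_variables_minimum_override_role != "developer"`; if it does not, the title and description should be narrowed to what the rule actually verifies, which is the restriction flag alone. The added text also ends without a trailing newline (`\ No newline at end of file`), which the next edit to this file will churn.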
@@ -751,3 +751,20 @@ func TestGitlabRepositoryDismissStaleReviews(t *testing.T) {
 repositoryTestTemplate(t, name, makeMockData(flag), testedPolicyName, expectFailure, scm_type.GitLab)
 }
 }
+
+func TestGitlabRepositoryRestrictsOverrideVariables(t *testing.T) {
+ name := "Restrict Override Of Defined Variables"
+ testedPolicyName := "overriding_defined_variables_isnt_restricted"
+
+ makeMockData := func(flag bool) gitlabcollected.Repository {
+ return gitlabcollected.Repository{Project: &gitlab2.Project{RestrictUserDefinedVariables: flag}}
+ }
+ options := map[bool]bool{
+ false: true,
+ true: false,
+ }
+ for _, expectFailure := range bools {
+ flag := options[expectFailure]
+ repositoryTestTemplate(t, name, makeMockData(flag), testedPolicyName, expectFailure, scm_type.GitLab)
+ }
+}
From 3bffabbaa9678ccbf4569d7fce78c01ecdb84f6e Mon Sep 17 00:00:00 2001
From: Maya-legit
Date: Sun, 22 Sep 2024 15:44:55 +0300
Subject: [PATCH 2/2] fix severity and threat

---
 policies/gitlab/repository.rego | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policies/gitlab/repository.rego b/policies/gitlab/repository.rego
index f34a2c8f..1087c007 100644
--- a/policies/gitlab/repository.rego
+++ b/policies/gitlab/repository.rego
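Review bot: The `options` map in TestGitlabRepositoryRestrictsOverrideVariables only encodes negation, so the lookup `flag := options[expectFailure]` reads more directly as `flag := !expectFailure` and the map literal can be dropped. The mock always populates `Project`, so the case where the project payload is absent — and `input.restrict_user_defined_variables` is undefined, which the policy's `default ... := true` reports as a violation — is never exercised; if the collector can produce a repository with a nil `Project`, a third case pinning that outcome is worth adding so the default is covered deliberately rather than by accident.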
@@ -356,8 +356,8 @@ repository_dismiss_stale_reviews := false {
 # - 3. Set the 'restrict_user_defined_variables' attribute to TRUE (this attribute is FALSE by default)
 # - 4. When 'restrict_user_defined_variables' is enabled, you can specify which role can override variables. This is done by setting the 'ci_pipeline_variables_minimum_override_role' attribute to one of: owner, maintainer, developer or no_one_allowed.
 # - 5. For more information, you can check out gitlab's API documentation: https://docs.gitlab.com/ee/api/projects.html
-# severity: MEDIUM
-# threat: Predefined variables often contain sensitive information (like credentials, tokens, or environment settings), and allowing overrides may lead to accidental misconfiguration or intentional tampering.
+# severity: LOW
+# threat: Allowing overrides of predefined variables can result in unintentional misconfigurations of the CI/CD pipeline or deliberate tampering.
 default overriding_defined_variables_isnt_restricted := true
 
 overriding_defined_variables_isnt_restricted := false {