diff --git a/checks/cloud/azure/network/no_public_ingress_test.go b/checks/cloud/azure/network/no_public_ingress_test.go
index 72c206cb..dbbe0e0c 100644
--- a/checks/cloud/azure/network/no_public_ingress_test.go
+++ b/checks/cloud/azure/network/no_public_ingress_test.go
@@ -20,7 +20,7 @@ func TestCheckNoPublicIngress(t *testing.T) {
 expected bool
 }{
 {
- name: "Security group inbound rule with wildcard source address",
+ name: "Security group inbound rule with asterisk wildcard source address",
 input: network.Network{
 SecurityGroups: []network.SecurityGroup{
 {
@@ -40,6 +40,48 @@ func TestCheckNoPublicIngress(t *testing.T) {
 },
 expected: true,
 },
+ {
+ name: "Security group inbound rule with lower case internet wildcard source address",
+ input: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("internet", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ },
+ },
+ expected: true,
+ },
+ {
+ name: "Security group inbound rule with upper case internet wildcard source address",
+ input: network.Network{
+ SecurityGroups: []network.SecurityGroup{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Rules: []network.SecurityGroupRule{
+ {
+ Metadata: trivyTypes.NewTestMetadata(),
+ Allow: trivyTypes.Bool(true, trivyTypes.NewTestMetadata()),
+ Outbound: trivyTypes.Bool(false, trivyTypes.NewTestMetadata()),
+ SourceAddresses: []trivyTypes.StringValue{
+ trivyTypes.String("Internet", trivyTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
+ },
+ },
+ expected: true,
+ },
 {
 name: "Security group inbound rule with private source address",
 input: network.Network{
diff --git a/internal/cidr/cidr.go b/internal/cidr/cidr.go
index 56c442ef..4687f661 100755
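Review bot: The two new cases in TestCheckNoPublicIngress pin `internet`/`Internet` but not the `any` alias that the same commit also made case-insensitive in `cidr.IsPublic`, so a regression in that branch would go unnoticed by the Azure check's own tests. Consider a third case mirroring these with `trivyTypes.String("Any", trivyTypes.NewTestMetadata())` and `expected: true`, so the check-level test covers every spelling the underlying helper now accepts. The private-source case that follows and the rest of the table continue outside the hunk.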
--- a/internal/cidr/cidr.go
+++ b/internal/cidr/cidr.go
@@ -42,7 +42,7 @@ func isPrivate(ip net.IP) bool {
 // overflows an unsigned 64-bit int, the maximum value of an unsigned 64-bit int will be
 // returned.
 func CountAddresses(inputCIDR string) uint64 {
- if inputCIDR == "*" || inputCIDR == "internet" || inputCIDR == "any" {
+ if inputCIDR == "*" || strings.EqualFold(inputCIDR, "internet") || strings.EqualFold(inputCIDR, "any") {
 return 0xffffffffffffffff
 }
 if !strings.Contains(inputCIDR, "/") {
@@ -67,9 +67,8 @@ func CountAddresses(inputCIDR string) uint64 {
 // IsPublic returns true if a provided IP is outside of the designated public ranges, or
 // true if either of the min/max addresses of a provided CIDR are outside of these ranges.
 func IsPublic(cidr string) bool {
- // some providers use wildcards etc. instead of "0.0.0.0/0" :/
- if cidr == "*" || cidr == "internet" || cidr == "any" {
+ if cidr == "*" || strings.EqualFold(cidr, "internet") || strings.EqualFold(cidr, "any") {
 return true
 }
diff --git a/internal/cidr/cidr_test.go b/internal/cidr/cidr_test.go
index 783dfe62..6d41bf18 100755
--- a/internal/cidr/cidr_test.go
+++ b/internal/cidr/cidr_test.go
@@ -98,6 +98,22 @@ func TestPublicDetection(t *testing.T) {
 input: "nonsense",
 public: false,
 },
+ {
+ input: "internet",
+ public: true,
+ },
+ {
+ input: "Internet",
+ public: true,
+ },
+ {
+ input: "any",
+ public: true,
+ },
+ {
+ input: "Any",
+ public: true,
+ },
 }
 for _, test := range tests {
@@ -129,6 +145,22 @@ func TestCountCIDRAddresses(t *testing.T) {
 cidr: "::0/0",
 expected: math.MaxUint64,
 },
+ {
+ cidr: "internet",
+ expected: math.MaxUint64,
+ },
+ {
+ cidr: "Internet",
+ expected: math.MaxUint64,
+ },
+ {
+ cidr: "any",
+ expected: math.MaxUint64,
+ },
+ {
+ cidr: "Any",
+ expected: math.MaxUint64,
+ },
 }
 for _, test := range tests {
 t.Run(
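Review bot: The wildcard alias test `inputCIDR == "*" || strings.EqualFold(inputCIDR, "internet") || strings.EqualFold(inputCIDR, "any")` is now spelled out twice, here in CountAddresses and again in IsPublic in the following hunk (@@ -67), so the two can silently diverge the next time an alias is added or tightened, and a scanner that counts one spelling as public but another as not is exactly the kind of gap that hides an open security-group rule. A small unexported helper keeps the accepted spellings in one place and gives the rationale a home; both call sites then become `if isWildcard(inputCIDR) {` and `if isWildcard(cidr) {`. Note that `*` stays an exact comparison while the two words are case-folded, which is fine but deserves a comment. CountAddresses continues outside the hunk.

```go
// isWildcard reports whether s is one of the provider spellings that stand for
// "every address" in place of an explicit 0.0.0.0/0 or ::/0. The word forms are
// matched case-insensitively (the Azure test cases in this commit use "Internet");
// the asterisk is compared verbatim.
func isWildcard(s string) bool {
	return s == "*" || strings.EqualFold(s, "internet") || strings.EqualFold(s, "any")
}

// … unchanged: CountAddresses doc comment …
func CountAddresses(inputCIDR string) uint64 {
	if isWildcard(inputCIDR) {
		return 0xffffffffffffffff
	}
	// … unchanged: rest of CountAddresses …
```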
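Review bot: Removing `// some providers use wildcards etc. instead of "0.0.0.0/0" :/` takes away the only explanation of why IsPublic accepts non-CIDR strings at all; a reader of the new side sees three magic words with no source. Keep a comment above the new `if`, for example `// Some providers express "all addresses" as a wildcard ("*", "internet", "any") rather than 0.0.0.0/0; treat those as public regardless of case.` The same remark applies to the CountAddresses hunk above, whose equivalent branch never had one. IsPublic continues outside the hunk.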
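Review bot: The four new TestPublicDetection entries only assert the positive direction; nothing pins that the case-fold is still an exact-length match, so a later switch to a prefix or `strings.Contains` check would widen what counts as public without any test failing. Add one negative neighbour such as `{input: "anything", public: false}` next to the existing `"nonsense"` case, which already shows that the non-CIDR fall-through yields false. The same applies to the TestCountCIDRAddresses hunk below, where a `cidr: "anything"` entry would pin the non-wildcard path. The test table begins before the hunk.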