add validation logic for policy config paths

tenable · Mar 2, 2021 · 81e9b7f · 81e9b7f
1 parent 46570ca
commit 81e9b7f
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/pkg/config/global.go b/pkg/config/global.go
@@ -17,7 +17,6 @@
 package config
 
 import (
-	"os"
 	"path/filepath"
 
 	"github.com/accurics/terrascan/pkg/utils"

diff --git a/pkg/initialize/run.go b/pkg/initialize/run.go
@@ -20,26 +20,53 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"strings"
 
 	"github.com/accurics/terrascan/pkg/config"
+	"github.com/accurics/terrascan/pkg/utils"
+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	"gopkg.in/src-d/go-git.v4"
 	gitConfig "gopkg.in/src-d/go-git.v4/config"
 	"gopkg.in/src-d/go-git.v4/plumbing"
 )
 
+func validatePolicyConfigPaths(basePath, basePolicyPath string) error {
+	absoluteBasePath, err := utils.GetAbsPath(basePath)
+	if err != nil {
+		return errors.Errorf("invalid basePath %s, error : %v", basePath, err)
+	}
+
+	absoluteBasePolicyPath, err := utils.GetAbsPath(basePolicyPath)
+	if err != nil {
+		return errors.Errorf("invalid basePolicyPath %s, error : %v", basePolicyPath, err)
+	}
+
+	if !strings.HasPrefix(absoluteBasePolicyPath, absoluteBasePath) {
+		return errors.Errorf("policy path (%s) does not fall under base repo path's (%s) directory structure", absoluteBasePolicyPath, absoluteBasePath)
+	}
+
+	return nil
+}
+
 // Run initializes terrascan if not done already
 func Run(isScanCmd bool) error {
 	zap.S().Debug("initializing terrascan")
 
+	basePath := config.GetPolicyBasePath()
 	basePolicyPath := config.GetPolicyRepoPath()
 
+	if err := validatePolicyConfigPaths(basePath, basePolicyPath); err != nil {
+		return err
+	}
+
 	// check if policy paths exist
 	if path, err := os.Stat(basePolicyPath); err == nil && path.IsDir() {
 		if isScanCmd {
 			return nil
 		}
 	}
+
 	// download policies
 	if err := DownloadPolicies(); err != nil {
 		return err
@@ -51,7 +78,9 @@ func Run(isScanCmd bool) error {
 
 // DownloadPolicies clones the policies to a local folder
 func DownloadPolicies() error {
+
 	basePath := config.GetPolicyBasePath()
+	basePolicyPath := config.GetPolicyRepoPath()
 	repoURL := config.GetPolicyRepoURL()
 	branch := config.GetPolicyBranch()
 
@@ -70,6 +99,7 @@ func DownloadPolicies() error {
 	r, err := git.PlainClone(tempPath, false, &git.CloneOptions{
 		URL: repoURL,
 	})
+
 	if err != nil {
 		return fmt.Errorf("failed to download policies. error: '%v'", err)
 	}
@@ -102,6 +132,9 @@ func DownloadPolicies() error {
 		return fmt.Errorf("failed to clean up the directory '%s'. error: '%v'", basePath, err)
 	}
 
+	zap.S().Debugf("base directory path : %s", basePath)
+	zap.S().Debugf("policy directory path : %s", basePolicyPath)
+
 	// move the freshly cloned repo from tempPath to basePath
 	if err = os.Rename(tempPath, basePath); err != nil {
 		return fmt.Errorf("failed to install policies to '%s'. error: '%v'", basePath, err)