fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/adapters/arm/network/adapt.go

@@ -1,14 +1,16 @@
 package network
 
 import (
-	"strconv"
-	"strings"
-
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/common"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/network"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/azure"
 	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
 )
 
+func parsePortRange(input string, meta iacTypes.Metadata) common.PortRange {
+	return common.ParsePortRange(input, meta, common.WithWildcard())
+}
+
 func Adapt(deployment azure.Deployment) network.Network {
 	return network.Network{
 		SecurityGroups:         adaptSecurityGroups(deployment),
@@ -42,20 +44,30 @@ func adaptSecurityGroupRule(resource azure.Resource) network.SecurityGroupRule {
 	sourceAddressPrefixes := resource.Properties.GetMapValue("sourceAddressPrefixes").AsStringValuesList("")
 	sourceAddressPrefixes = append(sourceAddressPrefixes, resource.Properties.GetMapValue("sourceAddressPrefix").AsStringValue("", resource.Metadata))
 
-	var sourcePortRanges []network.PortRange
+	var sourcePortRanges []common.PortRange
 	for _, portRange := range resource.Properties.GetMapValue("sourcePortRanges").AsList() {
-		sourcePortRanges = append(sourcePortRanges, expandRange(portRange.AsString(), resource.Metadata))
+		rng := parsePortRange(portRange.AsString(), resource.Metadata)
+		if rng.Valid() {
+			sourcePortRanges = append(sourcePortRanges, rng)
+		}
+	}
+	if rng := parsePortRange(resource.Properties.GetMapValue("sourcePortRange").AsString(), resource.Metadata); rng.Valid() {
+		sourcePortRanges = append(sourcePortRanges, rng)
 	}
-	sourcePortRanges = append(sourcePortRanges, expandRange(resource.Properties.GetMapValue("sourcePortRange").AsString(), resource.Metadata))
 
 	destinationAddressPrefixes := resource.Properties.GetMapValue("destinationAddressPrefixes").AsStringValuesList("")
 	destinationAddressPrefixes = append(destinationAddressPrefixes, resource.Properties.GetMapValue("destinationAddressPrefix").AsStringValue("", resource.Metadata))
 
-	var destinationPortRanges []network.PortRange
+	var destinationPortRanges []common.PortRange
 	for _, portRange := range resource.Properties.GetMapValue("destinationPortRanges").AsList() {
-		destinationPortRanges = append(destinationPortRanges, expandRange(portRange.AsString(), resource.Metadata))
+		rng := parsePortRange(portRange.AsString(), resource.Metadata)
+		if rng.Valid() {
+			destinationPortRanges = append(destinationPortRanges, rng)
+		}
+	}
+	if rng := parsePortRange(resource.Properties.GetMapValue("destinationPortRange").AsString(), resource.Metadata); rng.Valid() {
+		destinationPortRanges = append(destinationPortRanges, rng)
 	}
-	destinationPortRanges = append(destinationPortRanges, expandRange(resource.Properties.GetMapValue("destinationPortRange").AsString(), resource.Metadata))
 
 	allow := iacTypes.BoolDefault(false, resource.Metadata)
 	if resource.Properties.GetMapValue("access").AsString() == "Allow" {
@@ -96,31 +108,3 @@ func adaptNetworkWatcherFlowLog(resource azure.Resource) network.NetworkWatcherF
 		},
 	}
 }
-
-func expandRange(r string, m iacTypes.Metadata) network.PortRange {
-	start := 0
-	end := 65535
-	switch {
-	case r == "*":
-	case strings.Contains(r, "-"):
-		if parts := strings.Split(r, "-"); len(parts) == 2 {
-			if p1, err := strconv.ParseInt(parts[0], 10, 32); err == nil {
-				start = int(p1)
-			}
-			if p2, err := strconv.ParseInt(parts[1], 10, 32); err == nil {
-				end = int(p2)
-			}
-		}
-	default:
-		if val, err := strconv.ParseInt(r, 10, 32); err == nil {
-			start = int(val)
-			end = int(val)
-		}
-	}
-
-	return network.PortRange{
-		Metadata: m,
-		Start:    iacTypes.Int(start, m),
-		End:      iacTypes.Int(end, m),
-	}
-}

pkg/iac/adapters/arm/network/adapt_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/trivy/pkg/iac/adapters/arm/adaptertest"
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/common"
 	"github.com/aquasecurity/trivy/pkg/iac/providers/azure/network"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
@@ -42,9 +43,7 @@ func TestAdapt(t *testing.T) {
 				SecurityGroups: []network.SecurityGroup{{
 					Rules: []network.SecurityGroupRule{{
 						DestinationAddresses: []types.StringValue{types.StringTest("")},
-						DestinationPorts:     []network.PortRange{{Start: types.IntTest(0), End: types.IntTest(65535)}},
 						SourceAddresses:      []types.StringValue{types.StringTest("")},
-						SourcePorts:          []network.PortRange{{Start: types.IntTest(0), End: types.IntTest(65535)}},
 					}},
 				}},
 			},
@@ -111,7 +110,7 @@ func TestAdapt(t *testing.T) {
 							types.StringTest("10.0.2.0/24"),
 							types.StringTest("10.0.0.0/24"),
 						},
-						SourcePorts: []network.PortRange{
+						SourcePorts: []common.PortRange{
 							{
 								Start: types.IntTest(1000),
 								End:   types.IntTest(2000),
@@ -130,7 +129,7 @@ func TestAdapt(t *testing.T) {
 							types.StringTest("172.16.2.0/24"),
 							types.StringTest("172.16.0.0/16"),
 						},
-						DestinationPorts: []network.PortRange{
+						DestinationPorts: []common.PortRange{
 							{
 								Start: types.IntTest(8080),
 								End:   types.IntTest(8080),

pkg/iac/adapters/common/network.go

@@ -0,0 +1,78 @@
+package common
+
+import (
+	"strconv"
+	"strings"
+
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+type PortRange struct {
+	Metadata iacTypes.Metadata
+	Start    iacTypes.IntValue
+	End      iacTypes.IntValue
+}
+
+func NewPortRange(start, end int, meta iacTypes.Metadata) PortRange {
+	return PortRange{
+		Metadata: meta,
+		Start:    iacTypes.Int(start, meta),
+		End:      iacTypes.Int(end, meta),
+	}
+}
+
+func FullPortRange(meta iacTypes.Metadata) PortRange {
+	return NewPortRange(0, 65535, meta)
+}
+
+func InvalidPortRange(meta iacTypes.Metadata) PortRange {
+	return NewPortRange(-1, -1, meta)
+}
+
+func (r PortRange) Valid() bool {
+	return !r.Start.EqualTo(-1) && !r.End.EqualTo(-1)
+}
+
+type parseConfig struct {
+	allowWildcard bool
+}
+
+type ParseOption func(*parseConfig)
+
+func WithWildcard() ParseOption {
+	return func(cfg *parseConfig) {
+		cfg.allowWildcard = true
+	}
+}
+
+func ParsePortRange(input string, meta iacTypes.Metadata, opts ...ParseOption) PortRange {
+	cfg := &parseConfig{}
+	for _, opt := range opts {
+		opt(cfg)
+	}
+
+	input = strings.TrimSpace(input)
+
+	switch {
+	case input == "*" && cfg.allowWildcard:
+		return FullPortRange(meta)
+	case strings.Contains(input, "-"):
+		parts := strings.SplitN(input, "-", 2)
+		if len(parts) != 2 {
+			return InvalidPortRange(meta)
+		}
+		start, err1 := strconv.Atoi(strings.TrimSpace(parts[0]))
+		end, err2 := strconv.Atoi(strings.TrimSpace(parts[1]))
+		if err1 != nil || err2 != nil {
+			return InvalidPortRange(meta)
+		}
+		return NewPortRange(start, end, meta)
+
+	default:
+		val, err := strconv.Atoi(input)
+		if err != nil {
+			return InvalidPortRange(meta)
+		}
+		return NewPortRange(val, val, meta)
+	}
+}

pkg/iac/adapters/common/network_test.go

@@ -0,0 +1,93 @@
+package common_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/aquasecurity/trivy/pkg/iac/adapters/common"
+	iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+func TestParsePortRange(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		options  []common.ParseOption
+		expected common.PortRange
+		valid    bool
+	}{
+		{
+			name:  "single port",
+			input: "80",
+			expected: common.PortRange{
+				Start: iacTypes.IntTest(80),
+				End:   iacTypes.IntTest(80),
+			},
+			valid: true,
+		},
+		{
+			name:  "port range",
+			input: "1000-2000",
+			expected: common.PortRange{
+				Start: iacTypes.IntTest(1000),
+				End:   iacTypes.IntTest(2000),
+			},
+			valid: true,
+		},
+		{
+			name:  "port range with spaces",
+			input: " 22 - 80 ",
+			expected: common.PortRange{
+				Start: iacTypes.IntTest(22),
+				End:   iacTypes.IntTest(80),
+			},
+			valid: true,
+		},
+		{
+			name:    "wildcard allowed",
+			input:   "*",
+			options: []common.ParseOption{common.WithWildcard()},
+			expected: common.PortRange{
+				Start: iacTypes.IntTest(0),
+				End:   iacTypes.IntTest(65535),
+			},
+			valid: true,
+		},
+		{
+			name:  "wildcard disallowed",
+			input: "*",
+			valid: false,
+		},
+		{
+			name:  "invalid string",
+			input: "abc",
+			valid: false,
+		},
+		{
+			name:  "incomplete range",
+			input: "80-",
+			valid: false,
+		},
+		{
+			name:  "double dash",
+			input: "--",
+			valid: false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			meta := iacTypes.NewTestMetadata()
+			pr := common.ParsePortRange(tc.input, meta, tc.options...)
+
+			if tc.valid {
+				assert.True(t, pr.Valid())
+				tc.expected.Metadata = meta
+				assert.Equal(t, tc.expected, pr)
+			} else {
+				assert.False(t, pr.Valid())
+			}
+		})
+	}
+}