feat(checks): Add checks to detect suspicious Kubernetes URL annotations
Annotations in Kubernetes are widely used across many different resources. As seen in https://github.com/aquasecurity/trivy-checks/pull/374 they can be misused.
We can write a check that checks all resources and their annotations for suspicious and unexpected values. As a part of this check, we can also improve the regex (or take a different approach) as was done here.
@simar7 Any examples of what suspicious annotations might look like?
@nikpivkin I actually missed an important detail, we should start off with annotations like auth_url or any other url* type annotation first as they're straightforward to define being URLs. If they are not URLs, we should flag them.
So something like [-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*) taken off of here.
The ingress-nginx repository uses a fairly simple regular expression.
Can we add checks for all annotations as the issue says? I have seen that some annotations allow characters that might be considered suspicious in some cases, such as line breaks.
Sure, but what else would you consider suspicious? With URLs it's easy to determine but with plain text annotation fields, detection of something like injection comes to mind.
Yes I saw it, I'm not sure why it's this simplified. Then again it may be enough to cover all cases.
This isn't about suspicious values, but about malformed values. Annotation values are always strings but in some cases expect a certain type of value. For example, the auth_url annotation clearly expects a URL, but there's no validation, so the user can (intentionally or accidentally) set it to an invalid URL. We've added a few validations based on the annotations used in ingress-nginx, but it's a good idea to validate any label that expects a specific type.
How can we know the type for any label, except if we create a list of such annotations ourselves?
I think we can start with any annotation that has a key where a URL is the expected value.
@nikpivkin there's also this list which we could build checks against https://kubernetes.io/docs/reference/labels-annotations-taints/
As for other URLs that aren't well-known according to that list, we could do a basic regex grab for something that has "url" in the key of the annotation. This may lead to false positives but I don't have a better solution at this time.
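The approach sketched in this thread (a list of well-known URL-typed annotation keys, plus a fallback that treats any key containing "url" as URL-typed, and flagging values that are not URLs) as an added example in Python; this is not code from the trivy-checks project and not the Rego check that would eventually ship. The two ingress-nginx annotation keys in the known list and the sample Ingress manifest are constructed for the example, and the strict validator (scheme plus host, no whitespace or control characters) is an assumption about what "valid URL" should mean here. The permissive pattern posted earlier in the thread is kept alongside for comparison, because it accepts scheme-less host/path strings that the strict check rejects.

```python
import re
from urllib.parse import urlsplit

# Constructed starting list of annotation keys whose value must be a URL.
# Assumption: extend it from the ingress-nginx annotation docs and from
# https://kubernetes.io/docs/reference/labels-annotations-taints/
KNOWN_URL_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url",
    "nginx.ingress.kubernetes.io/auth-signin",
}

# The permissive pattern proposed in the thread, kept only for comparison.
THREAD_REGEX = re.compile(
    r"[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)"
)


def expects_url(key: str) -> bool:
    """Known URL-typed key, or the fallback heuristic: 'url' anywhere in the key."""
    return key in KNOWN_URL_ANNOTATIONS or "url" in key.lower()


def is_valid_url(value: str) -> bool:
    """Strict check (assumption): http(s) scheme, non-empty host, and no
    whitespace or control characters anywhere (catches embedded line breaks)."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def check_annotations(manifest: dict) -> list[str]:
    """Return one finding per URL-typed annotation whose value is not a valid URL."""
    findings = []
    meta = manifest.get("metadata", {})
    ident = f"{manifest.get('kind', '?')}/{meta.get('name', '?')}"
    for key, value in meta.get("annotations", {}).items():
        if not expects_url(key):
            continue  # not URL-typed: out of scope for this check
        if not isinstance(value, str) or not is_valid_url(value):
            findings.append(f"{ident}: annotation {key!r} expects a URL, got {value!r}")
    return findings


# Constructed sample manifest: one valid value, one scheme-less value,
# one value with an embedded line break, and one annotation that is not URL-typed.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "demo",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.com/verify",
            "nginx.ingress.kubernetes.io/auth-signin": "auth.example.com/start",
            "example.com/callback-url": "https://cb.example.com/\nignored",
            "nginx.ingress.kubernetes.io/rewrite-target": "/",
        },
    },
}

if __name__ == "__main__":
    for finding in check_annotations(SAMPLE_INGRESS):
        print(finding)
    # Shows why the thread's regex alone is too loose: it accepts a bare host/path.
    print("thread regex accepts scheme-less value:",
          THREAD_REGEX.fullmatch("auth.example.com/start") is not None)
```

Running it reports two findings (the scheme-less auth-signin value and the callback-url value containing a line break) and skips rewrite-target, which is not URL-typed. The comparison line prints True, which is the false-negative the strict validator is there to close.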