fix(query): fp for Storage Share File Allows All ACL Permissions#7612

Merged
cx-artur-ribeiro merged 7 commits into master from AST-40740--FP-Storage_Share_File_Allows_All_ACL_Permissions--ARM on Aug 14, 2025

Conversation

@cx-andre-pereira cx-andre-pereira commented Jul 30, 2025

Reason for Proposed Changes

  • Currently the query references the azurerm_storage_share_file resource, which does not, itself, declare the ACL permissions associated with the query's naming/purpose.
  • The query, as is currently, finds the storage_share_id within an azurerm_storage_share_file, and validates whether the azurerm_storage_share resource associated with that id is declaring permissions = "rwdl".
  • The query naming is deceiving because it seems as though the azurerm_storage_share_file resource is the one with a dangerously permissive permissions field, but it is actually the azurerm_storage_share that defines permissions for azurerm_storage_share_file resources, and the query should reference the resource that directly "Allows All ACL Permissions" as stated in the query's name.

Proposed Changes

  • I have adjusted the query name and the related files (metadata/expected_result/folder) to correctly point out the resource at fault, the azurerm_storage_share.
  • The query logic was already correctly flagging this field (searchKey, keyExpectedValue, ...), making this change even more warranted.

I submit this contribution under the Apache-2.0 license.
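As an added example (not the KICS query or any code from this PR), the check the description above spells out, written in Python over a constructed dict shaped like Terraform's JSON configuration syntax: it flags the azurerm_storage_share whose access policy grants rwdl and resolves which azurerm_storage_share_file resources point at it through storage_share_id. The set comparison generalizes the query's literal "rwdl" to the same four permissions in any order; all resource names and values are constructed.

```python
ALL_PERMS = "rwdl"  # read, write, delete, list: every permission an access policy can grant

# Constructed sample in Terraform JSON-syntax shape; not taken from the PR or the project's tests.
SAMPLE_CONFIG = {
    "resource": {
        "azurerm_storage_share": {
            "wide_open": {
                "name": "share-a",
                "acl": [{
                    "id": "full-access",
                    "access_policy": [{"permissions": "rwdl", "start": "2025-01-01T00:00:00.0000000Z",
                                       "expiry": "2026-01-01T00:00:00.0000000Z"}],
                }],
            },
            "read_only": {
                "name": "share-b",
                "acl": [{"id": "readers", "access_policy": [{"permissions": "rl"}]}],
            },
        },
        "azurerm_storage_share_file": {
            "report": {"name": "report.txt",
                       "storage_share_id": "${azurerm_storage_share.wide_open.id}"},
            "notes": {"name": "notes.txt",
                      "storage_share_id": "${azurerm_storage_share.read_only.id}"},
        },
    }
}

def permissive_shares(config):
    """Names of azurerm_storage_share resources with an access policy granting all of r, w, d, l."""
    # The PR's query compares the literal "rwdl"; the set test also catches another ordering.
    shares = config.get("resource", {}).get("azurerm_storage_share", {})
    hits = []
    for name, share in shares.items():
        for acl in share.get("acl", []):
            for policy in acl.get("access_policy", []):
                if set(ALL_PERMS) <= set(policy.get("permissions", "")):
                    hits.append(name)
    return sorted(set(hits))

def files_on_share(config, share_name):
    """azurerm_storage_share_file resources whose storage_share_id references share_name."""
    ref = f"azurerm_storage_share.{share_name}.id"
    files = config.get("resource", {}).get("azurerm_storage_share_file", {})
    return sorted(n for n, f in files.items() if ref in str(f.get("storage_share_id", "")))

def report(config):
    """Findings keyed on the share (the resource at fault), with the files that inherit its ACL."""
    return [{"share": s, "files": files_on_share(config, s)} for s in permissive_shares(config)]
```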

@cx-andre-pereira cx-andre-pereira requested a review from a team as a code owner July 30, 2025 14:35
@github-actions github-actions bot added query New query feature terraform Terraform query labels Jul 30, 2025
@github-actions
KICS version: v2.1.11

Category Results
CRITICAL 0
HIGH 0
MEDIUM 0
LOW 0
INFO 0
TRACE 0
TOTAL 0

Metric Values
Files scanned 1
Files parsed 1
Files failed to scan 0
Total executed queries 47
Queries failed to execute 0
Execution time 0

@cx-artur-ribeiro cx-artur-ribeiro left a comment

After reviewing the changes, it seems like we were already looking at the desired azurerm_storage_share resource and checking the permissions parameter.
Is it obligatory to use the name of the resource azurerm_storage_share_file in the resource azurerm_storage_share in order for it to be used? I didn't find the documentation stating that, but I understand that the query was already done this way, so you didn't introduce this change.
If you could please make the changes requested, I would approve the changes.

@Checkmarx Checkmarx deleted a comment from gitguardian bot Aug 6, 2025

@gitguardian gitguardian bot commented Aug 14, 2025

⚠️ GitGuardian has uncovered 3 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
GitGuardian id | GitGuardian status | Secret | Commit | Filename
19562607 | Triggered | Generic Password | 250d49a | assets/queries/common/passwords_and_secrets/test/positive53.json
4266022 | Triggered | Generic Password | 527d8fa | assets/queries/cloudFormation/aws/amplify_branch_basic_auth_config_password_exposed/test/negative7.yaml
9419039 | Triggered | Username Password | 527d8fa | assets/queries/cloudFormation/aws/amplify_app_basic_auth_config_password_exposed/test/positive6.json
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secrets safely. Learn here the best practices.
  3. Revoke and rotate these secrets.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@cx-artur-ribeiro cx-artur-ribeiro merged commit 4fd3bdc into master Aug 14, 2025
27 checks passed
@cx-artur-ribeiro cx-artur-ribeiro deleted the AST-40740--FP-Storage_Share_File_Allows_All_ACL_Permissions--ARM branch August 14, 2025 16:25