Merge pull request #421 from kubescape/feature/edge-cases

Adding more generic check
kubescape · Nov 28, 2024 · aaa5a26 · aaa5a26
2 parents 0a8948b + c90d06a
commit aaa5a26
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 39 deletions.
diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access.go
@@ -59,52 +59,25 @@ func getTokenBasePath(path string) string {
 
 // normalizeTokenPath removes timestamp directories from the path while maintaining
 // the essential structure. Handles both timestamp directories and dynamic identifiers.
-func normalizeTokenPath(path string) string {
-	// Get the base path - if not a token path, return original
-	basePath := getTokenBasePath(path)
-	if basePath == "" {
-		return path
-	}
-
-	// Get the final component (usually "token", "ca.crt", etc.)
-	finalComponent := filepath.Base(path)
+func normalizeTimestampPath(path string) string {
+	parts := strings.Split(filepath.Clean(path), string(filepath.Separator))
+	var normalized []string
 
-	// Split the middle part (between base path and final component)
-	middle := strings.TrimPrefix(filepath.Dir(path), basePath)
-	if middle == "" {
-		return filepath.Join(basePath, finalComponent)
-	}
-
-	// Check if the path contains a dynamic identifier
-	if strings.Contains(middle, dynamicpathdetector.DynamicIdentifier) {
-		// If it has a dynamic identifier, keep the base structure but normalize the variable part
-		return filepath.Join(basePath, dynamicpathdetector.DynamicIdentifier, finalComponent)
-	}
-
-	// Process middle parts
-	var normalizedMiddle strings.Builder
-	parts := strings.Split(middle, "/")
 	for _, part := range parts {
 		if part == "" {
 			continue
 		}
-		// Skip timestamp directories (starting with ".." and containing "_")
+
+		// Replace timestamp directories with their base form
 		if strings.HasPrefix(part, "..") && strings.Contains(part, "_") {
-			normalizedMiddle.WriteString("/")
-			normalizedMiddle.WriteString(dynamicpathdetector.DynamicIdentifier)
-			break // We only need one dynamic identifier
+			normalized = append(normalized, "..timestamp")
+			continue
 		}
-		normalizedMiddle.WriteString("/")
-		normalizedMiddle.WriteString(part)
-	}
 
-	// If no middle parts remain, join base and final
-	if normalizedMiddle.Len() == 0 {
-		return filepath.Join(basePath, finalComponent)
+		normalized = append(normalized, part)
 	}
 
-	// Join all parts
-	return basePath + normalizedMiddle.String() + "/" + finalComponent
+	return "/" + strings.Join(normalized, "/")
 }
 
 func CreateRuleR0006UnexpectedServiceAccountTokenAccess() *R0006UnexpectedServiceAccountTokenAccess {
@@ -149,12 +122,12 @@ func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType uti
 	}
 
 	// Normalize the accessed path once
-	normalizedAccessedPath := normalizeTokenPath(openEvent.FullPath)
-	dirPath := filepath.Dir(normalizedAccessedPath)
+	normalizedAccessedPath := normalizeTimestampPath(openEvent.FullPath)
 
 	// Check against whitelisted paths
 	for _, open := range appProfileOpenList.Opens {
-		if dirPath == filepath.Dir(normalizeTokenPath(open.Path)) {
+		normalizedWhitelistedPath := normalizeTimestampPath(open.Path)
+		if dynamicpathdetector.CompareDynamic(filepath.Dir(normalizedWhitelistedPath), filepath.Dir(normalizedAccessedPath)) {
 			return nil
 		}
 	}

diff --git a/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access_test.go b/pkg/ruleengine/v1/r0006_unexpected_service_account_token_access_test.go
@@ -113,6 +113,18 @@ func TestR0006UnexpectedServiceAccountTokenMount(t *testing.T) {
 			}}),
 			expectFailure: false, // Should pass because normalized directory matches
 		},
+		// Tests with EKS paths and timestamps
+		{
+			name: "whitelisted eks token access with timestamps with compress hello world",
+			event: createTestEvent0006("test",
+				"/var/run/secrets/eks.amazonaws.com/serviceaccount/..2024_11_1111_24_34_58.850095521/token",
+				[]string{"O_RDONLY"}),
+			profile: createTestProfile0006("test", []v1beta1.OpenCalls{{
+				Path:  fmt.Sprintf("/%s/%s/%s/%s/%s/%s/token", dynamicpathdetector.DynamicIdentifier, dynamicpathdetector.DynamicIdentifier, dynamicpathdetector.DynamicIdentifier, dynamicpathdetector.DynamicIdentifier, dynamicpathdetector.DynamicIdentifier, dynamicpathdetector.DynamicIdentifier),
+				Flags: []string{"O_RDONLY"},
+			}}),
+			expectFailure: false, // Should pass because normalized directory matches
+		},
 		// Tests with k8s paths and timestamps
 		{
 			name: "non whitelisted k8s token access with timestamps",