hashicorp · tgross · Oct 16, 2023 · Oct 12, 2023
diff --git a/.semgrep/rpc_endpoint.yml b/.semgrep/rpc_endpoint.yml
@@ -2,9 +2,7 @@
 # SPDX-License-Identifier: BUSL-1.1
 
 rules:
-  # Check potentially unauthenticated RPC endpoints. Technically more
-  # authorization (authz) oriented than authn, but before Nomad 1.4/1.5 that
-  # distinction wasn't as important.
+  # Check potentially RPC endpoints with missing authentication/authorization.
   - id: "rpc-potentially-unauthenticated"
     patterns:
       - pattern: |
@@ -40,7 +38,6 @@ rules:
           }
           ...
 
-
       # Pattern used by endpoints that are used only for client-to-server.
       # Authorization can be done after forwarding, but must check the
       # AllowClientOp policy
@@ -56,7 +53,6 @@ rules:
           }
           ...
 
-
       # Pattern used by endpoints that are used only for client-to-server.
       # Authorization can be done after forwarding, but must check the
       # AllowClientOp policy. This should not be added to any new endpoints.
@@ -72,7 +68,8 @@ rules:
           }
           ...
 
-      # Pattern used by ACL endpoints that need to interact with the token directly
+      # Pattern used by ACL endpoints that need to interact with the token
+      # directly.
       - pattern-not-inside: |
           authErr := $A.$B.Authenticate($A.ctx, args)
           ...
@@ -82,52 +79,7 @@ rules:
           ...
           ... := args.GetIdentity().GetACLToken()
           ...
-      # Pattern used by endpoints called exclusively between agents
-      # (server -> server or client -> server)
-      - pattern-not-inside: |
-          authErr := $A.$B.Authenticate($A.ctx, args)
-          ...
-          ... := validateTLSCertificateLevel(...)
-          ...
-          if done, err := $A.$B.forward($METHOD, ...); done {
-            return err
-          }
-      # Pattern used by endpoints that support both normal ACLs and workload
-      # identity but break authentication and authorization up
-      # TODO: currently this is just for Variables and should be removed once
-      # https://github.com/hashicorp/nomad/issues/15875 is complete.
-      - pattern-not-inside: |
-          authErr := $A.$B.Authenticate($A.ctx, args)
-          ...
-          if done, err := $A.$B.forward($METHOD, ...); done {
-            return err
-          }
-          ...
-          ... := $T.handleMixedAuthEndpoint(...)
-          ...
-      # Second pattern used by endpoints that support both normal ACLs and
-      # workload identity but break authentication and authorization up
-      # TODO: currently this is just for Variables and should be removed once
-      # https://github.com/hashicorp/nomad/issues/15875 is complete.
-      - pattern-not-inside: |
-          authErr := $A.$B.Authenticate($A.ctx, args)
-          ...
-          if done, err := $A.$B.forward($METHOD, ...); done {
-            return err
-          }
-          ...
-          ... := svePreApply($A, args, args.Var)
-          ...
-      # Pattern used by some Node endpoints.
-      - pattern-not-inside: |
-          authErr := $A.$B.Authenticate($A.ctx, args)
-          ...
-          if done, err := $A.$B.forward($METHOD, ...); done {
-            return err
-          }
-          ...
-          return $A.deregister(...)
-          ...
+
       - metavariable-pattern:
           metavariable: $METHOD
           patterns:
@@ -142,8 +94,6 @@ rules:
             - pattern-not: 'structs.ACLOIDCAuthURLRPCMethod'
             - pattern-not: 'structs.ACLOIDCCompleteAuthRPCMethod'
             - pattern-not: 'structs.ACLLoginRPCMethod'
-            - pattern-not: '"CSIPlugin.Get"'
-            - pattern-not: '"CSIPlugin.List"'
             - pattern-not: '"Status.Leader"'
             - pattern-not: '"Status.Peers"'
             - pattern-not: '"Status.Version"'
@@ -155,3 +105,24 @@ rules:
     paths:
       include:
         - "nomad/*_endpoint.go"
+
+
+  # ACL objects should never be nil-checked in RPC handlers before checking
+  # authorization, as nil ACLs are always programmer errors.
+  - id: "rpc-authz-bypass"
+    patterns:
+      # Pattern that will accidentally bypass authorization checks.
+      - pattern: |
+          ...
+          if aclObj != nil && aclObj.$ACL_CHECK(...) {
+          ...
+          }
+          ...
+
+    message: "RPC method ACL check $ACL_CHECK appears to bypass authorization by first checking for nil ACLs"
+    languages:
+      - "go"
+    severity: "WARNING"
+    paths:
+      include:
+        - "nomad/*_endpoint.go"