Beta - SQL DB Instance With Exposed Show Privileges

  • Query id: b5b70198-2a34-4792-b0d9-ce99abe485bb
  • Query name: Beta - SQL DB Instance With Exposed Show Privileges
  • Platform: Terraform
  • Severity: Medium
  • Category: Insecure Defaults
  • CWE: 732
  • Risk score: 3.0
  • URL: Github

Description

All MySQL-based 'google_sql_database_instance' resources should set the 'skip_show_database' database flag to "on" to prevent unwanted exposure.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_sql_database_instance" "positive_1" {
  # Flagged: a MySQL instance that declares no 'settings' block at all, so
  # no 'database_flags' entry exists and 'skip_show_database' cannot be "on".
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-without-flag"
}

resource "google_sql_database_instance" "positive_2" {
  # Flagged: 'settings' is declared but carries no 'database_flags' block,
  # so 'skip_show_database' is never set.
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-without-flag"

  settings {
  }
}

resource "google_sql_database_instance" "positive_3" {
  # Flagged: 'database_flags' is present, but none of its entries is the
  # 'skip_show_database' flag.
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-without-flag"

  settings {
    database_flags {
      name  = "sample_flag1"
      value = "off"
    }
  }
}

resource "google_sql_database_instance" "positive_4" {
  # Flagged: 'skip_show_database' is listed among several database flags,
  # but its value is "off" rather than the required "on".
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-with-flag"

  settings {
    database_flags {
      name  = "sample_flag1"
      value = "off"
    }

    database_flags {
      # Present but disabled.
      name  = "skip_show_database"
      value = "off"
    }

    database_flags {
      name  = "sample_flag2"
      value = "off"
    }
  }
}

resource "google_sql_database_instance" "positive_5" {
  # Flagged: exercises the single-'database_flags'-block case (no list of
  # flags); the only flag is 'skip_show_database' with value "off".
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-with-flag"

  settings {
    database_flags {
      name  = "skip_show_database"
      value = "off"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_sql_database_instance" "negative_1" {
  # Not flagged: the check applies to MySQL only; this is a PostgreSQL
  # instance, so the absence of 'skip_show_database' is irrelevant here.
  database_version = "POSTGRES_15"
  region           = "us-central1"
  name             = "main-instance"

  settings {
    tier = "db-f1-micro"
  }
}

resource "google_sql_database_instance" "negative_2" {
  # Not flagged: 'skip_show_database' is set to "on" among a list of
  # database flags; the surrounding flags are unrelated to the check.
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-with-flag"

  settings {
    tier = "db-f1-micro"

    database_flags {
      name  = "sample_flag1"
      value = "off"
    }

    database_flags {
      # Enabled, which satisfies the check.
      name  = "skip_show_database"
      value = "on"
    }

    database_flags {
      name  = "sample_flag2"
      value = "off"
    }
  }
}

resource "google_sql_database_instance" "negative_3" {
  # Not flagged: exercises the single-'database_flags'-block case (no list
  # of flags); the only flag is 'skip_show_database' with value "on".
  database_version = "MYSQL_8_0"
  region           = "us-central1"
  name             = "mysql-instance-with-flag"

  settings {
    tier = "db-f1-micro"

    database_flags {
      name  = "skip_show_database"
      value = "on"
    }
  }
}