fix(terraform): Fix keeping range a range (#7073)

tsmithv11 · OfekShimko · web-flow · commit 2c28c230a643 · 2025-04-01T00:24:55.000-07:00
* Test quick fix

* Add range exception

* Negative only

* Update checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py

Co-authored-by: Ofek Shimko &lt;70918223+OfekShimko@users.noreply.github.com&gt;

* fix indent

---------

Co-authored-by: Ofek Shimko &lt;70918223+OfekShimko@users.noreply.github.com&gt;
diff --git a/checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py b/checkov/terraform/graph_builder/variable_rendering/safe_eval_functions.py
@@ -11,6 +11,7 @@
 from checkov.terraform.parser_functions import tonumber, FUNCTION_FAILED, create_map, tobool, tostring
 
 TIME_DELTA_PATTERN = re.compile(r"(\d*\.*\d+)")
+RANGE_PATTERN = re.compile(r'^\d+-\d+$')
 
 """
 This file contains a custom implementation of the builtin `eval` function.
@@ -369,7 +370,11 @@ def evaluate(input_str: str) -> Any:
 
         # Don't use str.replace to make sure we replace just the first occurrence
         input_str = f"{TRY_STR_REPLACEMENT}{input_str[3:]}"
-    evaluated = eval(input_str, {"__builtins__": None}, SAFE_EVAL_DICT)  # nosec
+    if RANGE_PATTERN.match(input_str):
+        temp_eval = eval(input_str, {"__builtins__": None}, SAFE_EVAL_DICT)  # nosec
+        evaluated = input_str if temp_eval < 0 else temp_eval
+    else:
+        evaluated = eval(input_str, {"__builtins__": None}, SAFE_EVAL_DICT)  # nosec
     return evaluated if not isinstance(evaluated, str) else remove_unicode_null(evaluated)
 
 
diff --git a/tests/terraform/graph/variable_rendering/test_string_evaluation.py b/tests/terraform/graph/variable_rendering/test_string_evaluation.py
@@ -7,6 +7,7 @@
 from checkov.terraform.graph_builder.variable_rendering.evaluate_terraform import evaluate_terraform, \
     replace_string_value, \
     remove_interpolation, _find_new_value_for_interpolation
+from checkov.terraform.graph_builder.variable_rendering.safe_eval_functions import evaluate
 
 
 class TestTerraformEvaluation(TestCase):
@@ -530,3 +531,14 @@ def test_try_then_merge_block(self):
 def test_find_new_value_for_interpolation(origin_str: str, str_to_replace: str, new_value: str, expected: str):
     actual = _find_new_value_for_interpolation(origin_str, str_to_replace, new_value)
     assert actual == expected
+
+
+def test_evaluate_range_pattern() -> None:
+
+    # Test range pattern
+    assert evaluate("1-10") == "1-10"
+    assert evaluate("5-25") == "5-25"
+    assert evaluate("10-5") == 5
+
+    # Test non-range pattern for comparison
+    assert evaluate("1+1") == 2
