rspec/rules/S6329/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.Instance(this, "example", {
    instanceType: nanoT2,
    machineImage: ec2.MachineImage.latestAmazonLinux(),
    vpc: vpc,
    vpcSubnets: {subnetType: ec2.SubnetType.PUBLIC} // Sensitive
})
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnInstance(this, "example", {
    instanceType: "t2.micro",
    imageId: "ami-0ea0f26a6d50850c5",
    networkInterfaces: [
        {
            deviceIndex: "0",
            associatePublicIpAddress: true, // Sensitive
            deleteOnTermination: true,
            subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PUBLIC}).subnetIds[0]
        }
    ]
})
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new dms.CfnReplicationInstance(
    this, "example", {
    replicationInstanceClass: "dms.t2.micro",
    allocatedStorage: 5,
    publiclyAccessible: true, // Sensitive
    replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,
    vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]
})
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const rdsSubnetGroupPublic = new rds.CfnDBSubnetGroup(this, "publicSubnet", {
    dbSubnetGroupDescription: "Subnets",
    dbSubnetGroupName: "publicSn",
    subnetIds: vpc.selectSubnets({
        subnetType: ec2.SubnetType.PUBLIC
    }).subnetIds
})

new rds.CfnDBInstance(this, "example", {
    engine: "postgres",
    masterUsername: "foobar",
    masterUserPassword: "12345678",
    dbInstanceClass: "db.r5.large",
    allocatedStorage: "200",
    iops: 1000,
    dbSubnetGroupName: rdsSubnetGroupPublic.ref,
    publiclyAccessible: true, // Sensitive
    vpcSecurityGroups: [sg.securityGroupId]
})
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.Instance(
    this,
    "example", {
    instanceType: nanoT2,
    machineImage: ec2.MachineImage.latestAmazonLinux(),
    vpc: vpc,
    vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}
})
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnInstance(this, "example", {
    instanceType: "t2.micro",
    imageId: "ami-0ea0f26a6d50850c5",
    networkInterfaces: [
        {
            deviceIndex: "0",
            associatePublicIpAddress: false,
            deleteOnTermination: true,
            subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}).subnetIds[0]
        }
    ]
})
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new dms.CfnReplicationInstance(
    this, "example", {
    replicationInstanceClass: "dms.t2.micro",
    allocatedStorage: 5,
    publiclyAccessible: false,
    replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,
    vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]
})
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]:
[source,javascript]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const rdsSubnetGroupPrivate = new rds.CfnDBSubnetGroup(this, "example",{
    dbSubnetGroupDescription: "Subnets",
    dbSubnetGroupName: "privateSn",
    subnetIds: vpc.selectSubnets({
        subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
    }).subnetIds
})

new rds.CfnDBInstance(this, "example", {
    engine: "postgres",
    masterUsername: "foobar",
    masterUserPassword: "12345678",
    dbInstanceClass: "db.r5.large",
    allocatedStorage: "200",
    iops: 1000,
    dbSubnetGroupName: rdsSubnetGroupPrivate.ref,
    publiclyAccessible: false,
    vpcSecurityGroups: [sg.securityGroupId]
})
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message
* Make sure allowing public network access is safe here.

=== Highlight

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instances]:

* Highlight the `vpcSubnets` property when set to a selection of public subnets.

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]

* Highlight the `associatePublicIpAddress` property when set to `true`

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]

* Highlight the `publiclyAccessible` property when set to `True`
* Highlight the constructor code when the `publiclyAccessible` property is
    not set

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws-cdk-lib.aws_rds.DatabaseInstance]

* Highlight the `publiclyAccessible` property when it's set
* Highlight the `vpcSubnets` attribute if the `publiclyAccessible` property if not set

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]

* Highlight the `publiclyAccessible` property


endif::env-github,rspecator-view[]
Create rule S6329: Allowing public network access to cloud resources is security-sensitive (APPSEC-169) (#1318) 2022-10-10 11:00:08 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`new ec2.Instance(this, "example", {`
			`instanceType: nanoT2,`
			`machineImage: ec2.MachineImage.latestAmazonLinux(),`
			`vpc: vpc,`
			`vpcSubnets: {subnetType: ec2.SubnetType.PUBLIC} // Sensitive`
			`})`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`new ec2.CfnInstance(this, "example", {`
			`instanceType: "t2.micro",`
			`imageId: "ami-0ea0f26a6d50850c5",`
			`networkInterfaces: [`
			`{`
			`deviceIndex: "0",`
			`associatePublicIpAddress: true, // Sensitive`
			`deleteOnTermination: true,`
			`subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PUBLIC}).subnetIds[0]`
			`}`
			`]`
			`})`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`new dms.CfnReplicationInstance(`
			`this, "example", {`
			`replicationInstanceClass: "dms.t2.micro",`
			`allocatedStorage: 5,`
			`publiclyAccessible: true, // Sensitive`
			`replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,`
			`vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]`
			`})`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`const rdsSubnetGroupPublic = new rds.CfnDBSubnetGroup(this, "publicSubnet", {`
			`dbSubnetGroupDescription: "Subnets",`
			`dbSubnetGroupName: "publicSn",`
			`subnetIds: vpc.selectSubnets({`
			`subnetType: ec2.SubnetType.PUBLIC`
			`}).subnetIds`
			`})`

			`new rds.CfnDBInstance(this, "example", {`
			`engine: "postgres",`
			`masterUsername: "foobar",`
			`masterUserPassword: "12345678",`
			`dbInstanceClass: "db.r5.large",`
			`allocatedStorage: "200",`
			`iops: 1000,`
			`dbSubnetGroupName: rdsSubnetGroupPublic.ref,`
			`publiclyAccessible: true, // Sensitive`
			`vpcSecurityGroups: [sg.securityGroupId]`
			`})`
			`----`

			`== Compliant Solution`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and similar constructs:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`new ec2.Instance(`
			`this,`
			`"example", {`
			`instanceType: nanoT2,`
			`machineImage: ec2.MachineImage.latestAmazonLinux(),`
			`vpc: vpc,`
			`vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}`
			`})`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`new ec2.CfnInstance(this, "example", {`
			`instanceType: "t2.micro",`
			`imageId: "ami-0ea0f26a6d50850c5",`
			`networkInterfaces: [`
			`{`
			`deviceIndex: "0",`
			`associatePublicIpAddress: false,`
			`deleteOnTermination: true,`
			`subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}).subnetIds[0]`
			`}`
			`]`
			`})`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`new dms.CfnReplicationInstance(`
			`this, "example", {`
			`replicationInstanceClass: "dms.t2.micro",`
			`allocatedStorage: 5,`
			`publiclyAccessible: false,`
			`replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,`
			`vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]`
			`})`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]:`
			`[source,javascript]`
			`----`
			`import {aws_ec2 as ec2} from 'aws-cdk-lib'`

			`const rdsSubnetGroupPrivate = new rds.CfnDBSubnetGroup(this, "example",{`
			`dbSubnetGroupDescription: "Subnets",`
			`dbSubnetGroupName: "privateSn",`
			`subnetIds: vpc.selectSubnets({`
			`subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS`
			`}).subnetIds`
			`})`

			`new rds.CfnDBInstance(this, "example", {`
			`engine: "postgres",`
			`masterUsername: "foobar",`
			`masterUserPassword: "12345678",`
			`dbInstanceClass: "db.r5.large",`
			`allocatedStorage: "200",`
			`iops: 1000,`
			`dbSubnetGroupName: rdsSubnetGroupPrivate.ref,`
			`publiclyAccessible: false,`
			`vpcSecurityGroups: [sg.securityGroupId]`
			`})`
			`----`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`
			`* Make sure allowing public network access is safe here.`

			`=== Highlight`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instances]:`

			* Highlight the `vpcSubnets` property when set to a selection of public subnets.

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnInstance.html[aws-cdk-lib.aws_ec2.CfnInstance]`

			* Highlight the `associatePublicIpAddress` property when set to `true`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dms.CfnReplicationInstance.html[aws-cdk-lib.aws_dms.CfnReplicationInstance]`

			* Highlight the `publiclyAccessible` property when set to `True`
			* Highlight the constructor code when the `publiclyAccessible` property is
			`not set`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.DatabaseInstance.html[aws-cdk-lib.aws_rds.DatabaseInstance]`

			* Highlight the `publiclyAccessible` property when it's set
			* Highlight the `vpcSubnets` attribute if the `publiclyAccessible` property if not set

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_rds.CfnDBInstance.html[aws-cdk-lib.aws_rds.CfnDBInstance]`

			* Highlight the `publiclyAccessible` property

Create rule S6329: Allowing public network access to cloud resources is security-sensitive (APPSEC-169) (#1318) 2022-10-10 11:00:08 +02:00
			`endif::env-github,rspecator-view[]`