rspec/rules/S7003/secrets/rule.adoc


include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

As described in the
https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#authorization-keys[Azure Functions documentation],
Azure Functions let you use keys to make it harder to access your HTTP function endpoints *during development*. 

While keys provide a default security mechanism, distributing them in public
apps is a bad practice and can lead to security and maintainability issues.

=== What is the potential impact?

The impact of this access depends on what the Azure Function does and what
permissions the key has.

There are three types of keys that can be used to authenticate requests to an
Azure Function:

* **Function key**: Provides access to a specific function.
* **Host key**: Provides access to all functions within a function app.
* **System key**: Provides access to all functions within a function app and allows for administrative actions.

Leaking these keys can result in unintended access to the functions and data they control.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the key.

:secret_type: authentication key

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/data_modification.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

== How to fix it

=== Use app-level security

As described in the https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#secure-an-http-endpoint-in-production[Azure Functions documentation],
you can secure your HTTP function endpoints by using app-level security, and
remove the need to use hardcoded keys.

The first step is thus to set the HTTP-triggered function authorization level to
`anonymous`.

Then, examples of app-level security include:

* authentication/authorization, either from the framework of your choice or https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#why-use-the-built-in-authentication[Built-in Azure App Service Authentication/Authorization]
* Azure https://learn.microsoft.com/en-us/azure/api-management/api-management-policies#authentication-policies[API Management Authentication Policies]
* request authentication with the https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway[Azure App Service Environment]

=== Code examples

==== Noncompliant code example

[source,bash]
----
curl -G \
  'https://example.azurewebsites.net/api/example'  \
  -d code=2PLqsO9INfpK8sgTS2BCsZXS6Dgzgz3bydKcq5TBcY8WAzFuqGlKRw==' # Noncompliant
----
  
== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks
Create rule S7003: Detect Azure Functions Secrets (APPSEC-1847) (#4040) * Create rule S7003 * Add first draft * Apply suggestions from code review Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Apply suggestions from code review * Update rules/S7003/secrets/rule.adoc * Update rules/S7003/secrets/rule.adoc * Update rules/S7003/secrets/rule.adoc Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> 2024-07-29 14:05:20 +01:00
			`include::../../../shared_content/secrets/description.adoc[]`

			`== Why is this an issue?`

			`As described in the`
			`https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#authorization-keys[Azure Functions documentation],`
			`Azure Functions let you use keys to make it harder to access your HTTP function endpoints during development.`

			`While keys provide a default security mechanism, distributing them in public`
			`apps is a bad practice and can lead to security and maintainability issues.`

			`=== What is the potential impact?`

			`The impact of this access depends on what the Azure Function does and what`
			`permissions the key has.`

			`There are three types of keys that can be used to authenticate requests to an`
			`Azure Function:`

			`* Function key: Provides access to a specific function.`
			`* Host key: Provides access to all functions within a function app.`
			`* System key: Provides access to all functions within a function app and allows for administrative actions.`

			`Leaking these keys can result in unintended access to the functions and data they control.`

			`Below are some real-world scenarios that illustrate some impacts of an attacker`
			`exploiting the key.`

			`:secret_type: authentication key`

			`include::../../../shared_content/secrets/impact/data_compromise.adoc[]`

			`include::../../../shared_content/secrets/impact/data_modification.adoc[]`

			`include::../../../shared_content/secrets/impact/financial_loss.adoc[]`

			`== How to fix it`

			`=== Use app-level security`

			`As described in the https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#secure-an-http-endpoint-in-production[Azure Functions documentation],`
			`you can secure your HTTP function endpoints by using app-level security, and`
			`remove the need to use hardcoded keys.`

			`The first step is thus to set the HTTP-triggered function authorization level to`
			`anonymous`.

			`Then, examples of app-level security include:`

			`* authentication/authorization, either from the framework of your choice or https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#why-use-the-built-in-authentication[Built-in Azure App Service Authentication/Authorization]`
			`* Azure https://learn.microsoft.com/en-us/azure/api-management/api-management-policies#authentication-policies[API Management Authentication Policies]`
			`* request authentication with the https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway[Azure App Service Environment]`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,bash]`
			`----`
			`curl -G \`
			`'https://example.azurewebsites.net/api/example' \`
			`-d code=2PLqsO9INfpK8sgTS2BCsZXS6Dgzgz3bydKcq5TBcY8WAzFuqGlKRw==' # Noncompliant`
			`----`

			`== Resources`

			`include::../../../shared_content/secrets/resources/standards.adoc[]`

			`//=== Benchmarks`