rspec/rules/S6333/javascript/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.Resource.html[aws-cdk-lib.aws_apigateway.Resource]:
[source,javascript]
----
import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example")
resource.addMethod(
    "GET",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.NONE // Sensitive
    }
)
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.CfnRoute.html[aws-cdk-lib.aws_apigatewayv2.CfnRoute]:

[source,javascript]
----
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "no-auth", {
    apiId: api.ref,
    routeKey: "GET /no-auth",
    authorizationType: "NONE", // Sensitive
    target: exampleIntegration
})
----

== Compliant Solution
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.Resource.html[aws-cdk-lib.aws_apigateway.Resource]:
[source,javascript]
----
import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example",{
    defaultMethodOptions:{
        authorizationType: apigateway.AuthorizationType.IAM
    }
})
resource.addMethod(
    "POST",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.IAM
    }
)
resource.addMethod(  // authorizationType is inherited from the Resource's configured defaultMethodOptions
    "GET"
)
----

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.CfnRoute.html[aws-cdk-lib.aws_apigatewayv2.CfnRoute]:

[source,javascript]
----
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "auth", {
    apiId: api.ref,
    routeKey: "POST /auth",
    authorizationType: "AWS_IAM",
    target: exampleIntegration
})
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''

== Implementation Specification
(visible only on this page)

=== Message

* Make sure that creating public APIs is safe here.
* Omitting "authorizationType" disables authentication. Make sure it is safe here.


endif::env-github,rspecator-view[]
Create rule S6333: Creating public APIs is security sensitive [APPSEC-170] (#1308) 2022-10-10 15:50:22 +02:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`
			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.Resource.html[aws-cdk-lib.aws_apigateway.Resource]:`
			`[source,javascript]`
			`----`
			`import {aws_apigateway as apigateway} from "aws-cdk-lib"`

			`const resource = api.root.addResource("example")`
			`resource.addMethod(`
			`"GET",`
			`new apigateway.HttpIntegration("https://example.org"),`
			`{`
			`authorizationType: apigateway.AuthorizationType.NONE // Sensitive`
			`}`
			`)`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.CfnRoute.html[aws-cdk-lib.aws_apigatewayv2.CfnRoute]:`

			`[source,javascript]`
			`----`
			`import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"`

			`new apigateway.CfnRoute(this, "no-auth", {`
			`apiId: api.ref,`
			`routeKey: "GET /no-auth",`
			`authorizationType: "NONE", // Sensitive`
			`target: exampleIntegration`
			`})`
			`----`

			`== Compliant Solution`
			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.Resource.html[aws-cdk-lib.aws_apigateway.Resource]:`
			`[source,javascript]`
			`----`
			`import {aws_apigateway as apigateway} from "aws-cdk-lib"`

			`const resource = api.root.addResource("example",{`
			`defaultMethodOptions:{`
			`authorizationType: apigateway.AuthorizationType.IAM`
			`}`
			`})`
			`resource.addMethod(`
			`"POST",`
			`new apigateway.HttpIntegration("https://example.org"),`
			`{`
			`authorizationType: apigateway.AuthorizationType.IAM`
			`}`
			`)`
			`resource.addMethod( // authorizationType is inherited from the Resource's configured defaultMethodOptions`
			`"GET"`
			`)`
			`----`

			`For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigatewayv2.CfnRoute.html[aws-cdk-lib.aws_apigatewayv2.CfnRoute]:`

			`[source,javascript]`
			`----`
			`import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"`

			`new apigateway.CfnRoute(this, "auth", {`
			`apiId: api.ref,`
			`routeKey: "POST /auth",`
			`authorizationType: "AWS_IAM",`
			`target: exampleIntegration`
			`})`
			`----`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`

			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`* Make sure that creating public APIs is safe here.`
			`* Omitting "authorizationType" disables authentication. Make sure it is safe here.`

Create rule S6333: Creating public APIs is security sensitive [APPSEC-170] (#1308) 2022-10-10 15:50:22 +02:00
			`endif::env-github,rspecator-view[]`