ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Modify S4423[Python]: Support of AWS CDK code (APPSEC-103) (#1273)

Browse Source
This commit is contained in:
Pierre-Loup 2022-09-20 15:44:27 +02:00 committed by GitHub
parent 4227feabb1
commit 7aa3adc6bf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 74 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
rules/S4423/python/message.adoc Normal file
View File

@ -0,0 +1,14 @@
=== Message
==== OpenSSL and ssl modules
Change this code to use a stronger protocol.
==== AWS APIGateway
Change this code to enforce TLS 1.2 or above.
==== AWS OpenSearch / Elasticsearch
Omitting "tls_security_policy" enables a deprecated version of TLS. Set it to enforce TLS 1.2 or above.
Change this code to enforce TLS 1.2 or above.

71
rules/S4423/python/rule.adoc
View File

@ -1,11 +1,4 @@
Older versions of SSL/TLS protocol like "SSLv3" have been proven to be insecure.
This rule raises an issue when an SSL/TLS context is created with an insecure protocol version, i.e. when one of the following constants is detected in the code:
* ``++OpenSSL.SSL.SSLv3_METHOD++`` (Use instead ``++OpenSSL.SSL.TLSv1_2_METHOD++``)
* ``++ssl.PROTOCOL_SSLv3++`` (Use instead ``++ssl.PROTOCOL_TLSv1_2++``)
Protocol versions different from TLSv1.2 and TLSv1.3 are considered insecure.
include::../description.adoc[]
== Noncompliant Code Example
@ -23,23 +16,79 @@ import ssl
ssl.SSLContext(ssl.PROTOCOL_SSLv3) # Noncompliant
----
For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
[source,python]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
class ExampleStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
DomainName(self, "example",
domain_name="example.com",
certificate=certificate,
security_policy=SecurityPolicy.TLS_1_0 # Noncompliant
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
class ExampleStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
CfnDomain(self, "example",
version=EngineVersion.OPENSEARCH_1_3
) # Noncompliant: enables TLS 1.0 which is a deprecated version of the protocol
----
== Compliant Solution
[source,python]
----
from OpenSSL import SSL
SSL.Context(SSL.TLSv1_2_METHOD) # Compliant
SSL.Context(SSL.TLSv1_2_METHOD)
----
[source,python]
----
import ssl
ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) # Compliant
ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
----
For https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_apigateway/DomainName.html[aws_cdk.aws_apigateway.DomainName]:
[source,python]
----
from aws_cdk.aws_apigateway import DomainName, SecurityPolicy
class ExampleStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
DomainName(self, "example",
domain_name="example.com",
certificate=certificate,
security_policy=SecurityPolicy.TLS_1_2
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_opensearchservice/CfnDomain.html[aws_cdk.aws_opensearchservice.CfnDomain]:
[source,python]
----
from aws_cdk.aws_opensearchservice import CfnDomain, EngineVersion
class ExampleStack(Stack):
def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
super().__init__(scope, construct_id, **kwargs)
CfnDomain(self, "example",
version=EngineVersion.OPENSEARCH_1_3
domain_endpoint_options=CfnDomain.DomainEndpointOptionsProperty(
tls_security_policy="Policy-Min-TLS-1-2-2019-07" # Compliant
)
)
----
include::../see.adoc[]
* https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html[Amazon API Gateway] - Choosing a minimum TLS version
ifdef::env-github,rspecator-view[]
@ -47,7 +96,7 @@ ifdef::env-github,rspecator-view[]
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::message.adoc[]
include::../highlighting.adoc[]