From aee9eba90a6aadc961f4f2783d0f39675b666479 Mon Sep 17 00:00:00 2001 From: pedro-oliveira-sonarsource <104737234+pedro-oliveira-sonarsource@users.noreply.github.com> Date: Fri, 8 Jul 2022 11:17:31 +0200 Subject: [PATCH] Create rule S6252: Add JS as covered language (APPSEC-42) (#1093) --- rules/S6252/javascript/metadata.json | 3 ++ rules/S6252/javascript/rule.adoc | 57 ++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 rules/S6252/javascript/metadata.json create mode 100644 rules/S6252/javascript/rule.adoc diff --git a/rules/S6252/javascript/metadata.json b/rules/S6252/javascript/metadata.json new file mode 100644 index 0000000000..1797133380 --- /dev/null +++ b/rules/S6252/javascript/metadata.json @@ -0,0 +1,3 @@ +{ + +} diff --git a/rules/S6252/javascript/rule.adoc b/rules/S6252/javascript/rule.adoc new file mode 100644 index 0000000000..38f8ce7718 --- /dev/null +++ b/rules/S6252/javascript/rule.adoc 
@@ -0,0 +1,57 @@ +S3 buckets can be versioned. +When the S3 bucket is unversioned it means that a new version of an object overwrites an existing one in the S3 bucket. + +It can lead to unintentional or intentional information loss. + +include::../ask-yourself.adoc[] + +include::../recommended.adoc[] + +== Sensitive Code Example + +[source,javascript] +---- +const s3 = require('aws-cdk-lib/aws-s3'); + +new s3.Bucket(this, 'id', { + bucketName: 'bucket', + versioned: false // Sensitive +}); +---- +The default value of `versioned` is `false` so the absence of this parameter is also sensitive. + +== Compliant Solution + +[source,javascript] +---- +const s3 = require('aws-cdk-lib/aws-s3'); + +new s3.Bucket(this, 'id', { + bucketName: 'bucket', + versioned: true +}); +---- + +include::../see.adoc[] + +* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html#versioned[AWS CDK version 2] - Using versioning in S3 buckets + +ifdef::env-github,rspecator-view[] + +''' +== Implementation Specification +(visible only on this page) + +=== Highlighting + +* If the argument is set to false: the argument assignment +* If the argument is a variable: primary the assignment of the argument, secondary the assignment of the value to the variable +* If the argument is missing: the constructor of the bucket + +=== Message + +* If primary: Make sure an unversioned S3 bucket is safe here. +* If secondary: Propagated setting +* If missing: Omitting the "versioned" argument disables S3 bucket versioning. Make sure it is safe here. + +endif::env-github,rspecator-view[]
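Review bot: In the `rules/S6252/javascript/metadata.json` hunk the new file is an empty object written as `{`, blank line, `}`; an empty object here means the JavaScript variant inherits every field (title, type, tags, default quality profile) from `rules/S6252/metadata.json`, which is fine if nothing language-specific is needed, but write it as a one-line `{}` so the blank line does not look like a field that was forgotten, and double-check the parent metadata already lists the tags this rule should carry.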
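Review bot: The `rules/S6252/javascript/rule.adoc` hunk documents only the `versioned: false` case, but the Implementation Specification below it defines two more reportable shapes, the omitted argument ("If the argument is missing: the constructor of the bucket" with the message "Omitting the \"versioned\" argument disables S3 bucket versioning.") and the propagated variable ("If the argument is a variable: primary the assignment of the argument, secondary the assignment of the value to the variable" with the secondary message "Propagated setting"); neither is shown in the Sensitive Code Example. Since the prose already states that "The default value of `versioned` is `false` so the absence of this parameter is also sensitive", add a second sensitive snippet that omits `versioned` entirely (marking the `new s3.Bucket(...)` call as Sensitive) and a third that passes the flag through a variable, e.g. `const versioned = false; // Secondary` followed by `versioned: versioned // Sensitive`, so the examples match the highlighting and messages the implementation is expected to produce.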