include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example [source,javascript] ---- url = "http://example.com"; // Sensitive url = "ftp://anonymous@example.com"; // Sensitive url = "telnet://anonymous@example.com"; // Sensitive ---- For https://nodemailer.com[nodemailer]: [source,javascript] ---- const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ secure: false, // Sensitive requireTLS: false // Sensitive }); ---- [source,javascript] ---- const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({}); // Sensitive ---- For https://github.com/mscdex/node-ftp[ftp]: [source,javascript] ---- var Client = require('ftp'); var c = new Client(); c.connect({ 'secure': false // Sensitive }); ---- For https://github.com/mkozjak/node-telnet-client[telnet-client]: [source,javascript] ---- const Telnet = require('telnet-client'); // Sensitive ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer]: [source,javascript] ---- import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; const alb = new ApplicationLoadBalancer(this, 'ALB', { vpc: vpc, internetFacing: true }); alb.addListener('listener-http-default', { port: 8080, open: true }); // Sensitive alb.addListener('listener-http-explicit', { protocol: ApplicationProtocol.HTTP, // Sensitive port: 8080, open: true }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener]: [source,javascript] ---- import { ApplicationListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; new ApplicationListener(this, 'listener-http-explicit-constructor', { loadBalancer: alb, protocol: ApplicationProtocol.HTTP, // Sensitive port: 8080, open: true }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer]: [source,javascript] ---- import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; const nlb = new NetworkLoadBalancer(this, 'nlb', { vpc: vpc, internetFacing: true }); var listenerNLB = nlb.addListener('listener-tcp-default', { port: 1234 }); // Sensitive listenerNLB = nlb.addListener('listener-tcp-explicit', { protocol: Protocol.TCP, // Sensitive port: 1234 }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener]: [source,javascript] ---- import { NetworkListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; new NetworkListener(this, 'listener-tcp-explicit-constructor', { loadBalancer: nlb, protocol: Protocol.TCP, // Sensitive port: 8080 }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener]: [source,javascript] ---- import { CfnListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; new CfnListener(this, 'listener-http', { defaultActions: defaultActions, loadBalancerArn: alb.loadBalancerArn, protocol: "HTTP", // Sensitive port: 80 }); new CfnListener(this, 'listener-tcp', { defaultActions: defaultActions, loadBalancerArn: alb.loadBalancerArn, protocol: "TCP", // Sensitive port: 80 }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.CfnLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer]: [source, javascript] ---- import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing'; new CfnLoadBalancer(this, 'elb-tcp', { listeners: [{ instancePort: '1000', loadBalancerPort: '1000', protocol: 'tcp' // Sensitive }] }); new CfnLoadBalancer(this, 'elb-http', { listeners: [{ instancePort: '1000', loadBalancerPort: '1000', protocol: 'http' // Sensitive }] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.LoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer]: [source,javascript] ---- import { LoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing'; const loadBalancer = new LoadBalancer(this, 'elb-tcp-dict', { vpc, internetFacing: true, healthCheck: { port: 80, }, listeners: [ { externalPort:10000, externalProtocol: LoadBalancingProtocol.TCP, // Sensitive internalPort:10000 }] }); loadBalancer.addListener({ externalPort:10001, externalProtocol:LoadBalancingProtocol.TCP, // Sensitive internalPort:10001 }); loadBalancer.addListener({ externalPort:10002, externalProtocol:LoadBalancingProtocol.HTTP, // Sensitive internalPort:10002 }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnReplicationGroup.html[aws-cdk-lib.aws-elasticache.CfnReplicationGroup]: [source, javascript] ---- import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache'; new CfnReplicationGroup(this, 'unencrypted-implicit', { replicationGroupDescription: 'exampleDescription' }); // Sensitive new CfnReplicationGroup(this, 'unencrypted-explicit', { replicationGroupDescription: 'exampleDescription', transitEncryptionEnabled: false // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.CfnStream.html[aws-cdk-lib.aws-kinesis.CfnStream]: [source, javascript] ---- import { CfnStream } from 'aws-cdk-lib/aws-kinesis'; new CfnStream(this, 'cfnstream-implicit-unencrytped', undefined); // Sensitive new CfnStream(this, 'cfnstream-explicit-unencrytped', { streamEncryption: undefined // Sensitive }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html[aws-cdk-lib.aws-kinesis.Stream]: [source, javascript] ---- import { Stream } from 'aws-cdk-lib/aws-kinesis'; new Stream(this, 'stream-explicit-unencrypted', { encryption: StreamEncryption.UNENCRYPTED // Sensitive }); ---- == Compliant Solution [source,javascript] ---- url = "https://example.com"; url = "sftp://anonymous@example.com"; url = "ssh://anonymous@example.com"; ---- For https://nodemailer.com[nodemailer] one of the following options must be set: [source,javascript] ---- const nodemailer = require("nodemailer"); let transporter = nodemailer.createTransport({ secure: true, requireTLS: true, port: 465, secured: true }); ---- For https://github.com/mscdex/node-ftp[ftp]: [source,javascript] ---- var Client = require('ftp'); var c = new Client(); c.connect({ 'secure': true }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer]: [source,javascript] ---- import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; const alb = new ApplicationLoadBalancer(this, 'ALB', { vpc: vpc, internetFacing: true }); alb.addListener('listener-https-explicit', { protocol: ApplicationProtocol.HTTPS, port: 8080, open: true, certificates: [certificate] }); alb.addListener('listener-https-implicit', { port: 8080, open: true, certificates: [certificate] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener]: [source,javascript] ---- import { ApplicationListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; new ApplicationListener(this, 'listener-https-explicit', { loadBalancer: loadBalancer, protocol: ApplicationProtocol.HTTPS, port: 8080, open: true, certificates: [certificate] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer]: [source,javascript] ---- import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; const nlb = new NetworkLoadBalancer(this, 'nlb', { vpc: vpc, internetFacing: true }); nlb.addListener('listener-tls-explicit', { protocol: Protocol.TLS, port: 1234, certificates: [certificate] }); nlb.addListener('listener-tls-implicit', { port: 1234, certificates: [certificate] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener]: [source,javascript] ---- import { NetworkListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; new NetworkListener(this, 'listener-tls-explicit', { loadBalancer: loadBalancer, protocol: Protocol.TLS, port: 8080, certificates: [certificate] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener]: [source,javascript] ---- import { CfnListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2'; new CfnListener(this, 'listener-https', { defaultActions: defaultActions, loadBalancerArn: loadBalancerArn, protocol: "HTTPS", port: 80 certificates: [certificate] }); new CfnListener(this, 'listener-tls', { defaultActions: defaultActions, loadBalancerArn: loadBalancerArn, protocol: "TLS", port: 80 certificates: [certificate] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.CfnLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer]: [source, javascript] ---- import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing'; new CfnLoadBalancer(this, 'elb-ssl', { listeners: [{ instancePort: '1000', loadBalancerPort: '1000', protocol: 'ssl', sslCertificateId: sslCertificateId }] }); new CfnLoadBalancer(this, 'elb-https', { listeners: [{ instancePort: '1000', loadBalancerPort: '1000', protocol: 'https', sslCertificateId: sslCertificateId }] }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.LoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer]: [source,javascript] ---- import { LoadBalancer, LoadBalancingProtocol } from 'aws-cdk-lib/aws-elasticloadbalancing'; const lb = new LoadBalancer(this, 'elb-ssl', { vpc, internetFacing: true, healthCheck: { port: 80, }, listeners: [ { externalPort:10000, externalProtocol:LoadBalancingProtocol.SSL, internalPort:10000 }] }); lb.addListener({ externalPort:10001, externalProtocol:LoadBalancingProtocol.SSL, internalPort:10001 }); lb.addListener({ externalPort:10002, externalProtocol:LoadBalancingProtocol.HTTPS, internalPort:10002 }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnReplicationGroup.html[aws-cdk-lib.aws-elasticache.CfnReplicationGroup]: [source, javascript] ---- import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache'; new CfnReplicationGroup(this, 'encrypted-explicit', { replicationGroupDescription: 'example', transitEncryptionEnabled: true }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html[aws-cdk-lib.aws-kinesis.Stream]: [source, javascript] ---- import { Stream } from 'aws-cdk-lib/aws-kinesis'; new Stream(this, 'stream-implicit-encrypted'); new Stream(this, 'stream-explicit-encrypted-selfmanaged', { encryption: StreamEncryption.KMS, encryptionKey: encryptionKey, }); new Stream(this, 'stream-explicit-encrypted-managed', { encryption: StreamEncryption.MANAGED }); ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.CfnStream.html[aws-cdk-lib.aws-kinesis.CfnStream]: [source, javascript] ---- import { CfnStream } from 'aws-cdk-lib/aws-kinesis'; new CfnStream(this, 'cfnstream-explicit-encrypted', { streamEncryption: { encryptionType: encryptionType, keyId: encryptionKey.keyId, } }); ---- include::../exceptions.adoc[] include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Using {protocol.insecure} protocol is insecure. Use {protocol.alternatives} instead. * Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS. For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancerListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener` and `aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener`: * Make sure that using network protocols without an SSL/TLS underlay is safe here. For `aws-cdk-lib.aws-elasticache.CfnReplicationGroup`: * Make sure that disabling transit encryption is safe here. For `aws-cdk-lib.aws-kinesis.CfnStream` and `aws-cdk-lib.aws-kinesis.Stream`: * Make sure that disabling stream encryption is safe here. === Highlighting For `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer`: * Highlight the `protocol` parameter of the `addListener` call when it is set to elbv2.ApplicationProtocol.HTTP * Highlight the `addListener` call when the `protocol` parameter is not set and the port parameter is 80, 8000, 8080 or 8008 For `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener` * Highlight the `protocol` property of the object constructor when it is set to elbv2.ApplicationProtocol.HTTP * Highlight the object constructor call when the `protocol` parameter is not set and the port parameter is 80, 8000, 8080 or 8008 For `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer` * Highlight the `protocol` parameter of the `addListener` call when it is set to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or elbv2.Protocol.TCP_UDP * Highlight the `addListener` call when the `protocol` parameter is not set and the `certificates` parameter is not set or is an empty `Sequence`. For `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener` * Highlight the `protocol` property of the object constructor call when it is set to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or elbv2.Protocol.TCP_UDP * Highlight the constructor call when the `protocol` parameter is not set and the `certificates` parameter is not set or is an empty `Sequence`. For `aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener`: * Highlight the `protocol` property of the object constructor when set to HTTP, TCP, UDP, or TCP_UDP. For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer`: * Highlight the `externalProtocol` dict entry in the `listeners` property of the object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`. * Highlight the `externalProtocol` parameter of the call to `add_listener` when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`. For `aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer`: * When the `listeners` property of the object constructor is a `Sequence` that contains a `dict` with a "protocol" entry set to "tcp" or "http", highligth the "protocol" entry. * When the `listeners` property of the object constructor is a `Sequence` that contains an `elb.CfnLoadBalancer.ListenersProperty` with a `protocol` property set to "tcp" or "http", highlight the protocol property. For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancerListener`: * Highlight the `externalProtocol` property of the object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`. For `aws-cdk-lib.aws-elasticache.CfnReplicationGroup`: * Highlight the `transitEncryptionEnabled` property of the object constructor if it is present and set to False. * Highlight the constructor call if the `transitEncryptionEnabled` attribute is not set. For `aws-cdk-lib.aws-kinesis.CfnStream`: * Highlight the object constructor when the `streamEncryption` property is not set. * Highlight the `streamEncryption` property of the object constructor when set to `undefined`. For `aws-cdk-lib.aws-kinesis.Stream`: * Highlight the `encryption` property of the object constructor when it is set to aws-kinesis.StreamEncryption.UNENCRYPTED endif::env-github,rspecator-view[]