Marco Borgeaud cd424756a0
Validate asciidoc ifdef/endif (#3311)
Fix kotlin:S6511
2023-10-18 09:43:40 +00:00


== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
== How to fix it
include::../common/how-to-fix-it/intro.adoc[]
=== Code examples
==== Noncompliant code example
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute:
[source,javascript,diff-id=1,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const instance = new ec2.Instance(this, "default-own-security-group",{
  instanceType: nanoT2,
  machineImage: ec2.MachineImage.latestAmazonLinux(),
  vpc: vpc,
  instanceName: "test-instance"
})

// SSH (TCP 22) is opened to every IPv4 address: the peer is unrestricted,
// which is what the rule reports.
instance.connections.allowFrom(
  ec2.Peer.anyIpv4(), // Noncompliant
  ec2.Port.tcp(22),
  /*description*/ "Allows SSH from all IPv4"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup]:
[source,javascript,diff-id=2,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", {
  vpc: vpc
})

// The port range 1-1024 includes SSH (22) and the peer is any IPv4 address,
// so this ingress rule is reported.
securityGroup.addIngressRule(
  ec2.Peer.anyIpv4(), // Noncompliant
  ec2.Port.tcpRange(1, 1024)
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup]:
[source,javascript,diff-id=3,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnSecurityGroup(
  this,
  "cfn-based-security-group", {
    groupDescription: "cfn based security group",
    groupName: "cfn-based-security-group",
    vpcId: vpc.vpcId,
    securityGroupIngress: [
      // SSH (22) is opened to the whole IPv4 address space (0.0.0.0/0);
      // the offending attribute is the CIDR, not the port.
      {
        ipProtocol: "6", // IANA protocol number for TCP
        cidrIp: "0.0.0.0/0", // Noncompliant
        fromPort: 22,
        toPort: 22
      }
    ]
  }
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress]:
[source,javascript,diff-id=4,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// A standalone ingress resource that opens SSH (22) to every IPv4 address
// (0.0.0.0/0); the whole resource is reported.
new ec2.CfnSecurityGroupIngress( // Noncompliant
  this,
  "ingress-all-ip-tcp-ssh", {
    ipProtocol: "tcp",
    cidrIp: "0.0.0.0/0",
    fromPort: 22,
    toPort: 22,
    groupId: securityGroup.attrGroupId
  })
----
==== Compliant solution
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute:
[source,javascript,diff-id=1,diff-type=compliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const instance = new ec2.Instance(this, "default-own-security-group",{
  instanceType: nanoT2,
  machineImage: ec2.MachineImage.latestAmazonLinux(),
  vpc: vpc,
  instanceName: "test-instance"
})

// SSH is only reachable from an explicit, trusted range. 192.0.2.0/24 is a
// documentation range (RFC 5737) standing in for the real administrator network.
instance.connections.allowFrom(
  ec2.Peer.ipv4("192.0.2.0/24"),
  ec2.Port.tcp(22),
  /*description*/ "Allows SSH from a trusted range"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup]:
[source,javascript,diff-id=2,diff-type=compliant]
----
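import {aws_ec2 as ec2} from 'aws-cdk-lib'

// Same construct as in the noncompliant example (same identifier, so the
// rendered diff only shows the changed ingress rule).
const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", {
  vpc: vpc
})

// Any IPv4 peer is still accepted, but the port range 1024-1048 no longer
// includes SSH (22), so this rule does not report it.
securityGroup.addIngressRule(
  ec2.Peer.anyIpv4(),
  ec2.Port.tcpRange(1024, 1048)
)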
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup]:
[source,javascript,diff-id=3,diff-type=compliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnSecurityGroup(
  this,
  "cfn-based-security-group", {
    groupDescription: "cfn based security group",
    groupName: "cfn-based-security-group",
    vpcId: vpc.vpcId,
    securityGroupIngress: [
      // SSH (22) is only open to the trusted range 192.0.2.0/24
      // (an RFC 5737 documentation range, to be replaced by the real one).
      {
        ipProtocol: "6", // IANA protocol number for TCP
        cidrIp: "192.0.2.0/24",
        fromPort: 22,
        toPort: 22
      }
    ]
  }
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress]:
[source,javascript,diff-id=4,diff-type=compliant]
----
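import {aws_ec2 as ec2} from 'aws-cdk-lib'

// Open to any IPv4 peer, but only on port 80 (HTTP) rather than SSH (22) as
// in the noncompliant example, so this ingress resource is not reported.
new ec2.CfnSecurityGroupIngress(
  this,
  "ingress-all-ipv4-tcp-http", {
    ipProtocol: "6", // IANA protocol number for TCP
    cidrIp: "0.0.0.0/0",
    fromPort: 80,
    toPort: 80,
    groupId: securityGroup.attrGroupId
  }
)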
----
== Resources
include::../common/resources/docs.adoc[]
include::../common/resources/articles.adoc[]
include::../common/resources/presentations.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
== Message
When a call to `allowFromAnyIpv4` or `allowDefaultPortFromAnyIpv4` is identified:
* Change this method for `allowFrom` and set `other` to a subset of trusted IP addresses
In any other case, when a dangerous peer definition is identified:
* Change this IP range to a subset of trusted IP addresses.
== Highlighting
When a call to `allowFromAnyIpv4` or `allowDefaultPortFromAnyIpv4` is identified:
* Highlight the method name
In any other case, when a dangerous peer definition is identified:
* Highlight the peer definition attribute, e.g. `cidrIp` for `IngressProperty`, `peer` parameter for `addIngressRule` calls, `other` for `allowFrom` calls, etc.
'''
endif::env-github,rspecator-view[]