ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6281/javascript/rule.adoc
pedro-oliveira-sonarsource 917f68ce82
Create rule S6281: Add JS as covered language (APPSEC-43) (#1089)
2022-07-08 11:17:51 +02:00

93 lines
2.1 KiB
Plaintext
Raw Blame History

include::description.adoc[]
include::../ask-yourself.adoc[]
include::recommended.adoc[]
== Sensitive Code Example
By default, when not set, the `blockPublicAccess` is fully deactivated (nothing is blocked):
[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');
new s3.Bucket(this, 'id', {
bucketName: 'bucket'
}); // Sensitive
----
This `block_public_access` allows public ACL to be set:
[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');
new s3.Bucket(this, 'id', {
bucketName: 'bucket',
blockPublicAccess: new s3.BlockPublicAccess({
blockPublicAcls : false, // Sensitive
blockPublicPolicy : true,
ignorePublicAcls : true,
restrictPublicBuckets : true
})
});
----
The attribute `BLOCK_ACLS` only blocks and ignores public ACLs:
[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');
new s3.Bucket(this, 'id', {
bucketName: 'bucket',
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ACLS // Sensitive
});
----
== Compliant Solution
This `blockPublicAccess` blocks public ACLs and policies, ignores existing public ACLs and restricts existing public policies:
[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');
new s3.Bucket(this, 'id', {
bucketName: 'bucket',
blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL
});
----
A similar configuration to the one above can be obtained by setting all parameters of the `blockPublicAccess`
[source,javascript]
----
const s3 = require('aws-cdk-lib/aws-s3');
new s3.Bucket(this, 'id', {
bucketName: 'bucket',
blockPublicAccess: new s3.BlockPublicAccess({
blockPublicAcls : true,
blockPublicPolicy : true,
ignorePublicAcls : true,
restrictPublicBuckets : true
})
});
----
include::../see.adoc[]
* https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BlockPublicAccess.html[AWS CDK version 2] - BlockPublicAccess
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::highlighting.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink