ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5332/javascript/rule.adoc
Jamie Anderson 9ee16daa47
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914) 
* Update JSON schema to include STIG ASD 2023-06-08 mapping

* Update rules to add STIG metadata mappings

---------

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 08:56:31 +02:00

573 lines
16 KiB
Plaintext
Raw Blame History

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
[source,javascript]
----
url = "http://example.com"; // Sensitive
url = "ftp://anonymous@example.com"; // Sensitive
url = "telnet://anonymous@example.com"; // Sensitive
----
For https://nodemailer.com[nodemailer]:
[source,javascript]
----
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
secure: false, // Sensitive
requireTLS: false // Sensitive
});
----
[source,javascript]
----
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({}); // Sensitive
----
For https://github.com/mscdex/node-ftp[ftp]:
[source,javascript]
----
var Client = require('ftp');
var c = new Client();
c.connect({
'secure': false // Sensitive
});
----
For https://github.com/mkozjak/node-telnet-client[telnet-client]:
[source,javascript]
----
const Telnet = require('telnet-client'); // Sensitive
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer]:
[source,javascript]
----
import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const alb = new ApplicationLoadBalancer(this, 'ALB', {
vpc: vpc,
internetFacing: true
});
alb.addListener('listener-http-default', {
port: 8080,
open: true
}); // Sensitive
alb.addListener('listener-http-explicit', {
protocol: ApplicationProtocol.HTTP, // Sensitive
port: 8080,
open: true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener]:
[source,javascript]
----
import { ApplicationListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new ApplicationListener(this, 'listener-http-explicit-constructor', {
loadBalancer: alb,
protocol: ApplicationProtocol.HTTP, // Sensitive
port: 8080,
open: true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer]:
[source,javascript]
----
import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const nlb = new NetworkLoadBalancer(this, 'nlb', {
vpc: vpc,
internetFacing: true
});
var listenerNLB = nlb.addListener('listener-tcp-default', {
port: 1234
}); // Sensitive
listenerNLB = nlb.addListener('listener-tcp-explicit', {
protocol: Protocol.TCP, // Sensitive
port: 1234
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener]:
[source,javascript]
----
import { NetworkListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new NetworkListener(this, 'listener-tcp-explicit-constructor', {
loadBalancer: nlb,
protocol: Protocol.TCP, // Sensitive
port: 8080
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener]:
[source,javascript]
----
import { CfnListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new CfnListener(this, 'listener-http', {
defaultActions: defaultActions,
loadBalancerArn: alb.loadBalancerArn,
protocol: "HTTP", // Sensitive
port: 80
});
new CfnListener(this, 'listener-tcp', {
defaultActions: defaultActions,
loadBalancerArn: alb.loadBalancerArn,
protocol: "TCP", // Sensitive
port: 80
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.CfnLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer]:
[source, javascript]
----
import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
new CfnLoadBalancer(this, 'elb-tcp', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'tcp' // Sensitive
}]
});
new CfnLoadBalancer(this, 'elb-http', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'http' // Sensitive
}]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.LoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer]:
[source,javascript]
----
import { LoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
const loadBalancer = new LoadBalancer(this, 'elb-tcp-dict', {
vpc,
internetFacing: true,
healthCheck: {
port: 80,
},
listeners: [
{
externalPort:10000,
externalProtocol: LoadBalancingProtocol.TCP, // Sensitive
internalPort:10000
}]
});
loadBalancer.addListener({
externalPort:10001,
externalProtocol:LoadBalancingProtocol.TCP, // Sensitive
internalPort:10001
});
loadBalancer.addListener({
externalPort:10002,
externalProtocol:LoadBalancingProtocol.HTTP, // Sensitive
internalPort:10002
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnReplicationGroup.html[aws-cdk-lib.aws-elasticache.CfnReplicationGroup]:
[source, javascript]
----
import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';
new CfnReplicationGroup(this, 'unencrypted-implicit', {
replicationGroupDescription: 'exampleDescription'
}); // Sensitive
new CfnReplicationGroup(this, 'unencrypted-explicit', {
replicationGroupDescription: 'exampleDescription',
transitEncryptionEnabled: false // Sensitive
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.CfnStream.html[aws-cdk-lib.aws-kinesis.CfnStream]:
[source, javascript]
----
import { CfnStream } from 'aws-cdk-lib/aws-kinesis';
new CfnStream(this, 'cfnstream-implicit-unencrytped', undefined); // Sensitive
new CfnStream(this, 'cfnstream-explicit-unencrytped', {
streamEncryption: undefined // Sensitive
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html[aws-cdk-lib.aws-kinesis.Stream]:
[source, javascript]
----
import { Stream } from 'aws-cdk-lib/aws-kinesis';
new Stream(this, 'stream-explicit-unencrypted', {
encryption: StreamEncryption.UNENCRYPTED // Sensitive
});
----
== Compliant Solution
[source,javascript]
----
url = "https://example.com";
url = "sftp://anonymous@example.com";
url = "ssh://anonymous@example.com";
----
For https://nodemailer.com[nodemailer] one of the following options must be set:
[source,javascript]
----
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
secure: true,
requireTLS: true,
port: 465,
secured: true
});
----
For https://github.com/mscdex/node-ftp[ftp]:
[source,javascript]
----
var Client = require('ftp');
var c = new Client();
c.connect({
'secure': true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer]:
[source,javascript]
----
import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const alb = new ApplicationLoadBalancer(this, 'ALB', {
vpc: vpc,
internetFacing: true
});
alb.addListener('listener-https-explicit', {
protocol: ApplicationProtocol.HTTPS,
port: 8080,
open: true,
certificates: [certificate]
});
alb.addListener('listener-https-implicit', {
port: 8080,
open: true,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener]:
[source,javascript]
----
import { ApplicationListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new ApplicationListener(this, 'listener-https-explicit', {
loadBalancer: loadBalancer,
protocol: ApplicationProtocol.HTTPS,
port: 8080,
open: true,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer]:
[source,javascript]
----
import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const nlb = new NetworkLoadBalancer(this, 'nlb', {
vpc: vpc,
internetFacing: true
});
nlb.addListener('listener-tls-explicit', {
protocol: Protocol.TLS,
port: 1234,
certificates: [certificate]
});
nlb.addListener('listener-tls-implicit', {
port: 1234,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener]:
[source,javascript]
----
import { NetworkListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new NetworkListener(this, 'listener-tls-explicit', {
loadBalancer: loadBalancer,
protocol: Protocol.TLS,
port: 8080,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener]:
[source,javascript]
----
import { CfnListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new CfnListener(this, 'listener-https', {
defaultActions: defaultActions,
loadBalancerArn: loadBalancerArn,
protocol: "HTTPS",
port: 80
certificates: [certificate]
});
new CfnListener(this, 'listener-tls', {
defaultActions: defaultActions,
loadBalancerArn: loadBalancerArn,
protocol: "TLS",
port: 80
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.CfnLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer]:
[source, javascript]
----
import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
new CfnLoadBalancer(this, 'elb-ssl', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'ssl',
sslCertificateId: sslCertificateId
}]
});
new CfnLoadBalancer(this, 'elb-https', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'https',
sslCertificateId: sslCertificateId
}]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.LoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer]:
[source,javascript]
----
import { LoadBalancer, LoadBalancingProtocol } from 'aws-cdk-lib/aws-elasticloadbalancing';
const lb = new LoadBalancer(this, 'elb-ssl', {
vpc,
internetFacing: true,
healthCheck: {
port: 80,
},
listeners: [
{
externalPort:10000,
externalProtocol:LoadBalancingProtocol.SSL,
internalPort:10000
}]
});
lb.addListener({
externalPort:10001,
externalProtocol:LoadBalancingProtocol.SSL,
internalPort:10001
});
lb.addListener({
externalPort:10002,
externalProtocol:LoadBalancingProtocol.HTTPS,
internalPort:10002
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnReplicationGroup.html[aws-cdk-lib.aws-elasticache.CfnReplicationGroup]:
[source, javascript]
----
import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';
new CfnReplicationGroup(this, 'encrypted-explicit', {
replicationGroupDescription: 'example',
transitEncryptionEnabled: true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html[aws-cdk-lib.aws-kinesis.Stream]:
[source, javascript]
----
import { Stream } from 'aws-cdk-lib/aws-kinesis';
new Stream(this, 'stream-implicit-encrypted');
new Stream(this, 'stream-explicit-encrypted-selfmanaged', {
encryption: StreamEncryption.KMS,
encryptionKey: encryptionKey,
});
new Stream(this, 'stream-explicit-encrypted-managed', {
encryption: StreamEncryption.MANAGED
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.CfnStream.html[aws-cdk-lib.aws-kinesis.CfnStream]:
[source, javascript]
----
import { CfnStream } from 'aws-cdk-lib/aws-kinesis';
new CfnStream(this, 'cfnstream-explicit-encrypted', {
streamEncryption: {
encryptionType: encryptionType,
keyId: encryptionKey.keyId,
}
});
----
include::../exceptions.adoc[]
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Using {protocol.insecure} protocol is insecure. Use {protocol.alternatives} instead.
* Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS.
For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancerListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener` and `aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener`:
* Make sure that using network protocols without an SSL/TLS underlay is safe here.
For `aws-cdk-lib.aws-elasticache.CfnReplicationGroup`:
* Make sure that disabling transit encryption is safe here.
For `aws-cdk-lib.aws-kinesis.CfnStream` and `aws-cdk-lib.aws-kinesis.Stream`:
* Make sure that disabling stream encryption is safe here.
=== Highlighting
For `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer`:
* Highlight the `protocol` parameter of the `addListener` call when it is set
to elbv2.ApplicationProtocol.HTTP
* Highlight the `addListener` call when the `protocol` parameter is not set
and the port parameter is 80, 8000, 8080 or 8008
For `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`
* Highlight the `protocol` property of the object constructor when it is set to
elbv2.ApplicationProtocol.HTTP
* Highlight the object constructor call when the `protocol` parameter is not set
and the port parameter is 80, 8000, 8080 or 8008
For `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer`
* Highlight the `protocol` parameter of the `addListener` call when it is set
to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or
elbv2.Protocol.TCP_UDP
* Highlight the `addListener` call when the `protocol` parameter is not set
and the `certificates` parameter is not set or is an empty `Sequence`.
For `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener`
* Highlight the `protocol` property of the object constructor call when it is set
to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or
elbv2.Protocol.TCP_UDP
* Highlight the constructor call when the `protocol` parameter is not set
and the `certificates` parameter is not set or is an empty `Sequence`.
For `aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener`:
* Highlight the `protocol` property of the object constructor when set to
HTTP, TCP, UDP, or TCP_UDP.
For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer`:
* Highlight the `externalProtocol` dict entry in the `listeners` property of the
object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
* Highlight the `externalProtocol` parameter of the call to `add_listener` when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
For `aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer`:
* When the `listeners` property of the object constructor is a `Sequence`
that contains a `dict` with a "protocol" entry set to "tcp" or "http",
highligth the "protocol" entry.
* When the `listeners` property of the object constructor is a `Sequence`
that contains an `elb.CfnLoadBalancer.ListenersProperty` with a `protocol`
property set to "tcp" or "http", highlight the protocol property.
For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancerListener`:
* Highlight the `externalProtocol` property of the object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
For `aws-cdk-lib.aws-elasticache.CfnReplicationGroup`:
* Highlight the `transitEncryptionEnabled` property of the object constructor if it is
present and set to False.
* Highlight the constructor call if the `transitEncryptionEnabled` attribute is not set.
For `aws-cdk-lib.aws-kinesis.CfnStream`:
* Highlight the object constructor when the `streamEncryption` property is not set.
* Highlight the `streamEncryption` property of the object constructor when set to `undefined`.
For `aws-cdk-lib.aws-kinesis.Stream`:
* Highlight the `encryption` property of the object constructor when it is set to aws-kinesis.StreamEncryption.UNENCRYPTED
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink