ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6321/javascript/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

207 lines
5.4 KiB
Plaintext
Raw Blame History

== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
== How to fix it
include::../common/how-to-fix-it/intro.adoc[]
=== Code examples
==== Noncompliant code example
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute:
[source,javascript,diff-id=1,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const instance = new ec2.Instance(this, "default-own-security-group",{
instanceType: nanoT2,
machineImage: ec2.MachineImage.latestAmazonLinux(),
vpc: vpc,
instanceName: "test-instance"
})
instance.connections.allowFrom(
ec2.Peer.anyIpv4(), // Noncompliant
ec2.Port.tcp(22),
/*description*/ "Allows SSH from all IPv4"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup]
[source,javascript,diff-id=2,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", {
vpc: vpc
})
securityGroup.addIngressRule(
ec2.Peer.anyIpv4(), // Noncompliant
ec2.Port.tcpRange(1, 1024)
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup]
[source,javascript,diff-id=3,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnSecurityGroup(
this,
"cfn-based-security-group", {
groupDescription: "cfn based security group",
groupName: "cfn-based-security-group",
vpcId: vpc.vpcId,
securityGroupIngress: [
{
ipProtocol: "6",
cidrIp: "0.0.0.0/0", // Noncompliant
fromPort: 22,
toPort: 22
}
]
}
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress]
[source,javascript,diff-id=4,diff-type=noncompliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnSecurityGroupIngress( // Noncompliant
this,
"ingress-all-ip-tcp-ssh", {
ipProtocol: "tcp",
cidrIp: "0.0.0.0/0",
fromPort: 22,
toPort: 22,
groupId: securityGroup.attrGroupId
})
----
==== Compliant solution
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute:
[source,javascript,diff-id=1,diff-type=compliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const instance = new ec2.Instance(this, "default-own-security-group",{
instanceType: nanoT2,
machineImage: ec2.MachineImage.latestAmazonLinux(),
vpc: vpc,
instanceName: "test-instance"
})
instance.connections.allowFrom(
ec2.Peer.ipv4("192.0.2.0/24"),
ec2.Port.tcp(22),
/*description*/ "Allows SSH from a trusted range"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup]
[source,javascript,diff-id=2,diff-type=compliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const securityGroup3 = new ec2.SecurityGroup(this, "custom-security-group", {
vpc: vpc
})
securityGroup3.addIngressRule(
ec2.Peer.anyIpv4(),
ec2.Port.tcpRange(1024, 1048)
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup]
[source,javascript,diff-id=3,diff-type=compliant]
----
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnSecurityGroup(
this,
"cfn-based-security-group", {
groupDescription: "cfn based security group",
groupName: "cfn-based-security-group",
vpcId: vpc.vpcId,
securityGroupIngress: [
{
ipProtocol: "6",
cidrIp: "192.0.2.0/24",
fromPort: 22,
toPort: 22
}
]
}
)
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress]
[source,javascript,diff-id=4,diff-type=compliant]
----
new ec2.CfnSecurityGroupIngress(
this,
"ingress-all-ipv4-tcp-http", {
ipProtocol: "6",
cidrIp: "0.0.0.0/0",
fromPort: 80,
toPort: 80,
groupId: securityGroup.attrGroupId
}
)
----
== Resources
include::../common/resources/docs.adoc[]
include::../common/resources/articles.adoc[]
include::../common/resources/presentations.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
== Message
When a call to `allowFromAnyIpv4` or `allowDefaultPortFromAnyIpv4` is identified:
* Change this method for `allowFrom` and set `other` to a subset of trusted IP addresses
In any other case, when a dangerous peer definition is identified:
* Change this IP range to a subset of trusted IP addresses.
== Highlighting
When a call to `allowFromAnyIpv4` or `allowDefaultPortFromAnyIpv4` is identified:
* Highlight the method name
In any other case, when a dangerous peer definition is identified:
* Highlight the peer definition attribute, e.g. `cidrIp` for `IngressProperty`, `peer` parameter for `addIngressRule` calls, `other` for `allowFrom` calls, etc.
'''
Reference in New Issue View Git Blame Copy Permalink