Fred Tingaud 51369b610e
Make sure that includes are always surrounded by empty lines (#2270)
When an include is not surrounded by empty lines, its content is inlined
on the same line as the adjacent content. That can lead to broken tags
and other display issues.
This PR fixes all such includes and introduces a validation step that
forbids introducing the same problem again.
2023-06-22 10:38:01 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
[source,javascript]
----
url = "http://example.com"; // Sensitive
url = "ftp://anonymous@example.com"; // Sensitive
url = "telnet://anonymous@example.com"; // Sensitive
----
For https://nodemailer.com[nodemailer]:
[source,javascript]
----
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
secure: false, // Sensitive
requireTLS: false // Sensitive
});
----
[source,javascript]
----
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({}); // Sensitive
----
For https://github.com/mscdex/node-ftp[ftp]:
[source,javascript]
----
var Client = require('ftp');
var c = new Client();
c.connect({
'secure': false // Sensitive
});
----
For https://github.com/mkozjak/node-telnet-client[telnet-client]:
[source,javascript]
----
const Telnet = require('telnet-client'); // Sensitive
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer]:
[source,javascript]
----
import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const alb = new ApplicationLoadBalancer(this, 'ALB', {
vpc: vpc,
internetFacing: true
});
alb.addListener('listener-http-default', {
port: 8080,
open: true
}); // Sensitive
alb.addListener('listener-http-explicit', {
protocol: ApplicationProtocol.HTTP, // Sensitive
port: 8080,
open: true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener]:
[source,javascript]
----
import { ApplicationListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new ApplicationListener(this, 'listener-http-explicit-constructor', {
loadBalancer: alb,
protocol: ApplicationProtocol.HTTP, // Sensitive
port: 8080,
open: true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer]:
[source,javascript]
----
import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const nlb = new NetworkLoadBalancer(this, 'nlb', {
vpc: vpc,
internetFacing: true
});
var listenerNLB = nlb.addListener('listener-tcp-default', {
port: 1234
}); // Sensitive
listenerNLB = nlb.addListener('listener-tcp-explicit', {
protocol: Protocol.TCP, // Sensitive
port: 1234
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener]:
[source,javascript]
----
import { NetworkListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new NetworkListener(this, 'listener-tcp-explicit-constructor', {
loadBalancer: nlb,
protocol: Protocol.TCP, // Sensitive
port: 8080
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener]:
[source,javascript]
----
import { CfnListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new CfnListener(this, 'listener-http', {
defaultActions: defaultActions,
loadBalancerArn: alb.loadBalancerArn,
protocol: "HTTP", // Sensitive
port: 80
});
new CfnListener(this, 'listener-tcp', {
defaultActions: defaultActions,
loadBalancerArn: alb.loadBalancerArn,
protocol: "TCP", // Sensitive
port: 80
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.CfnLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer]:
[source, javascript]
----
import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
new CfnLoadBalancer(this, 'elb-tcp', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'tcp' // Sensitive
}]
});
new CfnLoadBalancer(this, 'elb-http', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'http' // Sensitive
}]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.LoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer]:
[source,javascript]
----
import { LoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
const loadBalancer = new LoadBalancer(this, 'elb-tcp-dict', {
vpc,
internetFacing: true,
healthCheck: {
port: 80,
},
listeners: [
{
externalPort:10000,
externalProtocol: LoadBalancingProtocol.TCP, // Sensitive
internalPort:10000
}]
});
loadBalancer.addListener({
externalPort:10001,
externalProtocol:LoadBalancingProtocol.TCP, // Sensitive
internalPort:10001
});
loadBalancer.addListener({
externalPort:10002,
externalProtocol:LoadBalancingProtocol.HTTP, // Sensitive
internalPort:10002
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnReplicationGroup.html[aws-cdk-lib.aws-elasticache.CfnReplicationGroup]:
[source, javascript]
----
import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';
new CfnReplicationGroup(this, 'unencrypted-implicit', {
replicationGroupDescription: 'exampleDescription'
}); // Sensitive
new CfnReplicationGroup(this, 'unencrypted-explicit', {
replicationGroupDescription: 'exampleDescription',
transitEncryptionEnabled: false // Sensitive
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.CfnStream.html[aws-cdk-lib.aws-kinesis.CfnStream]:
[source, javascript]
----
import { CfnStream } from 'aws-cdk-lib/aws-kinesis';
new CfnStream(this, 'cfnstream-implicit-unencrytped', undefined); // Sensitive
new CfnStream(this, 'cfnstream-explicit-unencrytped', {
streamEncryption: undefined // Sensitive
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html[aws-cdk-lib.aws-kinesis.Stream]:
[source, javascript]
----
import { Stream } from 'aws-cdk-lib/aws-kinesis';
new Stream(this, 'stream-explicit-unencrypted', {
encryption: StreamEncryption.UNENCRYPTED // Sensitive
});
----
== Compliant Solution
[source,javascript]
----
url = "https://example.com";
url = "sftp://anonymous@example.com";
url = "ssh://anonymous@example.com";
----
For https://nodemailer.com[nodemailer] one of the following options must be set (`secure: true` opens the connection over TLS from the start, typically on port 465, while `requireTLS: true` forces a STARTTLS upgrade and refuses to send if the server cannot encrypt the connection):
[source,javascript]
----
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
secure: true,
requireTLS: true,
port: 465,
secured: true
});
----
For https://github.com/mscdex/node-ftp[ftp]:
[source,javascript]
----
var Client = require('ftp');
var c = new Client();
c.connect({
'secure': true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer]:
[source,javascript]
----
import { ApplicationLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const alb = new ApplicationLoadBalancer(this, 'ALB', {
vpc: vpc,
internetFacing: true
});
alb.addListener('listener-https-explicit', {
protocol: ApplicationProtocol.HTTPS,
port: 8080,
open: true,
certificates: [certificate]
});
alb.addListener('listener-https-implicit', {
port: 8080,
open: true,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener]:
[source,javascript]
----
import { ApplicationListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new ApplicationListener(this, 'listener-https-explicit', {
loadBalancer: loadBalancer,
protocol: ApplicationProtocol.HTTPS,
port: 8080,
open: true,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer]:
[source,javascript]
----
import { NetworkLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
const nlb = new NetworkLoadBalancer(this, 'nlb', {
vpc: vpc,
internetFacing: true
});
nlb.addListener('listener-tls-explicit', {
protocol: Protocol.TLS,
port: 1234,
certificates: [certificate]
});
nlb.addListener('listener-tls-implicit', {
port: 1234,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener]:
[source,javascript]
----
import { NetworkListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
new NetworkListener(this, 'listener-tls-explicit', {
loadBalancer: loadBalancer,
protocol: Protocol.TLS,
port: 8080,
certificates: [certificate]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.html[aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener]:
[source,javascript]
----
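import { CfnListener } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
// Both listeners terminate TLS, so each must carry a certificate.
// (The trailing comma after `port` was missing, which made the example invalid JavaScript.)
new CfnListener(this, 'listener-https', {
  defaultActions: defaultActions,
  loadBalancerArn: loadBalancerArn,
  protocol: "HTTPS",
  port: 80,
  certificates: [certificate]
});
new CfnListener(this, 'listener-tls', {
  defaultActions: defaultActions,
  loadBalancerArn: loadBalancerArn,
  protocol: "TLS",
  port: 80,
  certificates: [certificate]
});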
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.CfnLoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer]:
[source, javascript]
----
import { CfnLoadBalancer } from 'aws-cdk-lib/aws-elasticloadbalancing';
new CfnLoadBalancer(this, 'elb-ssl', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'ssl',
sslCertificateId: sslCertificateId
}]
});
new CfnLoadBalancer(this, 'elb-https', {
listeners: [{
instancePort: '1000',
loadBalancerPort: '1000',
protocol: 'https',
sslCertificateId: sslCertificateId
}]
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticloadbalancing.LoadBalancer.html[aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer]:
[source,javascript]
----
import { LoadBalancer, LoadBalancingProtocol } from 'aws-cdk-lib/aws-elasticloadbalancing';
const lb = new LoadBalancer(this, 'elb-ssl', {
vpc,
internetFacing: true,
healthCheck: {
port: 80,
},
listeners: [
{
externalPort:10000,
externalProtocol:LoadBalancingProtocol.SSL,
internalPort:10000
}]
});
lb.addListener({
externalPort:10001,
externalProtocol:LoadBalancingProtocol.SSL,
internalPort:10001
});
lb.addListener({
externalPort:10002,
externalProtocol:LoadBalancingProtocol.HTTPS,
internalPort:10002
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_elasticache.CfnReplicationGroup.html[aws-cdk-lib.aws-elasticache.CfnReplicationGroup]:
[source, javascript]
----
import { CfnReplicationGroup } from 'aws-cdk-lib/aws-elasticache';
new CfnReplicationGroup(this, 'encrypted-explicit', {
replicationGroupDescription: 'example',
transitEncryptionEnabled: true
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.Stream.html[aws-cdk-lib.aws-kinesis.Stream]:
[source, javascript]
----
import { Stream } from 'aws-cdk-lib/aws-kinesis';
new Stream(this, 'stream-implicit-encrypted');
new Stream(this, 'stream-explicit-encrypted-selfmanaged', {
encryption: StreamEncryption.KMS,
encryptionKey: encryptionKey,
});
new Stream(this, 'stream-explicit-encrypted-managed', {
encryption: StreamEncryption.MANAGED
});
----
For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_kinesis.CfnStream.html[aws-cdk-lib.aws-kinesis.CfnStream]:
[source, javascript]
----
import { CfnStream } from 'aws-cdk-lib/aws-kinesis';
new CfnStream(this, 'cfnstream-explicit-encrypted', {
streamEncryption: {
encryptionType: encryptionType,
keyId: encryptionKey.keyId,
}
});
----
include::../exceptions.adoc[]
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Using {protocol.insecure} protocol is insecure. Use {protocol.alternatives} instead.
* Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS.
For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancerListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer`, `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`, `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener` and `aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener`:
* Make sure that using network protocols without an SSL/TLS underlay is safe here.
For `aws-cdk-lib.aws-elasticache.CfnReplicationGroup`:
* Make sure that disabling transit encryption is safe here.
For `aws-cdk-lib.aws-kinesis.CfnStream` and `aws-cdk-lib.aws-kinesis.Stream`:
* Make sure that disabling stream encryption is safe here.
=== Highlighting
For `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationLoadBalancer`:
* Highlight the `protocol` parameter of the `addListener` call when it is set
to elbv2.ApplicationProtocol.HTTP
* Highlight the `addListener` call when the `protocol` parameter is not set
and the port parameter is 80, 8000, 8080 or 8008
For `aws-cdk-lib.aws-elasticloadbalancingv2.ApplicationListener`
* Highlight the `protocol` property of the object constructor when it is set to
elbv2.ApplicationProtocol.HTTP
* Highlight the object constructor call when the `protocol` parameter is not set
and the port parameter is 80, 8000, 8080 or 8008
For `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkLoadBalancer`
* Highlight the `protocol` parameter of the `addListener` call when it is set
to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or
elbv2.Protocol.TCP_UDP
* Highlight the `addListener` call when the `protocol` parameter is not set
and the `certificates` parameter is not set or is an empty `Sequence`.
For `aws-cdk-lib.aws-elasticloadbalancingv2.NetworkListener`
* Highlight the `protocol` property of the object constructor call when it is set
to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or
elbv2.Protocol.TCP_UDP
* Highlight the constructor call when the `protocol` parameter is not set
and the `certificates` parameter is not set or is an empty `Sequence`.
For `aws-cdk-lib.aws-elasticloadbalancingv2.CfnListener`:
* Highlight the `protocol` property of the object constructor when set to
HTTP, TCP, UDP, or TCP_UDP.
For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancer`:
* Highlight the `externalProtocol` dict entry in the `listeners` property of the
object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
* Highlight the `externalProtocol` parameter of the call to `addListener` when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
For `aws-cdk-lib.aws-elasticloadbalancing.CfnLoadBalancer`:
* When the `listeners` property of the object constructor is a `Sequence`
that contains a `dict` with a "protocol" entry set to "tcp" or "http",
highlight the "protocol" entry.
* When the `listeners` property of the object constructor is a `Sequence`
that contains an `elb.CfnLoadBalancer.ListenersProperty` with a `protocol`
property set to "tcp" or "http", highlight the protocol property.
For `aws-cdk-lib.aws-elasticloadbalancing.LoadBalancerListener`:
* Highlight the `externalProtocol` property of the object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
For `aws-cdk-lib.aws-elasticache.CfnReplicationGroup`:
* Highlight the `transitEncryptionEnabled` property of the object constructor if it is
present and set to `false`.
* Highlight the constructor call if the `transitEncryptionEnabled` attribute is not set.
For `aws-cdk-lib.aws-kinesis.CfnStream`:
* Highlight the object constructor when the `streamEncryption` property is not set.
* Highlight the `streamEncryption` property of the object constructor when set to `undefined`.
For `aws-cdk-lib.aws-kinesis.Stream`:
* Highlight the `encryption` property of the object constructor when it is set to aws-kinesis.StreamEncryption.UNENCRYPTED
endif::env-github,rspecator-view[]