* Create rule S7003
* Add first draft
* Apply suggestions from code review
  Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
* Apply suggestions from code review
* Update rules/S7003/secrets/rule.adoc
* Update rules/S7003/secrets/rule.adoc
* Update rules/S7003/secrets/rule.adoc
  Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
---------
Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
71 lines
3.0 KiB
Plaintext
include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

As described in the https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#authorization-keys[Azure Functions documentation], Azure Functions let you use keys to make it harder to access your HTTP function endpoints *during development*.

While keys provide a default security mechanism, distributing them in public apps is a bad practice and can lead to security and maintainability issues.

=== What is the potential impact?

The impact of a leaked key depends on what the Azure Function does and what permissions the key has.

There are three types of keys that can be used to authenticate requests to an Azure Function:

* **Function key**: Provides access to a specific function.
* **Host key**: Provides access to all functions within a function app.
* **System key**: Provides access to all functions within a function app and allows for administrative actions.

Leaking these keys can result in unintended access to the functions and data they control.

Below are some real-world scenarios that illustrate the impact an attacker could have after obtaining the key.

:secret_type: authentication key

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/data_modification.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

== How to fix it

=== Use app-level security

As described in the https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger?tabs=python-v2%2Cisolated-process%2Cnodejs-v4%2Cfunctionsv2&pivots=programming-language-csharp#secure-an-http-endpoint-in-production[Azure Functions documentation], you can secure your HTTP function endpoints by using app-level security and remove the need for hardcoded keys.

The first step is thus to set the HTTP-triggered function authorization level to `anonymous`.

Then, examples of app-level security include:

* authentication/authorization, either from the framework of your choice or https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization#why-use-the-built-in-authentication[Built-in Azure App Service Authentication/Authorization]
* Azure https://learn.microsoft.com/en-us/azure/api-management/api-management-policies#authentication-policies[API Management Authentication Policies]
* request authentication with the https://learn.microsoft.com/en-us/azure/app-service/environment/integrate-with-application-gateway[Azure App Service Environment]

=== Code examples

==== Noncompliant code example

[source,bash]
----
curl -G \
  'https://example.azurewebsites.net/api/example' \
  -d 'code=2PLqsO9INfpK8sgTS2BCsZXS6Dgzgz3bydKcq5TBcY8WAzFuqGlKRw==' # Noncompliant
----
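
Detection logic for keys of the shape shown above, added here as an illustration and not part of this rule or of any SonarSource analyzer: it flags the `code` query parameter and, going one step beyond the rule text, the `x-functions-key` request header that carries the same key. The key shape (54 base64 characters followed by `==`) is an assumption drawn from the sample key, and the scanned text is constructed.

```python
import re

# Assumption (not stated in the rule): an Azure Functions key is 40 random bytes
# in standard base64, which always renders as 54 base64 characters plus "==".
KEY_VALUE = r"[A-Za-z0-9+/]{54}=="

# The key may travel as the `code` query parameter (including a curl `-d code=...`
# argument that `-G` appends to the query string) or in the `x-functions-key`
# request header, a second way of sending the same key that the rule text omits.
PATTERNS = [
    ("query-parameter", re.compile(r"\bcode=(" + KEY_VALUE + r")")),
    ("header", re.compile(r"(?i)x-functions-key:\s*(" + KEY_VALUE + r")")),
]


def find_function_keys(text):
    """Return (line_number, where, redacted_key) for every hard-coded key in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for where, pattern in PATTERNS:
            for match in pattern.finditer(line):
                key = match.group(1)
                # Report only the edges of the key so the finding itself is not a leak.
                findings.append((lineno, where, key[:4] + "..." + key[-4:]))
    return findings


def redact(text):
    """Replace every detected key with a placeholder so the text is safe to share."""
    for _, pattern in PATTERNS:
        text = pattern.sub(lambda m: m.group(0).replace(m.group(1), "<REDACTED>"), text)
    return text


# Constructed sample input: the noncompliant curl call from the rule, a second
# request that sends the key in the header, and a compliant call with no key.
SAMPLE = """\
curl -G 'https://example.azurewebsites.net/api/example' \\
  -d 'code=2PLqsO9INfpK8sgTS2BCsZXS6Dgzgz3bydKcq5TBcY8WAzFuqGlKRw=='
curl -H 'x-functions-key: 2PLqsO9INfpK8sgTS2BCsZXS6Dgzgz3bydKcq5TBcY8WAzFuqGlKRw==' https://example.azurewebsites.net/api/example
curl -H 'Authorization: Bearer <token>' https://example.azurewebsites.net/api/example
"""

if __name__ == "__main__":
    for lineno, where, key in find_function_keys(SAMPLE):
        print(f"line {lineno}: Azure Functions key in {where}: {key}")
    print(redact(SAMPLE))
```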

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks