rspec/rules/S5332/python/rule.adoc
Jamie Anderson 9ee16daa47
Modify rules: Add STIG AS&D 2023-06-08 mappings (#3914)
* Update JSON schema to include STIG ASD 2023-06-08 mapping

* Update rules to add STIG metadata mappings

---------

Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
2024-05-06 08:56:31 +02:00


include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
[source,python]
----
url = "http://example.com" # Sensitive
url = "ftp://anonymous@example.com" # Sensitive
url = "telnet://anonymous@example.com" # Sensitive
import telnetlib
cnx = telnetlib.Telnet("towel.blinkenlights.nl") # Sensitive
import ftplib
cnx = ftplib.FTP("ftp.example.com") # Sensitive
import smtplib
smtp = smtplib.SMTP("smtp.example.com", port=587) # Sensitive
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/ApplicationLoadBalancer.html[aws_cdk.aws_elasticloadbalancingv2.ApplicationLoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

lb = elbv2.ApplicationLoadBalancer(
    self,
    "LB",
    vpc=vpc,
    internet_facing=True
)

lb.add_listener(
    "Listener-default",
    port=80, # Sensitive
    open=True
)

lb.add_listener(
    "Listener-http-explicit",
    protocol=elbv2.ApplicationProtocol.HTTP, # Sensitive
    port=8080,
    open=True
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/ApplicationListener.html[aws_cdk.aws_elasticloadbalancingv2.ApplicationListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

elbv2.ApplicationListener(
    self,
    "listener-http-explicit-const",
    load_balancer=lb,
    protocol=elbv2.ApplicationProtocol.HTTP, # Sensitive
    port=8081,
    open=True
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/NetworkLoadBalancer.html[aws_cdk.aws_elasticloadbalancingv2.NetworkLoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

lb = elbv2.NetworkLoadBalancer(
    self,
    "LB",
    vpc=vpc,
    internet_facing=True
)

lb.add_listener( # Sensitive
    "Listener-default",
    port=1234
)

lb.add_listener(
    "Listener-TCP-explicit",
    protocol=elbv2.Protocol.TCP, # Sensitive
    port=1337
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/NetworkListener.html[aws_cdk.aws_elasticloadbalancingv2.NetworkListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

elbv2.NetworkListener(
    self,
    "Listener-TCP-explicit",
    protocol=elbv2.Protocol.TCP, # Sensitive
    port=1338,
    load_balancer=lb
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/CfnListener.html[aws_cdk.aws_elasticloadbalancingv2.CfnListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

elbv2.CfnListener(
    self,
    "listener-http",
    default_actions=[application_default_action],
    load_balancer_arn=lb.load_balancer_arn,
    protocol="HTTP", # Sensitive
    port=80
)

elbv2.CfnListener(
    self,
    "listener-tcp",
    default_actions=[network_default_action],
    load_balancer_arn=lb.load_balancer_arn,
    protocol="TCP", # Sensitive
    port=1000
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancing/LoadBalancerListener.html[aws_cdk.aws_elasticloadbalancing.LoadBalancerListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancing as elb,
)

elb.LoadBalancerListener(
    external_port=10000,
    external_protocol=elb.LoadBalancingProtocol.TCP, # Sensitive
    internal_port=10000
)

elb.LoadBalancerListener(
    external_port=10080,
    external_protocol=elb.LoadBalancingProtocol.HTTP, # Sensitive
    internal_port=10080
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancing/CfnLoadBalancer.html[aws_cdk.aws_elasticloadbalancing.CfnLoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancing as elb
)

elb.CfnLoadBalancer(
    self,
    "elb-tcp",
    listeners=[
        elb.CfnLoadBalancer.ListenersProperty(
            instance_port="10000",
            load_balancer_port="10000",
            protocol="tcp" # Sensitive
        )
    ],
    subnets=vpc.select_subnets().subnet_ids
)

elb.CfnLoadBalancer(
    self,
    "elb-http-dict",
    listeners=[
        {
            "instancePort":"10000",
            "loadBalancerPort":"10000",
            "protocol":"http" # Sensitive
        }
    ],
    subnets=vpc.select_subnets().subnet_ids
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancing/LoadBalancer.html[aws_cdk.aws_elasticloadbalancing.LoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancing as elb,
)

loadBalancer = elb.LoadBalancer(
    self,
    "elb-tcp-dict",
    vpc=vpc,
    listeners=[
        {
            "externalPort":10000,
            "externalProtocol":elb.LoadBalancingProtocol.TCP, # Sensitive
            "internalPort":10000
        }
    ]
)

loadBalancer.add_listener(
    external_port=10081,
    external_protocol=elb.LoadBalancingProtocol.HTTP, # Sensitive
    internal_port=10081
)

loadBalancer.add_listener(
    external_port=10001,
    external_protocol=elb.LoadBalancingProtocol.TCP, # Sensitive
    internal_port=10001
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticache/CfnReplicationGroup.html[aws_cdk.aws_elasticache.CfnReplicationGroup]:
[source,python]
----
from aws_cdk import (
    aws_elasticache as elasticache
)

elasticache.CfnReplicationGroup(
    self,
    "unencrypted-explicit",
    replication_group_description="a replication group",
    automatic_failover_enabled=False,
    transit_encryption_enabled=False, # Sensitive
    cache_subnet_group_name="test",
    engine="redis",
    engine_version="3.2.6",
    num_cache_clusters=1,
    cache_node_type="cache.t2.micro"
)

elasticache.CfnReplicationGroup( # Sensitive, encryption is disabled by default
    self,
    "unencrypted-implicit",
    replication_group_description="a test replication group",
    automatic_failover_enabled=False,
    cache_subnet_group_name="test",
    engine="redis",
    engine_version="3.2.6",
    num_cache_clusters=1,
    cache_node_type="cache.t2.micro"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kinesis/CfnStream.html[aws_cdk.aws_kinesis.CfnStream]:
[source,python]
----
from aws_cdk import (
    aws_kinesis as kinesis,
)

kinesis.CfnStream( # Sensitive, encryption is disabled by default for CfnStreams
    self,
    "cfnstream-implicit-unencrypted",
    shard_count=1
)

kinesis.CfnStream(
    self,
    "cfnstream-explicit-unencrypted",
    shard_count=1,
    stream_encryption=None # Sensitive
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kinesis/Stream.html[aws_cdk.aws_kinesis.Stream]:
[source,python]
----
from aws_cdk import (
    aws_kinesis as kinesis,
)

stream = kinesis.Stream(
    self,
    "stream-explicit-unencrypted",
    shard_count=1,
    encryption=kinesis.StreamEncryption.UNENCRYPTED # Sensitive
)
----
== Compliant Solution
[source,python]
----
import ssl

url = "https://example.com"
url = "sftp://anonymous@example.com"
url = "ssh://anonymous@example.com"

import ftplib
cnx = ftplib.FTP_TLS("ftp.example.com")
cnx.prot_p() # also protect the data channel, not only the control channel

import smtplib
context = ssl.create_default_context() # verifies the server certificate and hostname
smtp = smtplib.SMTP("smtp.example.com", port=587)
smtp.starttls(context=context)

smtp_ssl = smtplib.SMTP_SSL("smtp.gmail.com", port=465)
----
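The two snippets above are what the rule's first message is about: hard-coded clear-text URLs, clear-text client objects, and an `smtplib.SMTP` connection that is never upgraded with STARTTLS. As an added illustration (example code written for this page, not part of the rule specification or of Sonar's analyzer), the checker below applies those three patterns syntactically with Python's `ast` module and runs them over the sensitive and compliant snippets, which are embedded here as constructed input. The mapping of each clear-text scheme to its alternative, and the limitation that the `starttls` check only follows a simple variable name, are assumptions of this example.

```python
import ast

# Clear-text schemes and the alternatives the compliant solution uses for them (assumed mapping).
CLEARTEXT_SCHEMES = {"http": "https", "ftp": "sftp", "telnet": "ssh"}
# Client constructors that speak clear-text protocols, keyed by ("module", "class").
CLEARTEXT_CLIENTS = {("telnetlib", "Telnet"): "ssh", ("ftplib", "FTP"): "ftplib.FTP_TLS"}
MSG_STARTTLS = "Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS."

# Constructed input: the sensitive and the compliant example, without their "# Sensitive" marks.
SENSITIVE_SNIPPET = '''\
url = "http://example.com"
url = "ftp://anonymous@example.com"
url = "telnet://anonymous@example.com"
import telnetlib
cnx = telnetlib.Telnet("towel.blinkenlights.nl")
import ftplib
cnx = ftplib.FTP("ftp.example.com")
import smtplib
smtp = smtplib.SMTP("smtp.example.com", port=587)
'''

COMPLIANT_SNIPPET = '''\
import ssl
url = "https://example.com"
url = "sftp://anonymous@example.com"
url = "ssh://anonymous@example.com"
import ftplib
cnx = ftplib.FTP_TLS("ftp.example.com")
import smtplib
context = ssl.create_default_context()
smtp = smtplib.SMTP("smtp.example.com", port=587)
smtp.starttls(context=context)
smtp_ssl = smtplib.SMTP_SSL("smtp.gmail.com", port=465)
'''


def _module_attr(node):
    """Return ('module', 'attr') for an expression of the form module.attr, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return node.value.id, node.attr
    return None


def _cleartext_scheme(text):
    """Return the scheme of a URL literal if it is a clear-text scheme, else None."""
    scheme, sep, _ = text.partition("://")
    scheme = scheme.lower()
    return scheme if sep and scheme in CLEARTEXT_SCHEMES else None


def _starttls_targets(tree):
    """Names on which `.starttls(...)` is called anywhere in the module."""
    targets = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            ref = _module_attr(node.func)
            if ref and ref[1] == "starttls":
                targets.add(ref[0])
    return targets


def find_cleartext_protocols(source):
    """Return sorted (line, message) findings for the patterns the rule describes."""
    tree = ast.parse(source)
    upgraded = _starttls_targets(tree)
    findings = []
    for node in ast.walk(tree):
        # Hard-coded URL literal with a clear-text scheme.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            scheme = _cleartext_scheme(node.value)
            if scheme:
                findings.append((node.lineno, f"Using {scheme} protocol is insecure. "
                                              f"Use {CLEARTEXT_SCHEMES[scheme]} instead."))
        # Assignment of a clear-text client object, or of an SMTP client never upgraded.
        elif isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            ref = _module_attr(node.value.func)
            if ref in CLEARTEXT_CLIENTS:
                findings.append((node.lineno, f"Using {ref[0]}.{ref[1]} is insecure. "
                                              f"Use {CLEARTEXT_CLIENTS[ref]} instead."))
            elif ref == ("smtplib", "SMTP"):
                names = {t.id for t in node.targets if isinstance(t, ast.Name)}
                if not names & upgraded:
                    findings.append((node.lineno, MSG_STARTTLS))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_cleartext_protocols(SENSITIVE_SNIPPET):
        print(f"line {line}: {message}")
    print("compliant findings:", find_cleartext_protocols(COMPLIANT_SNIPPET))
```

Run stand-alone, the script reports six findings for the sensitive snippet (three URLs, the Telnet and FTP clients, and the SMTP client that lacks `starttls`) and none for the compliant one; `smtplib.SMTP_SSL` and `ftplib.FTP_TLS` are not reported because they already negotiate TLS.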
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/ApplicationLoadBalancer.html[aws_cdk.aws_elasticloadbalancingv2.ApplicationLoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

lb = elbv2.ApplicationLoadBalancer(
    self,
    "LB",
    vpc=vpc,
    internet_facing=True
)

lb.add_listener(
    "Listener-https-explicit",
    protocol=elbv2.ApplicationProtocol.HTTPS,
    certificates=[elbv2.ListenerCertificate("certificateARN")],
    port=443,
    open=True
)

lb.add_listener(
    "Listener-https-implicit",
    certificates=[elbv2.ListenerCertificate("certificateARN")],
    port=8443,
    open=True
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/ApplicationListener.html[aws_cdk.aws_elasticloadbalancingv2.ApplicationListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

elbv2.ApplicationListener(
    self,
    "listener-https-explicit-const",
    load_balancer=lb,
    protocol=elbv2.ApplicationProtocol.HTTPS,
    certificates=[elbv2.ListenerCertificate("certificateARN")],
    port=444,
    open=True
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/NetworkLoadBalancer.html[aws_cdk.aws_elasticloadbalancingv2.NetworkLoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

lb = elbv2.NetworkLoadBalancer(
    self,
    "LB",
    vpc=vpc,
    internet_facing=True
)

lb.add_listener(
    "Listener-TLS-explicit",
    protocol=elbv2.Protocol.TLS,
    certificates=[elbv2.ListenerCertificate("certificateARN")],
    port=443
)

lb.add_listener(
    "Listener-TLS-implicit",
    certificates=[elbv2.ListenerCertificate("certificateARN")],
    port=1024
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/NetworkListener.html[aws_cdk.aws_elasticloadbalancingv2.NetworkListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

elbv2.NetworkListener(
    self,
    "Listener-TLS-explicit",
    protocol=elbv2.Protocol.TLS,
    certificates=[elbv2.ListenerCertificate("certificateARN")],
    port=443,
    load_balancer=lb
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancingv2/CfnListener.html[aws_cdk.aws_elasticloadbalancingv2.CfnListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancingv2 as elbv2,
)

elbv2.CfnListener(
    self,
    "listener-https",
    default_actions=[application_default_action],
    load_balancer_arn=lb.load_balancer_arn,
    protocol="HTTPS",
    port=443,
    certificates=[elbv2.CfnListener.CertificateProperty(
        certificate_arn="certificateARN"
    )]
)

elbv2.CfnListener(
    self,
    "listener-tls",
    default_actions=[network_default_action],
    load_balancer_arn=lb.load_balancer_arn,
    protocol="TLS",
    port=1001,
    certificates=[elbv2.CfnListener.CertificateProperty(
        certificate_arn="certificateARN"
    )]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancing/LoadBalancerListener.html[aws_cdk.aws_elasticloadbalancing.LoadBalancerListener]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancing as elb,
)

elb.LoadBalancerListener(
    external_port=10043,
    external_protocol=elb.LoadBalancingProtocol.SSL,
    internal_port=10043,
    ssl_certificate_arn="certificateARN"
)

elb.LoadBalancerListener(
    external_port=10443,
    external_protocol=elb.LoadBalancingProtocol.HTTPS,
    internal_port=10443,
    ssl_certificate_arn="certificateARN"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancing/CfnLoadBalancer.html[aws_cdk.aws_elasticloadbalancing.CfnLoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancing as elb,
)

elb.CfnLoadBalancer(
    self,
    "elb-ssl",
    listeners=[
        elb.CfnLoadBalancer.ListenersProperty(
            instance_port="10043",
            load_balancer_port="10043",
            protocol="ssl",
            ssl_certificate_id=CERTIFICATE_ARN
        )
    ],
    subnets=vpc.select_subnets().subnet_ids
)

elb.CfnLoadBalancer(
    self,
    "elb-https-dict",
    listeners=[
        {
            "instancePort":"10443",
            "loadBalancerPort":"10443",
            "protocol":"https",
            "sslCertificateId":CERTIFICATE_ARN
        }
    ],
    subnets=vpc.select_subnets().subnet_ids
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticloadbalancing/LoadBalancer.html[aws_cdk.aws_elasticloadbalancing.LoadBalancer]:
[source,python]
----
from aws_cdk import (
    aws_elasticloadbalancing as elb,
)

elb.LoadBalancer(
    self,
    "elb-ssl",
    vpc=vpc,
    listeners=[
        {
            "externalPort":10044,
            "externalProtocol":elb.LoadBalancingProtocol.SSL,
            "internalPort":10044,
            "sslCertificateArn":"certificateARN"
        },
        {
            "externalPort":10444,
            "externalProtocol":elb.LoadBalancingProtocol.HTTPS,
            "internalPort":10444,
            "sslCertificateArn":"certificateARN"
        }
    ]
)

loadBalancer = elb.LoadBalancer(
    self,
    "elb-multi-listener",
    vpc=vpc
)

loadBalancer.add_listener(
    external_port=10045,
    external_protocol=elb.LoadBalancingProtocol.SSL,
    internal_port=10045,
    ssl_certificate_arn="certificateARN"
)

loadBalancer.add_listener(
    external_port=10445,
    external_protocol=elb.LoadBalancingProtocol.HTTPS,
    internal_port=10445,
    ssl_certificate_arn="certificateARN"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_elasticache/CfnReplicationGroup.html[aws_cdk.aws_elasticache.CfnReplicationGroup]:
[source,python]
----
from aws_cdk import (
    aws_elasticache as elasticache
)

elasticache.CfnReplicationGroup(
    self,
    "encrypted-explicit",
    replication_group_description="a test replication group",
    automatic_failover_enabled=False,
    transit_encryption_enabled=True,
    cache_subnet_group_name="test",
    engine="redis",
    engine_version="3.2.6",
    num_cache_clusters=1,
    cache_node_type="cache.t2.micro"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kinesis/CfnStream.html[aws_cdk.aws_kinesis.CfnStream]:
[source,python]
----
from aws_cdk import (
    aws_kinesis as kinesis,
)

kinesis.CfnStream(
    self,
    "cfnstream-explicit-encrypted",
    shard_count=1,
    stream_encryption=kinesis.CfnStream.StreamEncryptionProperty(
        encryption_type="KMS",
        key_id="alias/aws/kinesis"
    )
)

stream = kinesis.CfnStream(
    self,
    "cfnstream-explicit-encrypted-dict",
    shard_count=1,
    stream_encryption={
        "encryptionType": "KMS",
        "keyId": "alias/aws/kinesis"
    }
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_kinesis/Stream.html[aws_cdk.aws_kinesis.Stream]:
[source,python]
----
from aws_cdk import (
    aws_kinesis as kinesis,
    aws_kms as kms
)

stream = kinesis.Stream( # Encryption is enabled by default for Streams
    self,
    "stream-implicit-encrypted",
    shard_count=1
)

stream = kinesis.Stream(
    self,
    "stream-explicit-encrypted-managed",
    shard_count=1,
    encryption=kinesis.StreamEncryption.MANAGED
)

key = kms.Key(self, "managed_key")
stream = kinesis.Stream(
    self,
    "stream-explicit-encrypted-selfmanaged",
    shard_count=1,
    encryption=kinesis.StreamEncryption.KMS,
    encryption_key=key
)
----
include::../exceptions.adoc[]
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
* Using {protocol.insecure} protocol is insecure. Use {protocol.alternatives} instead.
* Make sure STARTTLS is used to upgrade to a secure connection using SSL/TLS.
For `aws_cdk.aws_elasticloadbalancing.LoadBalancer`, `aws_cdk.aws_elasticloadbalancing.CfnLoadBalancer`, `aws_cdk.aws_elasticloadbalancing.LoadBalancerListener`, `aws_cdk.aws_elasticloadbalancingv2.ApplicationLoadBalancer`, `aws_cdk.aws_elasticloadbalancingv2.NetworkLoadBalancer`, `aws_cdk.aws_elasticloadbalancingv2.ApplicationListener`, `aws_cdk.aws_elasticloadbalancingv2.NetworkListener` and `aws_cdk.aws_elasticloadbalancingv2.CfnListener`:
* Make sure that using network protocols without an SSL/TLS underlay is safe here.
For `aws_cdk.aws_elasticache.CfnReplicationGroup`:
* Make sure that disabling transit encryption is safe here.
For `aws_cdk.aws_kinesis.CfnStream` and `aws_cdk.aws_kinesis.Stream`:
* Make sure that disabling stream encryption is safe here.
=== Highlighting
For `aws_cdk.aws_elasticloadbalancingv2.ApplicationLoadBalancer`:
* Highlight the `protocol` parameter of the `add_listener` call when it is set
to elbv2.ApplicationProtocol.HTTP
* Highlight the `add_listener` call when the `protocol` parameter is not set
and the port parameter is 80, 8000, 8080 or 8008
For `aws_cdk.aws_elasticloadbalancingv2.ApplicationListener`:
* Highlight the `protocol` property of the object constructor when it is set to
elbv2.ApplicationProtocol.HTTP
* Highlight the object constructor call when the `protocol` parameter is not set
and the port parameter is 80, 8000, 8080 or 8008
For `aws_cdk.aws_elasticloadbalancingv2.NetworkLoadBalancer`:
* Highlight the `protocol` parameter of the `add_listener` call when it is set
to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or
elbv2.Protocol.TCP_UDP
* Highlight the `add_listener` call when the `protocol` parameter is not set
and the `certificates` parameter is not set or is an empty `Sequence`.
For `aws_cdk.aws_elasticloadbalancingv2.NetworkListener`:
* Highlight the `protocol` property of the object constructor call when it is set
to elbv2.Protocol.TCP, elbv2.Protocol.UDP, or
elbv2.Protocol.TCP_UDP
* Highlight the constructor call when the `protocol` parameter is not set
and the `certificates` parameter is not set or is an empty `Sequence`.
For `aws_cdk.aws_elasticloadbalancingv2.CfnListener`:
* Highlight the `protocol` property of the object constructor when set to
HTTP, TCP, UDP, or TCP_UDP.
For `aws_cdk.aws_elasticloadbalancing.LoadBalancer`:
* Highlight the `externalProtocol` dict entry in the `listeners` property of the
object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
* Highlight the `externalProtocol` parameter of the call to `add_listener` when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
For `aws_cdk.aws_elasticloadbalancing.CfnLoadBalancer`:
* When the `listeners` property of the object constructor is a `Sequence`
that contains a `dict` with a "protocol" entry set to "tcp" or "http",
highlight the "protocol" entry.
* When the `listeners` property of the object constructor is a `Sequence`
that contains an `elb.CfnLoadBalancer.ListenersProperty` with a `protocol`
property set to "tcp" or "http", highlight the protocol property.
For `aws_cdk.aws_elasticloadbalancing.LoadBalancerListener`:
* Highlight the `external_protocol` property of the object constructor when set to `elb.LoadBalancingProtocol.TCP` or `elb.LoadBalancingProtocol.HTTP`.
For `aws_cdk.aws_elasticache.CfnReplicationGroup`:
* Highlight the `transit_encryption_enabled` property of the object constructor if it is
present and set to False.
* Highlight the constructor call if the `transit_encryption_enabled` attribute is not set.
For `aws_cdk.aws_kinesis.CfnStream`:
* Highlight the object constructor when the `stream_encryption` property is not set.
* Highlight the `stream_encryption` property of the object constructor when set to None.
For `aws_cdk.aws_kinesis.Stream`:
* Highlight the `encryption` property of the object constructor when it is set to aws_kinesis.StreamEncryption.UNENCRYPTED
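The highlighting rules above are, in effect, a detection specification. As an added illustration (example code written for this page, not Sonar's analyzer), the checker below implements them syntactically with Python's `ast` module over a constructed CDK stack body. Because it has no type information, it cannot tell an `ApplicationLoadBalancer` from a `NetworkLoadBalancer` receiver, so for every listener call without an explicit protocol it applies the ALB port rule first and then the NLB "no certificates" rule; the sample stack, the `classic` receiver name and that ordering are assumptions of the example. It generalizes the rules slightly by matching protocol enum members by their dotted suffix, so any import alias works.

```python
import ast

# Ports on which an ALB listener with no explicit protocol defaults to HTTP (from the spec).
HTTP_DEFAULT_PORTS = {80, 8000, 8080, 8008}
# Enum members the spec lists as clear-text listener protocols, matched as dotted-name suffixes.
CLEARTEXT_PROTOCOLS = (
    "ApplicationProtocol.HTTP",
    "Protocol.TCP", "Protocol.UDP", "Protocol.TCP_UDP",
    "LoadBalancingProtocol.TCP", "LoadBalancingProtocol.HTTP",
)
LISTENER_CALLEES = {"add_listener", "ApplicationListener", "NetworkListener", "LoadBalancerListener"}

MSG_LB = "Make sure that using network protocols without an SSL/TLS underlay is safe here."
MSG_CACHE = "Make sure that disabling transit encryption is safe here."
MSG_STREAM = "Make sure that disabling stream encryption is safe here."

# Constructed input: a stack body mixing sensitive and compliant constructs (assumed receiver names).
SAMPLE_STACK = '''\
lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
lb.add_listener("Listener-default", port=80, open=True)
lb.add_listener("Listener-http-explicit",
    protocol=elbv2.ApplicationProtocol.HTTP, port=8080, open=True)
lb.add_listener("Listener-https-implicit",
    certificates=[elbv2.ListenerCertificate("certificateARN")], port=8443, open=True)
nlb = elbv2.NetworkLoadBalancer(self, "NLB", vpc=vpc, internet_facing=True)
nlb.add_listener("Listener-default", port=1234)
nlb.add_listener("Listener-TLS-explicit", protocol=elbv2.Protocol.TLS,
    certificates=[elbv2.ListenerCertificate("certificateARN")], port=443)
classic.add_listener(external_port=10080,
    external_protocol=elb.LoadBalancingProtocol.HTTP, internal_port=10080)
elasticache.CfnReplicationGroup(self, "unencrypted-implicit", engine="redis")
elasticache.CfnReplicationGroup(self, "encrypted-explicit", engine="redis",
    transit_encryption_enabled=True)
kinesis.CfnStream(self, "cfnstream-explicit-unencrypted", shard_count=1,
    stream_encryption=None)
kinesis.Stream(self, "stream-explicit-unencrypted", shard_count=1,
    encryption=kinesis.StreamEncryption.UNENCRYPTED)
kinesis.Stream(self, "stream-implicit-encrypted", shard_count=1)
'''


def _dotted(node):
    """Dotted text of a Name/Attribute chain such as 'elbv2.Protocol.TCP', else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def _is_cleartext(node):
    path = _dotted(node)
    return path is not None and path.endswith(CLEARTEXT_PROTOCOLS)


def _is_unset(node):
    """True for a None literal or an empty list/tuple literal."""
    if isinstance(node, ast.Constant):
        return node.value is None
    return isinstance(node, (ast.List, ast.Tuple)) and not node.elts


def _check_listener(call, kw):
    """Explicit clear-text protocol, or a clear-text protocol implied by port/certificates."""
    for name in ("external_protocol", "protocol"):  # classic ELB and v2 spellings
        if name in kw:
            return [(kw[name].lineno, MSG_LB)] if _is_cleartext(kw[name]) else []
    port = kw.get("port")
    if isinstance(port, ast.Constant) and port.value in HTTP_DEFAULT_PORTS:
        return [(call.lineno, MSG_LB)]  # ALB rule: HTTP is implied by the port
    if "certificates" not in kw or _is_unset(kw["certificates"]):
        return [(call.lineno, MSG_LB)]  # NLB rule: TCP is implied without a certificate
    return []


def find_cdk_cleartext(source):
    """Return sorted (line, message) findings over a CDK stack body."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = (_dotted(node.func) or "").rsplit(".", 1)[-1]
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        if callee in LISTENER_CALLEES:
            findings.extend(_check_listener(node, kw))
        elif callee == "CfnReplicationGroup":
            enabled = kw.get("transit_encryption_enabled")
            if enabled is None:  # property absent: encryption is off by default
                findings.append((node.lineno, MSG_CACHE))
            elif isinstance(enabled, ast.Constant) and enabled.value is False:
                findings.append((enabled.lineno, MSG_CACHE))
        elif callee == "CfnStream":
            enc = kw.get("stream_encryption")
            if enc is None:
                findings.append((node.lineno, MSG_STREAM))
            elif _is_unset(enc):
                findings.append((enc.lineno, MSG_STREAM))
        elif callee == "Stream":
            enc = kw.get("encryption")
            if enc is not None and (_dotted(enc) or "").endswith("StreamEncryption.UNENCRYPTED"):
                findings.append((enc.lineno, MSG_STREAM))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_cdk_cleartext(SAMPLE_STACK):
        print(f"line {line}: {message}")
```

On the sample stack the checker reports the HTTP-by-port and explicit-HTTP ALB listeners, the NLB listener with neither protocol nor certificate, the classic listener with `LoadBalancingProtocol.HTTP`, the replication group that leaves `transit_encryption_enabled` unset, the `CfnStream` with `stream_encryption=None` and the `Stream` set to `UNENCRYPTED`, and stays silent on the TLS, HTTPS, and encrypted constructs.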
endif::env-github,rspecator-view[]