Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00

App Engine supports encryption in transit through TLS. As soon as the app is deployed, it can be requested using `appspot.com` domains or custom domains. By default, endpoints accept both clear-text and encrypted traffic. When communication isn't encrypted, there is a risk that an attacker could intercept it and read confidential information.

When creating an App Engine, request handlers can be set with different security levels for encryption:

* `SECURE_NEVER`: only HTTP requests are allowed (HTTPS requests are redirected to HTTP).
* `SECURE_OPTIONAL` and `SECURE_DEFAULT`: both HTTP and HTTPS requests are allowed.
* `SECURE_ALWAYS`: only HTTPS requests are allowed (HTTP requests are redirected to HTTPS).

== Ask Yourself Whether

* The handler serves confidential data in HTTP responses.

There is a risk if you answered yes to this question.

== Recommended Secure Coding Practices

It's recommended for App Engine handlers to require TLS for all traffic. It can be achieved by setting the security level to `SECURE_ALWAYS`.

== Sensitive Code Example

`SECURE_DEFAULT`, `SECURE_NEVER` and `SECURE_OPTIONAL` are sensitive TLS security levels:

[source,terraform]
----
resource "google_app_engine_standard_app_version" "example" {
  version_id = "v1"
  service = "default"
  runtime = "nodejs"

  handlers {
    url_regex = ".*"
    redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
    security_level = "SECURE_OPTIONAL" # Sensitive
    script {
      script_path = "auto"
    }
  }
}
----

== Compliant Solution

Force the use of TLS for the handler by setting the security level to `SECURE_ALWAYS`:

[source,terraform]
----
resource "google_app_engine_standard_app_version" "example" {
  version_id = "v1"
  service = "default"
  runtime = "nodejs"

  handlers {
    url_regex = ".*"
    redirect_http_response_code = "REDIRECT_HTTP_RESPONSE_CODE_301"
    security_level = "SECURE_ALWAYS"
    script {
      script_path = "auto"
    }
  }
}
----
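
A CI check for the setting described above, as an added example that is not part of the original rule description or of the analyzer's code: it reads the JSON form of a Terraform plan (`terraform show -json`) and reports every handler whose `security_level` is not `SECURE_ALWAYS`. The sample plan is constructed, and treating an unset level as `SECURE_DEFAULT` is this example's assumption, based on the statement above that endpoints accept clear-text traffic by default.

```python
# Resource type taken from the examples on this page.
APP_VERSION_TYPES = {"google_app_engine_standard_app_version"}

def iter_resources(module):
    """Yield the resources of a plan module and of all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_non_tls_handlers(plan):
    """Return (address, url_regex, level) for each handler not set to SECURE_ALWAYS."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") not in APP_VERSION_TYPES:
            continue
        for handler in (res.get("values") or {}).get("handlers") or []:
            # A missing or null level is reported as SECURE_DEFAULT (assumption of this example).
            level = handler.get("security_level") or "SECURE_DEFAULT"
            if level != "SECURE_ALWAYS":
                findings.append((res["address"], handler.get("url_regex"), level))
    return findings

# Constructed sample, trimmed to the fields the check reads. For a real plan, load it with
# json.load() from the output of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_app_engine_standard_app_version.example",
         "type": "google_app_engine_standard_app_version",
         "values": {"handlers": [{"url_regex": ".*", "security_level": "SECURE_OPTIONAL"}]}},
        {"address": "google_app_engine_standard_app_version.api",
         "type": "google_app_engine_standard_app_version",
         "values": {"handlers": [
             {"url_regex": "/health", "security_level": None},
             {"url_regex": "/api/.*", "security_level": "SECURE_ALWAYS"}]}},
        {"address": "google_storage_bucket.assets", "type": "google_storage_bucket",
         "values": {"name": "assets"}},
    ],
    "child_modules": [{"resources": [
        {"address": "module.admin.google_app_engine_standard_app_version.admin",
         "type": "google_app_engine_standard_app_version",
         "values": {"handlers": [{"url_regex": "/admin/.*", "security_level": "SECURE_NEVER"}]}},
    ]}],
}}}

if __name__ == "__main__":
    for address, url_regex, level in find_non_tls_handlers(SAMPLE_PLAN):
        print(f"{address}: handler {url_regex!r} uses {level}, expected SECURE_ALWAYS")
```
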

== See

* CWE - https://cwe.mitre.org/data/definitions/200[CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor]
* CWE - https://cwe.mitre.org/data/definitions/319[CWE-319 - Cleartext Transmission of Sensitive Information]
* https://cloud.google.com/appengine/docs/standard/nodejs/application-security[GCP Documentation] - Overview of App Security

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure creating a App Engine handler without requiring TLS is safe here.

endif::env-github,rspecator-view[]