ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6321/python/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

253 lines
6.1 KiB
Plaintext
Raw Blame History

== Why is this an issue?
include::../rationale.adoc[]
include::../impact.adoc[]
== How to fix it
include::../common/how-to-fix-it/intro.adoc[]
=== Code examples
==== Noncompliant code example
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and other constructs that support a `connections` attribute:
[source,python,diff-id=1,diff-type=noncompliant]
----
from aws_cdk import aws_ec2 as ec2
instance = ec2.Instance(
self,
"my_instance",
instance_type=nano_t2,
machine_image=ec2.MachineImage.latest_amazon_linux(),
vpc=vpc
)
instance.connections.allow_from(
ec2.Peer.any_ipv4(), # Noncompliant
ec2.Port.tcp(22),
description="Allows SSH from all IPv4"
)
instance.connections.allow_from_any_ipv4( # Noncompliant
ec2.Port.tcp(3389),
description="Allows Terminal Server from all IPv4"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]
[source,python,diff-id=2,diff-type=noncompliant]
----
from aws_cdk import aws_ec2 as ec2
security_group = ec2.SecurityGroup(
self,
"custom-security-group",
vpc=vpc
)
security_group.add_ingress_rule(
ec2.Peer.any_ipv4(), # Noncompliant
ec2.Port.tcp_range(1, 1024)
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroup.html[aws_cdk.aws_ec2.CfnSecurityGroup]
[source,python,diff-id=3,diff-type=noncompliant]
----
from aws_cdk import aws_ec2 as ec2
ec2.CfnSecurityGroup(
self,
"cfn-based-security-group",
group_description="cfn based security group",
group_name="cfn-based-security-group",
vpc_id=vpc.vpc_id,
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty( # Noncompliant
ip_protocol="6",
cidr_ip="0.0.0.0/0",
from_port=22,
to_port=22
),
ec2.CfnSecurityGroup.IngressProperty( # Noncompliant
ip_protocol="tcp",
cidr_ip="0.0.0.0/0",
from_port=3389,
to_port=3389
),
{ # Noncompliant
"ipProtocol":"-1",
"cidrIpv6":"::/0"
}
]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroupIngress.html[aws_cdk.aws_ec2.CfnSecurityGroupIngress]
[source,python,diff-id=4,diff-type=noncompliant]
----
from aws_cdk import aws_ec2 as ec2
ec2.CfnSecurityGroupIngress( # Noncompliant
self,
"ingress-all-ip-tcp-ssh",
ip_protocol="tcp",
cidr_ip="0.0.0.0/0",
from_port=22,
to_port=22,
group_id=security_group.attr_group_id
)
ec2.CfnSecurityGroupIngress( # Noncompliant
self,
"ingress-all-ipv6-all-tcp",
ip_protocol="-1",
cidr_ipv6="::/0",
group_id=security_group.attr_group_id
)
----
==== Compliant solution
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and other constructs that support a `connections` attribute:
[source,python,diff-id=1,diff-type=compliant]
----
from aws_cdk import aws_ec2 as ec2
instance = ec2.Instance(
self,
"my_instance",
instance_type=nano_t2,
machine_image=ec2.MachineImage.latest_amazon_linux(),
vpc=vpc
)
instance.connections.allow_from_any_ipv4(
ec2.Port.tcp(1234),
description="Allows 1234 from all IPv4"
)
instance.connections.allow_from(
ec2.Peer.ipv4("192.0.2.0/24"),
ec2.Port.tcp(22),
description="Allows SSH from all IPv4"
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]
[source,python,diff-id=2,diff-type=compliant]
----
from aws_cdk import aws_ec2 as ec2
security_group = ec2.SecurityGroup(
self,
"custom-security-group",
vpc=vpc
)
security_group.add_ingress_rule(
ec2.Peer.any_ipv4(),
ec2.Port.tcp_range(1024, 1048)
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroup.html[aws_cdk.aws_ec2.CfnSecurityGroup]
[source,python,diff-id=3,diff-type=compliant]
----
from aws_cdk import aws_ec2 as ec2
ec2.CfnSecurityGroup(
self,
"cfn-based-security-group",
group_description="cfn based security group",
group_name="cfn-based-security-group",
vpc_id=vpc.vpc_id,
security_group_ingress=[
ec2.CfnSecurityGroup.IngressProperty(
ip_protocol="tcp",
cidr_ip="0.0.0.0/0",
from_port=1024,
to_port=1048
),
{
"ipProtocol":"6",
"cidrIp":"192.0.2.0/24",
"fromPort":22,
"toPort":22
}
]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroupIngress.html[aws_cdk.aws_ec2.CfnSecurityGroupIngress]
[source,python,diff-id=4,diff-type=compliant]
----
from aws_cdk import aws_ec2 as ec2
ec2.CfnSecurityGroupIngress(
self,
"ingress-all-ipv4-tcp-http",
ip_protocol="6",
cidr_ip="0.0.0.0/0",
from_port=80,
to_port=80,
group_id=security_group.attr_group_id
)
ec2.CfnSecurityGroupIngress(
self,
"ingress-range-tcp-rdp",
ip_protocol="tcp",
cidr_ip="192.0.2.0/24",
from_port=3389,
to_port=3389,
group_id=security_group.attr_group_id
)
----
== Resources
include::../common/resources/docs.adoc[]
include::../common/resources/articles.adoc[]
include::../common/resources/presentations.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
== Message
When a call to `allow_from_any_ipv4` or `allow_default_port_from_any_ipv4` is identified:
* Change this method for `allow_from` and set `other` to a subset of trusted IP addresses
In any other case, when a dangerous peer definition is identified:
* Change this IP range to a subset of trusted IP addresses.
== Highlighting
When a call to `allow_from_any_ipv4` or `allow_default_port_from_any_ipv4` is identified:
* Highlight the method name
In any other case, when a dangerous peer definition is identified:
* Highlight the peer definition attribute, e.g. `cidr_ip` for `IngressProperty` constructors, `peer` parameter for `add_ingress_rule` calls, `other` for `allow_from` calls, etc.
'''
Reference in New Issue View Git Blame Copy Permalink