cfn-nag 0.6.8 → 0.6.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0ca27b8a27f49e0ab77d230cf271ba2d3e1174fd91fc089e510b920a3a718a3d
-  data.tar.gz: 76c9c290e547543be8bf4251dcf8f28c6ae9b83802d8d15372ea8bec5c5d2a4a
+  metadata.gz: 9b5274ea37c43e66281bd7e21513c650ca7dac661c5ce943e5fce39dad25506c
+  data.tar.gz: 22355ae1a48c603a4f4672d7887134f5087973aab0fda5eda92bcb794f975fbe
 SHA512:
-  metadata.gz: e2e2f2dfcdbccf5e92c5dca4ae55d0aaf9d1dd5be9ff82a2f11492130dee6ec612af999c8bca1383f777a1a205d4211f7434ee9d392bbe1612904bd51852509b
-  data.tar.gz: 030f69e2d5e60547b234c6b984e0274e47df0fc9dfaa9fe432f0a90039bfbc483a5fea3cc57dd6762cb5de9d9c570d6651809a892b740fd97d0cc73ce7b93efb
+  metadata.gz: c8d30927728b0b9ea80774a83c937629ede960143b02b69e51ad6a55ce770e15805e6b8adb733d5c461a346d66b4c11c6fc19fd59f90bf0ee614718375c1ac22
+  data.tar.gz: 4043b47cd7b3b9c19a5d1259134346768febabd2418a96c160a27f644e09cdb7a630f57013828e0d5d8bd1d49f3b19b414b6893bd1082e8ad9cfd4f9e27c6bcd

data/lib/cfn-nag/cfn_nag.rb

@@ -135,12 +135,11 @@ class CfnNag
     )
 
     # this must come after - blacklist should always win
-    violations = filter_violations_by_blacklist(
+    filter_violations_by_blacklist(
       blacklist_definition: @config.blacklist_definition,
       rule_definitions: @config.custom_rule_loader.rule_definitions,
       violations: violations
     )
-    violations
   rescue StandardError => blacklist_or_profile_parse_error
     violations << fatal_violation(blacklist_or_profile_parse_error.to_s)
     violations

data/lib/cfn-nag/cfn_nag_config.rb

@@ -29,12 +29,6 @@ class CfnNagConfig
   end
   # rubocop:enable Metrics/ParameterLists
 
-  attr_reader :rule_arguments
-  attr_reader :rule_directory
-  attr_reader :custom_rule_loader
-  attr_reader :profile_definition
-  attr_reader :blacklist_definition
-  attr_reader :fail_on_warnings
-  attr_reader :rule_repositories
-  attr_reader :ignore_fatal
+  attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :blacklist_definition, \
+              :fail_on_warnings, :rule_repositories, :ignore_fatal
 end

data/lib/cfn-nag/custom_rule_loader.rb

@@ -93,7 +93,7 @@ class CustomRuleLoader
       rescue ScriptError, StandardError => rule_error
         raise rule_error unless @isolate_custom_rule_exceptions
 
-        STDERR.puts rule_error
+        $stderr.puts rule_error
       end
     end
   end

data/lib/cfn-nag/custom_rules/DynamoDBBackupRule.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class DynamoDBBackupRule < BaseRule
+  def rule_text
+    'DynamoDB table should have backup enabled, should be set using PointInTimeRecoveryEnabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W78'
+  end
+
+  def audit_impl(cfn_model)
+    violating_ddb_tables = cfn_model.resources_by_type('AWS::DynamoDB::Table').select do |table|
+      table.pointInTimeRecoverySpecification.nil? ||
+        !truthy?(table.pointInTimeRecoverySpecification['PointInTimeRecoveryEnabled'].to_s)
+    end
+
+    violating_ddb_tables.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb

@@ -18,79 +18,80 @@ class EC2NetworkAclEntryOverlappingPortsRule < BaseRule
   end
 
   def audit_impl(cfn_model)
+    nacl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+
+    # Select nacl entries that can be evaluated
+    nacl_entries.select! do |nacl_entry|
+      tcp_or_udp_protocol?(nacl_entry) && valid_ports?(nacl_entry)
+    end
+
     violating_nacl_entries = []
-    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
-      violating_nacl_entries += violating_nacl_entries(nacl)
+
+    # Group entries by nacl id, ip type, and egress/ingress
+    grouped_nacl_entries = group_nacl_entries(nacl_entries)
+
+    grouped_nacl_entries.each do |grouping|
+      violating_nacl_entries += overlapping_port_entries(grouping)
     end
     violating_nacl_entries.map(&:logical_resource_id)
   end
 
   private
 
-  def overlapping_port_entries(nacl_entries)
-    unique_pairs(nacl_entries).select do |nacl_entry_pair|
-      tcp_or_udp_protocol?(nacl_entry_pair[0], nacl_entry_pair[1]) && overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
-    end
+  def tcp_or_udp_protocol?(entry)
+    %w[6 17].include?(entry.protocol.to_s)
   end
 
-  def tcp_or_udp_protocol?(entry1, entry2)
-    %w[6 17].include?(entry1.protocol.to_s) && %w[6 17].include?(entry2.protocol.to_s)
+  def valid_ports?(entry)
+    !entry.portRange.nil? && valid_port_number?(entry.portRange['From']) && valid_port_number?(entry.portRange['To'])
   end
 
-  def unique_pairs(arr)
-    pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
-    pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
+  def valid_port_number?(port)
+    port.is_a?(Numeric) || (port.is_a?(String) && port.to_i(10) != 0)
   end
 
-  def overlap?(entry1, entry2)
-    roverlap?(entry1, entry2) || loverlap?(entry1, entry2)
-  end
+  def group_nacl_entries(nacl_entries)
+    grouped_nacl_entries = []
 
-  def roverlap?(entry1, entry2)
-    entry1.portRange['From'].between?(entry2.portRange['From'], entry2.portRange['To']) ||
-      entry1.portRange['To'].between?(entry2.portRange['From'], entry2.portRange['To'])
-  end
+    # Group by NaclID
+    nacl_entries.group_by(&:networkAclId).each_value do |entries|
+      # Split entries by ip type
+      ipv4_entries, ipv6_entries = entries.partition { |nacl_entry| nacl_entry.ipv6CidrBlock.nil? }
 
-  def loverlap?(entry1, entry2)
-    entry2.portRange['From'].between?(entry1.portRange['From'], entry1.portRange['To']) ||
-      entry2.portRange['To'].between?(entry1.portRange['From'], entry1.portRange['To'])
-  end
+      # Split entries by egress/ingress
+      egress4, ingress4 = ipv4_entries.partition { |nacl_entry| truthy?(nacl_entry.egress) }
+      egress6, ingress6 = ipv6_entries.partition { |nacl_entry| truthy?(nacl_entry.egress) }
 
-  def egress_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      truthy?(nacl_entry.egress)
+      grouped_nacl_entries << egress4
+      grouped_nacl_entries << ingress4
+      grouped_nacl_entries << egress6
+      grouped_nacl_entries << ingress6
     end
-  end
 
-  def ingress_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      not_truthy?(nacl_entry.egress)
-    end
+    grouped_nacl_entries
   end
 
-  def ip6_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      !nacl_entry.ipv6CidrBlock.nil?
-    end
+  def overlapping_port_entries(nacl_entries)
+    unique_pairs(nacl_entries).select do |nacl_entry_pair|
+      overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
+    end.flatten.uniq
   end
 
-  def ip4_entries(nacl_entries)
-    nacl_entries.select do |nacl_entry|
-      nacl_entry.ipv6CidrBlock.nil?
-    end
+  def unique_pairs(arr)
+    pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
+    pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
   end
 
-  def violating_nacl_entries(nacl)
-    violating_ip4_nacl_entries(nacl) || violating_ip6_nacl_entries(nacl)
+  def overlap?(entry1, entry2)
+    port_overlap?(entry1.portRange, entry2.portRange) || port_overlap?(entry2.portRange, entry1.portRange)
   end
 
-  def violating_ip4_nacl_entries(nacl)
-    overlapping_port_entries(egress_entries(ip4_entries(nacl.network_acl_entries))).flatten.uniq &&
-      overlapping_port_entries(ingress_entries(ip4_entries(nacl.network_acl_entries))).flatten.uniq
+  def port_overlap?(port_range1, port_range2)
+    port_number(port_range1['From']).between?(port_number(port_range2['From']), port_number(port_range2['To'])) ||
+      port_number(port_range1['To']).between?(port_number(port_range2['From']), port_number(port_range2['To']))
   end
 
-  def violating_ip6_nacl_entries(nacl)
-    overlapping_port_entries(egress_entries(ip6_entries(nacl.network_acl_entries))).flatten.uniq &&
-      overlapping_port_entries(ingress_entries(ip6_entries(nacl.network_acl_entries))).flatten.uniq
+  def port_number(port)
+    port.to_i
   end
 end

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerV2AccessLoggingRule.rb

@@ -29,10 +29,9 @@ class ElasticLoadBalancerV2AccessLoggingRule < BaseRule
   private
 
   def access_logging_is_false?(load_balancer)
-    false_access_log_attribute = load_balancer.loadBalancerAttributes.find do |load_balancer_attribute|
+    load_balancer.loadBalancerAttributes.find do |load_balancer_attribute|
       load_balancer_attribute['Key'] == 'access_logs.s3.enabled' && not_truthy?(load_balancer_attribute['Value'])
     end
-    false_access_log_attribute
   end
 
   def missing_access_logs?(load_balancer)

data/lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb

@@ -2,7 +2,6 @@
 
 require 'cfn-nag/util/truthy'
 require 'cfn-nag/violation'
-require 'cfn-nag/util/truthy'
 require_relative 'base'
 
 class ElasticsearchDomainEncryptionAtRestOptionsRule < BaseRule

data/lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb

@@ -5,7 +5,7 @@ require_relative 'base'
 require 'cfn-nag/util/wildcard_patterns'
 
 class IamRolePassRoleWildcardResourceRule < BaseRule
-  IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map! { |x| 'iam:' + x } + ['*']
+  IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map! { |x| "iam:#{x}" } + ['*']
 
   def rule_text
     'IAM role should not allow * resource with PassRole action on its permissions policy'

data/lib/cfn-nag/custom_rules/RDSInstanceDeletionProtectionRule.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require_relative 'base'
-require 'cfn-nag/util/truthy.rb'
+require 'cfn-nag/util/truthy'
 require 'cfn-nag/violation'
 
 class RDSInstanceDeletionProtectionRule < BaseRule

data/lib/cfn-nag/custom_rules/SPCMRule.rb

@@ -6,6 +6,7 @@ require_relative 'base'
 
 class SPCMRule < BaseRule
   attr_accessor :spcm_threshold
+
   DEFAULT_THRESHOLD = 25
 
   def rule_text

data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb

@@ -25,16 +25,22 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
   def audit_impl(cfn_model)
     violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_egresses = security_group.egresses.select do |egress|
-        ip4_open?(egress) || ip6_open?(egress)
+        violating_egress(egress)
       end
 
       !violating_egresses.empty?
     end
 
     violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
-      ip4_open?(standalone_egress) || ip6_open?(standalone_egress)
+      violating_egress(standalone_egress)
     end
 
     violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
   end
+
+  private
+
+  def violating_egress(egress)
+    ip4_open?(egress) || ip6_open?(egress)
+  end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb

@@ -25,16 +25,22 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
   def audit_impl(cfn_model)
     violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_ingresses = security_group.ingresses.select do |ingress|
-        ip4_cidr_range?(ingress) || ip6_cidr_range?(ingress)
+        violating_ingress(ingress)
       end
 
       !violating_ingresses.empty?
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
-      ip4_cidr_range?(standalone_ingress) || ip6_cidr_range?(standalone_ingress)
+      violating_ingress(standalone_ingress)
     end
 
     violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
   end
+
+  private
+
+  def violating_ingress(ingress)
+    ip4_cidr_range?(ingress) || ip6_cidr_range?(ingress)
+  end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

@@ -26,16 +26,22 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
   def audit_impl(cfn_model)
     violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_ingresses = security_group.ingresses.select do |ingress|
-        ip4_open?(ingress) || ip6_open?(ingress)
+        violating_ingress(ingress)
       end
 
       !violating_ingresses.empty?
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
-      ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress)
+      violating_ingress(standalone_ingress)
     end
 
     violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
   end
+
+  private
+
+  def violating_ingress(ingress)
+    ip4_open?(ingress) || ip6_open?(ingress)
+  end
 end

data/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb

@@ -3,7 +3,7 @@
 require 'cfn-nag/violation'
 require_relative 'base'
 require 'cfn-nag/ip_addr'
-require 'cfn-nag/util/blank.rb'
+require 'cfn-nag/util/blank'
 
 class SecurityGroupRuleDescriptionRule < BaseRule
   def rule_text

data/lib/cfn-nag/custom_rules/boolean_base_rule.rb

@@ -2,7 +2,7 @@
 
 require 'cfn-nag/violation'
 require_relative 'base'
-require 'cfn-nag/util/truthy.rb'
+require 'cfn-nag/util/truthy'
 
 ##
 # Derive from this rule to ensure that a resource

data/lib/cfn-nag/custom_rules/passrole_base_rule.rb

@@ -5,7 +5,7 @@ require_relative 'base'
 require 'cfn-nag/util/wildcard_patterns'
 
 class PassRoleBaseRule < BaseRule
-  IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map { |pattern| 'iam:' + pattern } + ['*']
+  IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map { |pattern| "iam:#{pattern}" } + ['*']
 
   def policy_type
     raise 'must implement in subclass'

data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb

@@ -41,9 +41,10 @@ class ConditionMetric
     result = []
     conditions.each do |_, expression|
       expression.each do |_, value|
-        if value.is_a? String
+        case value
+        when String
           result << value
-        elsif value.is_a? Array
+        when Array
           result += value
         end
       end

data/lib/cfn-nag/ip_addr.rb

@@ -47,9 +47,10 @@ module IpAddr
   # anything with it
   #
   def normalize_cidr_ip6(ingress)
-    if ingress.cidrIpv6.is_a?(Symbol)
+    case ingress.cidrIpv6
+    when Symbol
       ":#{ingress.cidrIpv6}"
-    elsif ingress.cidrIpv6.is_a?(String)
+    when String
       ingress.cidrIpv6
     end
   end

data/lib/cfn-nag/metadata.rb

@@ -13,7 +13,7 @@ module Metadata
       logical_resource_id = mangled_metadata.first
       mangled_rules = mangled_metadata[1]
 
-      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression rule id: #{mangled_rules}"
+      $stderr.puts "#{logical_resource_id} has missing cfn_nag suppression rule id: #{mangled_rules}"
     end
   end
 
@@ -46,7 +46,7 @@ module Metadata
     end
     if found_suppression_rule && print_suppression
       message = "Suppressing #{rule_id} on #{logical_resource_id} for reason: #{found_suppression_rule['reason']}"
-      STDERR.puts message
+      $stderr.puts message
     end
     !found_suppression_rule.nil?
   end

data/lib/cfn-nag/result_view/stdout_results.rb

@@ -27,7 +27,7 @@ class StdoutResults
   def render(results)
     results.each do |result|
       60.times { print '-' }
-      puts "\n" + result[:filename]
+      puts "\n#{result[:filename]}"
       60.times { print '-' }
 
       violations = result[:file_results][:violations]
@@ -45,6 +45,6 @@ class StdoutResults
   end
 
   def indent_multiline_string_with_prefix(prefix, multiline_string)
-    prefix + ' ' + multiline_string.gsub(/\n/, "\n#{prefix} ")
+    "#{prefix} #{multiline_string.gsub(/\n/, "\n#{prefix} ")}"
   end
 end

data/lib/cfn-nag/rule_repos/gem_based_rule_repo.rb

@@ -53,7 +53,7 @@ class GemBasedRuleRepo
     require rule_gem_name
     true
   rescue LoadError
-    STDERR.puts "Could not require #{rule_gem_name} - does the rule gem have a top level entry point?"
+    $stderr.puts "Could not require #{rule_gem_name} - does the rule gem have a top level entry point?"
     false
   end
 

data/lib/cfn-nag/rule_repository_loader.rb

@@ -33,7 +33,7 @@ class RuleRepositoryLoader
     end
 
     repo_class = class_from_name(rule_repository_definition['repo_class_name'])
-    if rule_repository_definition['repo_arguments']&.is_a?(Hash)
+    if rule_repository_definition['repo_arguments'].is_a?(Hash)
       repo_class.new(**to_sym_keys(rule_repository_definition['repo_arguments']))
     else
       repo_class.new

data/lib/cfn-nag/util/enforce_reference_parameter.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'cfn-nag/util/truthy.rb'
+require 'cfn-nag/util/truthy'
 
 # Returns false if the provided key_to_check is a no-echo parameter without a
 # default value, or pseudo parameter reference to 'AWS::NoValue'; true otherwise.

data/lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb

@@ -9,17 +9,16 @@ def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
 
   # Check if string starts with a Dynamic Reference pointing to SecretsManager
   # or SSM Secure
+  # &&
+  # Verify that the secure string ends properly with the double curly braces
   if key_to_check.start_with?(
     '{{resolve:secretsmanager:',
     '{{resolve:ssm-secure:'
-  )
-    # Verify that the secure string ends properly with the double curly braces
-    if key_to_check.end_with? '}}'
-      return false
-    end
+  ) && key_to_check.end_with?('}}')
+    return false
   end
 
-  # Retrun true if key_to_check is a string and is not calling a secured
+  # Return true if key_to_check is a string and is not calling a secured
   # dynamic reference pattern (Secrets Manager or SSM-Secure)
   true
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.8
+  version: 0.6.13
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-10-01 00:00:00.000000000 Z
+date: 2020-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.1
+        version: 0.5.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.5.1
+        version: 0.5.4
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -203,6 +203,7 @@ files:
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/DynamoDBBackupRule.rb
 - lib/cfn-nag/custom_rules/DynamoDBBillingModeRule.rb
 - lib/cfn-nag/custom_rules/DynamoDBEncryptionRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb