cfn-nag 0.1.7 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6fc49caae80b7af90674e5242e1011d57c8228b1
-  data.tar.gz: 4d26ed8e76161e9ec08800b52cebb9e4badb4731
+  metadata.gz: bd5906c9788032280ede5ed4140f22b9654044a2
+  data.tar.gz: 1afc86b72e29a99ec4a91566b00ff2ee5b973078
 SHA512:
-  metadata.gz: 2ae12235c935e1b91bdfd71aa63a6d44294c7ae7aec66cf4cd80a58fef9ffcff793ce680ee05588c8e333463fb84357b7e62b25879427b768f29e9d666cae31d
-  data.tar.gz: 1a4c37d8de9926839b445dc35bd92421191d4f61540bd34a0aaabc13a1b657e7c032d24d08b4b306b6ee248eeb6d3ffef0625cf25e32c355eefbc6eb84364cca
+  metadata.gz: e4bbe81af76602d8c5bdb0705bf5fd92b898bf5a11d630a644d97f557ba5cf772272649483aaadbc58f9e4872bee768a6e919b38f2c0681f0f9e0dd4e7cd5eba
+  data.tar.gz: c5b85b35db56051f6196ab02a60c665592768ae2e15f5ef3d49440c6a1bf0232789b603f58b048394d9d73ce3c01d659c01c2853b55de0b9329a8112bbcfd980

data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb

@@ -1,7 +1,9 @@
 require 'cfn-nag/violation'
 require_relative 'base'
+require 'cfn-nag/ip_addr'
 
 class SecurityGroupEgressOpenToWorldRule < BaseRule
+  include IpAddr
 
   def rule_text
     'Security Groups found with cidr open to world on egress'
@@ -21,8 +23,7 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
     logical_resource_ids = []
     cfn_model.security_groups.each do |security_group|
       violating_egresses = security_group.securityGroupEgress.select do |egress|
-        # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
-        egress.cidrIp.is_a?(String) && egress.cidrIp == '0.0.0.0/0'
+        ip4_open?(egress) || ip6_open?(egress)
       end
 
       unless violating_egresses.empty?
@@ -31,7 +32,7 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
     end
 
     violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
-      standalone_egress.cidrIp.is_a?(String) && standalone_egress.cidrIp == '0.0.0.0/0'
+      ip4_open?(standalone_egress) || ip6_open?(standalone_egress)
     end
 
     logical_resource_ids + violating_egresses.map { |egress| egress.logical_resource_id}

data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb

@@ -1,7 +1,9 @@
 require 'cfn-nag/violation'
 require_relative 'base'
+require 'cfn-nag/ip_addr'
 
 class SecurityGroupIngressCidrNon32Rule < BaseRule
+  include IpAddr
 
   def rule_text
     'Security Groups found with ingress cidr that is not /32'
@@ -21,8 +23,7 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
     logical_resource_ids = []
     cfn_model.security_groups.each do |security_group|
       violating_ingresses = security_group.securityGroupIngress.select do |ingress|
-        # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
-        ingress.cidrIp.is_a?(String) && !ingress.cidrIp.end_with?('/32')
+        ip4_cidr_range?(ingress) || ip6_cidr_range?(ingress)
       end
 
       unless violating_ingresses.empty?
@@ -31,7 +32,7 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
-      standalone_ingress.cidrIp.is_a?(String) && !standalone_ingress.cidrIp.end_with?('/32')
+      ip4_cidr_range?(standalone_ingress) || ip6_cidr_range?(standalone_ingress)
     end
 
     logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}

data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

@@ -1,8 +1,10 @@
 require 'cfn-nag/violation'
 require_relative 'base'
+require 'cfn-nag/ip_addr'
 
 class SecurityGroupIngressOpenToWorldRule < BaseRule
-
+  include IpAddr
+  
   def rule_text
     'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
   end
@@ -21,8 +23,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
     logical_resource_ids = []
     cfn_model.security_groups.each do |security_group|
       violating_ingresses = security_group.securityGroupIngress.select do |ingress|
-        # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
-        ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
+        ip4_open?(ingress) || ip6_open?(ingress)
       end
 
       unless violating_ingresses.empty?
@@ -31,7 +32,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
     end
 
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
-      standalone_ingress.cidrIp.is_a?(String) && standalone_ingress.cidrIp == '0.0.0.0/0'
+      ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress)
     end
 
     logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}

data/lib/cfn-nag/ip_addr.rb

@@ -0,0 +1,44 @@
+require 'netaddr'
+
+module IpAddr
+  def ip4_open?(ingress)
+    # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+    ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
+  end
+
+
+  def ip6_open?(ingress)
+    normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
+    return false if normalized_cidr_ip6.nil?
+
+    # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+    (NetAddr::CIDRv6.create(normalized_cidr_ip6) == NetAddr::CIDRv6.create('::/0'))
+  end
+
+  def ip4_cidr_range?(ingress)
+    ingress.cidrIp.is_a?(String) && !ingress.cidrIp.end_with?('/32')
+  end
+
+  def ip6_cidr_range?(ingress)
+    normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
+    return false if normalized_cidr_ip6.nil?
+
+    # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+    !NetAddr::CIDRv6.create(normalized_cidr_ip6).to_s.end_with?('/128')
+  end
+
+  ##
+  # If it's a string, just pass through
+  # If it's a symbol - probably because the YAML.load call treats an unquoted ::/0 as a the symbol :':/0'
+  # Otherwise it's probably a Ref or whatever and we aren't going to do anything with it
+  #
+  def normalize_cidr_ip6(ingress)
+    if ingress.cidrIpv6.is_a?(Symbol)
+      ":#{ingress.cidrIpv6.to_s}"
+    elsif ingress.cidrIpv6.is_a?(String)
+      ingress.cidrIpv6
+    else
+      nil
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.8
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-17 00:00:00.000000000 Z
+date: 2017-07-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: logging
@@ -66,6 +66,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 1.3.1
+- !ruby/object:Gem::Dependency
+  name: netaddr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.5.1
 description: Auditing tool for CloudFormation templates
 email: 
 executables:
@@ -129,6 +143,7 @@ files:
 - lib/cfn-nag/custom_rules/base.rb
 - lib/cfn-nag/custom_rules/ebs_volumes_jmespath.rb
 - lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb
+- lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
 - lib/cfn-nag/jmes_path_evaluator.rb
 - lib/cfn-nag/profile.rb