cfn-nag 0.4.28 → 0.4.29

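--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3f4ecf712c97dd6ed7c5ddcf6a2ce4dad39bed49126cda319b5ed745e7f9cfe7
- data.tar.gz: ebf786e319e90aa28b8da6c214ee0ec4f44ec1aa54ab8dd9f35bb5e537414ec3
+ metadata.gz: '011839ee5d19c5990b7fb7b28a87b961336cf98a35a3a7fa5792e01e5d9470cc'
+ data.tar.gz: b04751c2b454226955d2b6aac10ee005338c9a5cb2aa0f3c34bfd5ca216138b6
  SHA512:
- metadata.gz: 1730e2a044e598aeba8505dfa7ea891b61475ca64dfca3cc3630aa25509cf8c2cec2add50bc8efbb20e19a840a27e93a4a6727d8dfd1b9060b0832b019628f7f
- data.tar.gz: 8d4a72cf87fab25fb416042ee00a0a19309c253e512e93db24979767e6cc4028683c94457a01d60de546480755d36ebb27e35aba1a14ef02e6cb0d06916b7b98
+ metadata.gz: 98a9ffb0a8d6888eabf60416c88e1ad05626eacf0bf279a05ac973f7140702eec5cc9915acf2464176e1bb43bbccc8decac5dac048a62b6ae95e5fc16f196de8
+ data.tar.gz: 2c16cc585f3d22f7912d32d38202fe67297ab3c10927f4f5e329384fa0916052cf633027349fbc92db9be496959f0f9346eee423886f8ceef95ab1f3a2e324a8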
@@ -0,0 +1,31 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'password_base_rule'
5
+
6
+ class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
7
+ def rule_text
8
+ 'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
9
+ 'or a Ref to a NoEcho Parameter with a Default value.'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::FAILING_VIOLATION
14
+ end
15
+
16
+ def rule_id
17
+ 'F50'
18
+ end
19
+
20
+ def resource_type
21
+ 'AWS::Amplify::App'
22
+ end
23
+
24
+ def password_property
25
+ :basicAuthConfig
26
+ end
27
+
28
+ def sub_property_name
29
+ 'Password'
30
+ end
31
+ end
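Review bot: The new rule class carries no comment explaining how its two selectors are consumed, and that contract is only visible in PasswordBaseRule, where `password_property` is sent to the parsed resource and `sub_property_name` indexes the value that comes back. I would add above the class `# Flags AWS::Amplify::App resources whose BasicAuthConfig Password is a literal string or a Ref to a NoEcho parameter that has a Default.` and above `sub_property_name` the line `# Key inside basicAuthConfig that holds the secret.` The check is scoped to `AWS::Amplify::App` only; AWS::Amplify::Branch also accepts a BasicAuthConfig, so a sibling rule may be worth a follow-up if it is not covered elsewhere.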
@@ -14,19 +14,49 @@ class PasswordBaseRule < BaseRule
14
14
  raise 'must implement in subclass'
15
15
  end
16
16
 
17
+ def sub_property_name; end
18
+
17
19
  def audit_impl(cfn_model)
18
20
  resources = cfn_model.resources_by_type(resource_type)
19
21
 
20
22
  violating_resources = resources.select do |resource|
21
- if resource.send(password_property).nil?
23
+ if verify_parameter_exists(resource, password_property, sub_property_name)
22
24
  false
23
25
  else
24
- insecure_parameter?(cfn_model, resource.send(password_property)) ||
25
- insecure_string_or_dynamic_reference?(cfn_model,
26
- resource.send(password_property))
26
+ verify_insecure_string_and_parameter(
27
+ cfn_model, resource, password_property, sub_property_name
28
+ )
27
29
  end
28
30
  end
29
31
 
30
32
  violating_resources.map(&:logical_resource_id)
31
33
  end
32
34
  end
35
+
36
+ private
37
+
38
+ def verify_parameter_exists(resource, password_property, sub_property_name)
39
+ if sub_property_name.nil?
40
+ resource.send(password_property).nil?
41
+ else
42
+ resource.send(password_property)[sub_property_name].nil?
43
+ end
44
+ end
45
+
46
+ def verify_insecure_string_and_parameter(
47
+ cfn_model, resource, password_property, sub_property_name
48
+ )
49
+ if sub_property_name.nil?
50
+ insecure_parameter?(cfn_model, resource.send(password_property)) ||
51
+ insecure_string_or_dynamic_reference?(
52
+ cfn_model, resource.send(password_property)
53
+ )
54
+ else
55
+ insecure_parameter?(
56
+ cfn_model, resource.send(password_property)[sub_property_name]
57
+ ) ||
58
+ insecure_string_or_dynamic_reference?(
59
+ cfn_model, resource.send(password_property)[sub_property_name]
60
+ )
61
+ end
62
+ end
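Review bot: `verify_parameter_exists` indexes `resource.send(password_property)[sub_property_name]` without first checking that the parent property is set, so an Amplify App that omits BasicAuthConfig would raise NoMethodError on nil and abort the audit instead of passing, assuming the accessor returns nil for an unset property as the removed `.nil?` check suggests. Guard the parent first, for example `config = resource.send(password_property)` followed by `config.nil? || config[sub_property_name].nil?`. The same lookup is repeated in `verify_insecure_string_and_parameter`, which would read more simply if it resolved the value once and passed it to both `insecure_*` helpers. The helper's name also reads inverted, since it returns true when the property is absent; a predicate such as `password_property_missing?` (name is only a suggestion) would match how `audit_impl` uses it. The PasswordBaseRule class opens above the hunk, so the `insecure_*` helpers and other callers are not visible here.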
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.28
4
+ version: 0.4.29
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-07-02 00:00:00.000000000 Z
11
+ date: 2019-07-05 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -170,6 +170,7 @@ files:
170
170
  - lib/cfn-nag/cfn_nag_logging.rb
171
171
  - lib/cfn-nag/cli_options.rb
172
172
  - lib/cfn-nag/custom_rule_loader.rb
173
+ - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
173
174
  - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
174
175
  - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
175
176
  - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb