cfn-nag 0.4.57 → 0.4.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a9a17d342897195816d3ea2a6e2f4f450063e33adf770222c574027321462224
|
|
4
|
+
data.tar.gz: 6db70ef159bcf58c9931df62611642e214da28ab8f083e45b125c94319a4279e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 19091eedd5243b521b1a4bc939eba0648a33c91fe4e61d958d8dfa4cd629dd992b2a29d7548e01de84f5f82615bd818026adf0c28be48a5578a865b1023026a1
|
|
7
|
+
data.tar.gz: fb9f86df334d0ba05dcd5d9a0bef3c94ff6919fdc7a8e98af51b91504a8df19c38db2abf4518fd99b190570c1391be49e1e3c4069036c2f9f14a2eefd3e74544
|
|
@@ -20,7 +20,7 @@ class SubPropertyWithListPasswordBaseRule < BaseRule
|
|
|
20
20
|
resources = cfn_model.resources_by_type(resource_type)
|
|
21
21
|
|
|
22
22
|
violating_resources = resources.select do |resource|
|
|
23
|
-
|
|
23
|
+
resource_with_insecure_subproperty_within_list_property?(
|
|
24
24
|
cfn_model, resource, password_property, sub_property_name
|
|
25
25
|
)
|
|
26
26
|
end
|
|
@@ -30,19 +30,20 @@ class SubPropertyWithListPasswordBaseRule < BaseRule
|
|
|
30
30
|
|
|
31
31
|
private
|
|
32
32
|
|
|
33
|
-
|
|
33
|
+
##
|
|
34
|
+
# This method name is a mouthful. Consider a cfn resource with a property that is a list
|
|
35
|
+
# like OpsworkStack::RdsDbInstances. The elements of that list include a password property.
|
|
36
|
+
# This predicate goes looking for unsafe password values "down" in the elements of the list
|
|
37
|
+
#
|
|
38
|
+
def resource_with_insecure_subproperty_within_list_property?(
|
|
34
39
|
cfn_model, resource, password_property, sub_property_name
|
|
35
40
|
)
|
|
36
|
-
|
|
41
|
+
property_list = resource.send(password_property)
|
|
42
|
+
return false unless property_list
|
|
37
43
|
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
) || insecure_string_or_dynamic_reference?(
|
|
42
|
-
cfn_model, sub_property[sub_property_name]
|
|
43
|
-
)
|
|
44
|
+
property_list.find do |property_element|
|
|
45
|
+
sub_value = property_element[sub_property_name]
|
|
46
|
+
insecure_parameter?(cfn_model, sub_value) || insecure_string_or_dynamic_reference?(cfn_model, sub_value)
|
|
44
47
|
end
|
|
45
|
-
|
|
46
|
-
sub_property_checks_result
|
|
47
48
|
end
|
|
48
49
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.58
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-01-06 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -299,7 +299,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
299
299
|
version: '0'
|
|
300
300
|
requirements: []
|
|
301
301
|
rubyforge_project:
|
|
302
|
-
rubygems_version: 2.7.6
|
|
302
|
+
rubygems_version: 2.7.6.2
|
|
303
303
|
signing_key:
|
|
304
304
|
specification_version: 4
|
|
305
305
|
summary: cfn-nag
|