cfn-nag 0.4.62 → 0.4.63
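--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f815bd0f4c95fc396806e61ad78339398dd99019b6208de8e94649750e3dec0e
+data.tar.gz: 7647413ad2e87e8d501fcd0d1f6280273ecd6f474a78ebdc46ea17f3478fa688
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 97c9ccee4d1a90673381de942a6f7f18475bbf38e135d58404c0db558a17cc283bedfe6b1def88b82a78cf34f2f9d1797183d3776b6de56ae104b1e95eb714bd
+data.tar.gz: dd930b363d88cb0acb7e3fbb399721cba200fdcd43debe4bd03bd132420790319048d52025ad5ff3f68fc865bbf751a601a34430e496bc69b2dd30b85a61615f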
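--- /dev/null
+++ b/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AlexaASKSkillAuthenticationConfigurationClientSecretRule < BaseRule
+def rule_text
+'Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be ' \
+'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F74'
+end
+
+def audit_impl(cfn_model)
+ask_skills = cfn_model.resources_by_type('Alexa::ASK::Skill')
+violating_skills = ask_skills.select do |skill|
+client_secret = skill.authenticationConfiguration['ClientSecret']
+if client_secret.nil?
+false
+else
+insecure_parameter?(cfn_model, client_secret) ||
+insecure_string_or_dynamic_reference?(cfn_model, client_secret)
+end
+end
+
+violating_skills.map(&:logical_resource_id)
+end
+end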
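Review bot: `skill.authenticationConfiguration['ClientSecret']` on line 25 of the new file indexes the property without first checking that it is present and is a mapping, so if cfn_model returns nil for an absent AuthenticationConfiguration (or a template supplies it as something other than a hash), `nil['ClientSecret']` raises NoMethodError and aborts the rule instead of yielding a clean non-violation; audit_impl has no rescue of its own, and whether the framework rescues around it is not visible here. A guard keeps the rule self-contained: `config = skill.authenticationConfiguration` / `next false unless config.is_a?(Hash)` / `client_secret = config['ClientSecret']`. With that in place the `if client_secret.nil? ... false ... else ... end` can collapse to `next false if client_secret.nil?` followed by the two predicate calls, which reads as the guard-clause style the rest of the block already leans toward. Worth a one-line comment above the select explaining that dynamic references (for example a secretsmanager resolve) are what the rule is steering authors toward, assuming that is what `insecure_string_or_dynamic_reference?` accepts — the helper is not in this hunk.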
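--- /dev/null
+++ b/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AlexaASKSkillAuthenticationConfigurationRefreshTokenRule < BaseRule
+def rule_text
+'Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be ' \
+'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F75'
+end
+
+def audit_impl(cfn_model)
+ask_skills = cfn_model.resources_by_type('Alexa::ASK::Skill')
+violating_skills = ask_skills.select do |skill|
+refresh_token = skill.authenticationConfiguration['RefreshToken']
+if refresh_token.nil?
+false
+else
+insecure_parameter?(cfn_model, refresh_token) ||
+insecure_string_or_dynamic_reference?(cfn_model, refresh_token)
+end
+end
+
+violating_skills.map(&:logical_resource_id)
+end
+end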
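Review bot: `skill.authenticationConfiguration['RefreshToken']` on line 25 of the new file has the same unguarded index as the sibling ClientSecret rule: if cfn_model yields nil for a skill whose AuthenticationConfiguration is missing or not a mapping, the `[]` call raises NoMethodError from inside the rule rather than returning no violation. The fix is the same three lines, `config = skill.authenticationConfiguration` / `next false unless config.is_a?(Hash)` / `refresh_token = config['RefreshToken']`, after which the `if ... nil? false else ... end` block can become `next false if refresh_token.nil?`. Since this class and the ClientSecret one differ only in the property key, rule id and rule text, a private helper on a shared parent (taking the key as an argument) would keep that guard, and any future change to the secret checks, in one place rather than two; that is a style point, not a correctness one.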
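--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.63
 platform: ruby
 authors:
 - Eric Kascic
@@ -156,6 +156,8 @@ files:
 - lib/cfn-nag/cfn_nag_logging.rb
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
+- lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb
+- lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb
 - lib/cfn-nag/custom_rules/AmazonMQBrokerEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb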