cfn-nag 0.5.20 → 0.5.21

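--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: bb18fe6da93dfbb59608ad93490cda7ac41bd3038c1b615ac7fb288012902f2b
-data.tar.gz: f984cff2742bc4bbc9df04a6ce6adade332e3072be80c9a6e321ae8ca7a32aea
+metadata.gz: 436520273db336d85d897b216712e1ae2450052aaa5dce38b05c2237cca311f1
+data.tar.gz: be159ca08040b1aa827defd70afd4447f198ae19e9e5d8dc51fa994d277d71ba
 SHA512:
-metadata.gz: 1187bb3ab3160c721567f1e79b6a3fd840ad646046163f3ae2b38bd8178f1fbe089fabe990c5d9790a54b1f4cab4c9800e566ae8abb31256634fe0b6b4d745f9
-data.tar.gz: efc2872b9319caab26f6d8cdddaec1e3b0352fc15979534209845f0981e51c3d1298f40c6e34184699bef654d6e731320e081680d5c7c5827ab615bdec434053
+metadata.gz: 0fa0f3f0f8069eccc79324c73cf4aad48f5e6292fd8d5b1f287a458e00e927573f4319a61ca70ed0f65b424c36ed9f28341ec9db51c9a4f85370ccef88405cff
+data.tar.gz: 31aa2b2d10f45f8d02bfa479858b70779f430b557ad8bd8b93953d249e1d214c10aa4dde34a209bc0b3a34ac907fbfb2600671eef109a1c059443281cfaf8584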
@@ -1,9 +1,12 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
+ require 'cfn-nag/ip_addr'
4
5
  require_relative 'base'
5
6
 
6
7
  class SecurityGroupEgressAllProtocolsRule < BaseRule
8
+ include IpAddr
9
+
7
10
  def rule_text
8
11
  'Security Groups egress with an IpProtocol of -1 found'
9
12
  end
@@ -37,11 +40,15 @@ class SecurityGroupEgressAllProtocolsRule < BaseRule
37
40
 
38
41
  private
39
42
 
40
- def violating_egress(egress)
43
+ def negative_1_protocol?(egress)
41
44
  if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
42
45
  egress.ipProtocol.to_i == -1
43
46
  else
44
47
  false
45
48
  end
46
49
  end
50
+
51
+ def violating_egress(egress)
52
+ negative_1_protocol?(egress) && !ip4_localhost?(egress) && !ip6_localhost?(egress)
53
+ end
47
54
  end
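Review bot: The new `violating_egress` at the bottom of the hunk exempts IpProtocol -1 egress whose cidrIp is exactly '127.0.0.1/32' or cidrIpv6 exactly '::1/128', but nothing says why loopback-only egress is not a violation, and `rule_text` in the first hunk still reads as an unconditional check. This looks like the CloudFormation idiom of replacing the default allow-all egress with a rule to loopback so that nothing can actually leave the instance; if that is the intent, add a why-comment above the method, e.g. `# A -1 egress whose only destination is loopback (127.0.0.1/32 or ::1/128) cannot reach anything off-host; it is the usual way to neutralise the default allow-all egress, so it is not reported.` Note the exemption is literal-only: a Ref/Parameter, 127.0.0.0/8 or any other spelling still yields a finding, which is the conservative direction, and that is worth stating too. The class header is in the previous hunk.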
@@ -3,6 +3,14 @@
3
3
  require 'netaddr'
4
4
 
5
5
  module IpAddr
6
+ def ip4_localhost?(egress)
7
+ egress.cidrIp.is_a?(String) && egress.cidrIp == '127.0.0.1/32'
8
+ end
9
+
10
+ def ip6_localhost?(egress)
11
+ egress.cidrIpv6.is_a?(String) && egress.cidrIpv6 == '::1/128'
12
+ end
13
+
6
14
  def ip4_open?(ingress)
7
15
  # only care about literals. if a Hash/Ref not going to chase it down
8
16
  # given likely a Parameter with external val
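Review bot: `ip4_localhost?` and `ip6_localhost?` (lines 6-12 of the hunk) carry no comment, and since they feed an exemption in the egress rule a maintainer should know the match is deliberately a byte-exact literal: '127.0.0.1/32' and '::1/128' only, not 127.0.0.0/8, not '0:0:0:0:0:0:0:1/128', and not a Ref or Parameter. That is the safe direction (an unrecognised spelling produces a finding rather than a silent pass), so I would keep the exact comparison rather than canonicalise through netaddr, and document it: `# Exact literal match only: any other spelling, a wider range or a Ref falls through and the caller's rule still fires.` The `is_a?(String)` guards are redundant next to `==` against a String literal (a Hash or nil never compares equal), but they mirror the literal-only convention of `ip4_open?` below, whose body continues past the hunk.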
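--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.5.20
+version: 0.5.21
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-04 00:00:00.000000000 Z
+date: 2020-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake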