cfn-nag 0.5.20 → 0.5.21
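--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 436520273db336d85d897b216712e1ae2450052aaa5dce38b05c2237cca311f1
+data.tar.gz: be159ca08040b1aa827defd70afd4447f198ae19e9e5d8dc51fa994d277d71ba
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0fa0f3f0f8069eccc79324c73cf4aad48f5e6292fd8d5b1f287a458e00e927573f4319a61ca70ed0f65b424c36ed9f28341ec9db51c9a4f85370ccef88405cff
+data.tar.gz: 31aa2b2d10f45f8d02bfa479858b70779f430b557ad8bd8b93953d249e1d214c10aa4dde34a209bc0b3a34ac907fbfb2600671eef109a1c059443281cfaf8584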
@@ -1,9 +1,12 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'cfn-nag/violation'
|
4
|
+
require 'cfn-nag/ip_addr'
|
4
5
|
require_relative 'base'
|
5
6
|
|
6
7
|
class SecurityGroupEgressAllProtocolsRule < BaseRule
|
8
|
+
include IpAddr
|
9
|
+
|
7
10
|
def rule_text
|
8
11
|
'Security Groups egress with an IpProtocol of -1 found'
|
9
12
|
end
|
@@ -37,11 +40,15 @@ class SecurityGroupEgressAllProtocolsRule < BaseRule
|
|
37
40
|
|
38
41
|
private
|
39
42
|
|
40
|
-
def
|
43
|
+
def negative_1_protocol?(egress)
|
41
44
|
if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
|
42
45
|
egress.ipProtocol.to_i == -1
|
43
46
|
else
|
44
47
|
false
|
45
48
|
end
|
46
49
|
end
|
50
|
+
|
51
|
+
def violating_egress(egress)
|
52
|
+
negative_1_protocol?(egress) && !ip4_localhost?(egress) && !ip6_localhost?(egress)
|
53
|
+
end
|
47
54
|
end
|
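Review bot: `violating_egress` at new line 51 returns a boolean but lacks the `?` suffix that the neighbouring `negative_1_protocol?`, `ip4_localhost?` and `ip6_localhost?` predicates carry; renaming it `violating_egress?` (and its caller, which sits outside this hunk in the unshown lines 10–39) keeps the class consistent with the file's own convention. The method also deserves a one-line comment stating why loopback destinations are exempt, since the hunk gives no reason for it, e.g. `# an all-protocols egress to the loopback address is treated as a deliberate "no egress" rule rather than a finding` (hedged: that appears to be the intent, but confirm with the rule's author). Note that `ip4_localhost?`/`ip6_localhost?` compare the CIDR literal as an exact string, so an egress whose destination is a `Ref`/`Fn::` hash or a loopback range written any other way is still reported as a violation; that matches the module's literal-only approach, but the comment should say so. The file header for this section is missing from the page, so the path is not shown here.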
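--- a/data/lib/cfn-nag/ip_addr.rb
+++ b/data/lib/cfn-nag/ip_addr.rb
@@ -3,6 +3,14 @@
 require 'netaddr'
 
 module IpAddr
+def ip4_localhost?(egress)
+egress.cidrIp.is_a?(String) && egress.cidrIp == '127.0.0.1/32'
+end
+
+def ip6_localhost?(egress)
+egress.cidrIpv6.is_a?(String) && egress.cidrIpv6 == '::1/128'
+end
+
 def ip4_open?(ingress)
 # only care about literals. if a Hash/Ref not going to chase it down
 # given likely a Parameter with external val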
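Review bot: `ip4_localhost?` and `ip6_localhost?` at new lines 6–12 return false for anything other than the exact literals `'127.0.0.1/32'` and `'::1/128'` — a `Ref`/`Fn::` hash, or the loopback range written differently — yet unlike `ip4_open?` directly below them they carry no comment saying so. Suggest mirroring that method's note above each predicate, e.g. `# exact literal match only: a Hash/Ref or a differently written loopback range is not treated as localhost`. The `is_a?(String)` guard is redundant for ordinary values because `==` against a String literal is already false for nil or a Hash, so if it is kept the comment should make the literal-only intent explicit rather than leave the guard looking like the reason. The parameter is named `egress` while the rest of the module uses `ingress`; a YARD `# @param egress [#cidrIp, #cidrIpv6]` line would make clear that only those readers are required.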
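--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.21
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-
+date: 2020-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake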