RubyGems - cfn-nag - Versions diffs - 0.5.20 → 0.5.21 - Mend

cfn-nag 0.5.20 → 0.5.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb +8 -1
data/lib/cfn-nag/ip_addr.rb +8 -0
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb18fe6da93dfbb59608ad93490cda7ac41bd3038c1b615ac7fb288012902f2b
-  data.tar.gz: f984cff2742bc4bbc9df04a6ce6adade332e3072be80c9a6e321ae8ca7a32aea
+  metadata.gz: 436520273db336d85d897b216712e1ae2450052aaa5dce38b05c2237cca311f1
+  data.tar.gz: be159ca08040b1aa827defd70afd4447f198ae19e9e5d8dc51fa994d277d71ba
 SHA512:
-  metadata.gz: 1187bb3ab3160c721567f1e79b6a3fd840ad646046163f3ae2b38bd8178f1fbe089fabe990c5d9790a54b1f4cab4c9800e566ae8abb31256634fe0b6b4d745f9
-  data.tar.gz: efc2872b9319caab26f6d8cdddaec1e3b0352fc15979534209845f0981e51c3d1298f40c6e34184699bef654d6e731320e081680d5c7c5827ab615bdec434053
+  metadata.gz: 0fa0f3f0f8069eccc79324c73cf4aad48f5e6292fd8d5b1f287a458e00e927573f4319a61ca70ed0f65b424c36ed9f28341ec9db51c9a4f85370ccef88405cff
+  data.tar.gz: 31aa2b2d10f45f8d02bfa479858b70779f430b557ad8bd8b93953d249e1d214c10aa4dde34a209bc0b3a34ac907fbfb2600671eef109a1c059443281cfaf8584

data/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb CHANGED

@@ -1,9 +1,12 @@
 # frozen_string_literal: true
 require 'cfn-nag/violation'
+require 'cfn-nag/ip_addr'
 require_relative 'base'
 class SecurityGroupEgressAllProtocolsRule < BaseRule
+  include IpAddr
   def rule_text
     'Security Groups egress with an IpProtocol of -1 found'
   end
@@ -37,11 +40,15 @@ class SecurityGroupEgressAllProtocolsRule < BaseRule
   private
-  def violating_egress(egress)
+  def negative_1_protocol?(egress)
     if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
       egress.ipProtocol.to_i == -1
     else
       false
     end
   end
+  def violating_egress(egress)
+    negative_1_protocol?(egress) && !ip4_localhost?(egress) && !ip6_localhost?(egress)
+  end
 end

data/lib/cfn-nag/ip_addr.rb CHANGED

@@ -3,6 +3,14 @@
 require 'netaddr'
 module IpAddr
+  def ip4_localhost?(egress)
+    egress.cidrIp.is_a?(String) && egress.cidrIp == '127.0.0.1/32'
+  end
+  def ip6_localhost?(egress)
+    egress.cidrIpv6.is_a?(String) && egress.cidrIpv6 == '::1/128'
+  end
   def ip4_open?(ingress)
     # only care about literals.  if a Hash/Ref not going to chase it down
     # given likely a Parameter with external val

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.20
+  version: 0.5.21
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-04 00:00:00.000000000 Z
+date: 2020-03-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake