RubyGems - cfn-nag - Versions diffs - 0.5.35 → 0.5.36 - Mend

cfn-nag 0.5.35 → 0.5.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb +51 -0
data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb +59 -0
data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb +71 -0
metadata +7 -4

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e5338b162d25636bc602f0161527f9394c760e2dab622191e94f340756d351b
-  data.tar.gz: 3f6f6d92d96c2e18425e59c83627de39bce7e6e647f928339f127dea6e704c86
+  metadata.gz: 119f2cf6f8a066fa49f8989b468b04543ffeab2a75f59e65da7af19675f1fd6e
+  data.tar.gz: f3728a32066dc37441a033e37e15975249c68f5767fd4a4cbc45db60f318b41a
 SHA512:
-  metadata.gz: f968043cdf5b3e02672fda69ceb9fed7d743cb4f1d7f6b3a0a2a283b251a9e3402e27afb3bc6f8f2b7ebab55ea74af939196b18de6e1cd24603f60dec2cee969
-  data.tar.gz: f317896d07e97ec51b24ad9550e629216768c30a1d3b1d9107614f7eb23ff02f5f8b577c62c8d855e0fcbe83816d9debbf6c39202c51a1659e3dccd0bfb1ba6c
+  metadata.gz: a1dcbe870ebd0c978c2a1173d0f1252f45c5121c51c557686ffd58b92d9d7dda8fa1900d2a1f744d844aa819acafe8db0e87453928354042c7d6d7441bbcdb9a
+  data.tar.gz: 0b5acc1571328b6497bed2e4f52295d4404a0dc26649b7b05efb78a7e674e177707991eb676d694f2f7e3ee5c3a460ea1dcbf3c2f8ca901f4fbd4ab40c3a2589

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb ADDED

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class EC2NetworkAclEntryDuplicateRule < BaseRule
+  def rule_text
+    'A NetworkACL\'s rule numbers cannot be repeated unless one is egress and one is ingress.'
+  end
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+  def rule_id
+    'F79'
+  end
+  def audit_impl(cfn_model)
+    violating_nacl_entries = []
+    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+      violating_nacl_entries += violating_nacl_entries(nacl)
+    end
+    violating_nacl_entries.map(&:logical_resource_id)
+  end
+  private
+  def duplicate_rule_numbers(nacl_entries)
+    nacl_entries.group_by(&:ruleNumber).select { |_, entries| entries.size > 1 }.map { |_, entries| entries }.flatten
+  end
+  def egress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      truthy?(nacl_entry.egress)
+    end
+  end
+  def ingress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      not_truthy?(nacl_entry.egress)
+    end
+  end
+  def violating_nacl_entries(nacl)
+    duplicate_rule_numbers(egress(nacl.network_acl_entries)) +
+      duplicate_rule_numbers(ingress(nacl.network_acl_entries))
+  end
+end

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb ADDED

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class EC2NetworkAclEntryIneffectiveDenyRule < BaseRule
+  def rule_text
+    'NetworkACL Entry Deny rules should affect all CIDR ranges.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W71'
+  end
+  def audit_impl(cfn_model)
+    violating_nacl_entries = []
+    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+      violating_nacl_entries += violating_nacl_entries(nacl)
+    end
+    violating_nacl_entries.map(&:logical_resource_id)
+  end
+  private
+  def deny_does_not_cover_all_cidrs(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      nacl_entry.ruleAction == 'deny' && not_all_cidrs_covered?(nacl_entry)
+    end
+  end
+  def not_all_cidrs_covered?(nacl_entry)
+    (!nacl_entry.cidrBlock.nil? &&
+      nacl_entry.cidrBlock != '0.0.0.0/0') ||
+      (!nacl_entry.ipv6CidrBlock.nil? && nacl_entry.ipv6CidrBlock != '::/0')
+  end
+  def egress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      truthy?(nacl_entry.egress)
+    end
+  end
+  def ingress(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      not_truthy?(nacl_entry.egress)
+    end
+  end
+  def violating_nacl_entries(nacl)
+    deny_does_not_cover_all_cidrs(egress(nacl.network_acl_entries)) +
+      deny_does_not_cover_all_cidrs(ingress(nacl.network_acl_entries))
+  end
+end

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb ADDED

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class EC2NetworkAclEntryOverlappingPortsRule < BaseRule
+  def rule_text
+    'NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W72'
+  end
+  def audit_impl(cfn_model)
+    violating_nacl_entries = []
+    cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl|
+      violating_nacl_entries += violating_nacl_entries(nacl)
+    end
+    violating_nacl_entries.map(&:logical_resource_id)
+  end
+  private
+  def overlapping_port_entries(nacl_entries)
+    unique_pairs(nacl_entries).select do |nacl_entry_pair|
+      overlap?(nacl_entry_pair[0], nacl_entry_pair[1])
+    end
+  end
+  def unique_pairs(arr)
+    pairs_without_dupes = arr.product(arr).select { |pair| pair[0] != pair[1] }
+    pairs_without_dupes.reduce(Set.new) { |set_of_sets, pair| set_of_sets << Set.new(pair) }.to_a.map(&:to_a)
+  end
+  def overlap?(entry1, entry2)
+    roverlap?(entry1, entry2) || loverlap?(entry1, entry2)
+  end
+  def roverlap?(entry1, entry2)
+    entry1.portRange['From'].between?(entry2.portRange['From'], entry2.portRange['To']) ||
+      entry1.portRange['To'].between?(entry2.portRange['From'], entry2.portRange['To'])
+  end
+  def loverlap?(entry1, entry2)
+    entry2.portRange['From'].between?(entry1.portRange['From'], entry1.portRange['To']) ||
+      entry2.portRange['To'].between?(entry1.portRange['From'], entry1.portRange['To'])
+  end
+  def egress_entries(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      truthy?(nacl_entry.egress)
+    end
+  end
+  def ingress_entries(nacl_entries)
+    nacl_entries.select do |nacl_entry|
+      not_truthy?(nacl_entry.egress)
+    end
+  end
+  def violating_nacl_entries(nacl)
+    overlapping_port_entries(egress_entries(nacl.network_acl_entries)).flatten.uniq &&
+      overlapping_port_entries(ingress_entries(nacl.network_acl_entries)).flatten.uniq
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.35
+  version: 0.5.36
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-15 00:00:00.000000000 Z
+date: 2020-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.26
+        version: 0.4.28
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.4.26
+        version: 0.4.28
 - !ruby/object:Gem::Dependency
   name: logging
   requirement: !ruby/object:Gem::Requirement
@@ -201,6 +201,9 @@ files:
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb