Skip to content

Commit

Permalink
feat(arm): add FunctionAppDisallowCORS - password correctness check (#…
Browse files Browse the repository at this point in the history 
…6248)

* add policy FunctionAppDisallowCORS

* Update FunctionAppDisallowCORS.py

* add policy FunctionAppDisallowCORS

* add policy FunctionAppDisallowCORS

* add policy FunctionAppDisallowCORS

* fix the lines of the code

* add commit RedisCacheEnableNonSSLPort

* fix RedisCacheEnableNonSSLPort

---------

Co-authored-by: ChanochShayner <[email protected]>
  • Loading branch information
@unu87 @ChanochShayner
unu87 and ChanochShayner authored May 19, 2024
1 parent c23932d commit 9b6feb1
Show file tree
Hide file tree
Showing 5 changed files with 284 additions and 0 deletions.
24 changes: 24 additions & 0 deletions checkov/arm/checks/resource/FunctionAppDisallowCORS.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
from typing import List, Any
from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck


class FunctionAppDisallowCORS(BaseResourceNegativeValueCheck):

def __init__(self) -> None:
name = "Ensure function apps are not accessible from all regions"
id = "CKV_AZURE_62"
supported_resources = ("Microsoft.Web/sites",)
categories = (CheckCategories.GENERAL_SECURITY,)
super().__init__(name=name, id=id, categories=categories,
supported_resources=supported_resources,
missing_block_result=CheckResult.PASSED)

def get_inspected_key(self) -> str:
return "properties/siteConfig/cors/allowedOrigins"

def get_forbidden_values(self) -> List[Any]:
return ["*"]


check = FunctionAppDisallowCORS()
81 changes: 81 additions & 0 deletions tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"siteName": {
"type": "string",
"metadata": {
"description": "The name of the Azure Web App."
}
},
"location": {
"type": "string",
"metadata": {
"description": "The Azure region where the resource should be deployed."
}
},
"sku": {
"type": "string",
"defaultValue": "Free",
"allowedValues": [
"Free",
"Shared",
"Basic",
"Standard",
"Premium"
],
"metadata": {
"description": "The pricing tier of the Azure Web App."
}
},
"appServicePlanName": {
"type": "string",
"metadata": {
"description": "The name of the App Service Plan to use."
}
}
},
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"name": "fail",
"location": "[parameters('location')]",
"properties": {
"name": "[parameters('siteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
"siteConfig": {
"appSettings": [
{
"name": "Setting1",
"value": "Value1"
},
{
"name": "Setting2",
"value": "Value2"
}
],
"metadata": [
{
"name": "Key1",
"value": "Value1"
},
{
"name": "Key2",
"value": "Value2"
}
],
"cors": {
"allowedOrigins": ["*"]
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
],
"sku": {
"name": "[parameters('sku')]"
}
}
]
}
56 changes: 56 additions & 0 deletions tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"siteName": {
"type": "string",
"metadata": {
"description": "The name of the Azure Web App."
}
},
"location": {
"type": "string",
"metadata": {
"description": "The Azure region where the resource should be deployed."
}
},
"sku": {
"type": "string",
"defaultValue": "Free",
"allowedValues": [
"Free",
"Shared",
"Basic",
"Standard",
"Premium"
],
"metadata": {
"description": "The pricing tier of the Azure Web App."
}
},
"appServicePlanName": {
"type": "string",
"metadata": {
"description": "The name of the App Service Plan to use."
}
}
},
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"name": "pass",
"location": "[parameters('location')]",
"properties": {
"name": "[parameters('siteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
],
"sku": {
"name": "[parameters('sku')]"
}
}
]
}
81 changes: 81 additions & 0 deletions tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"siteName": {
"type": "string",
"metadata": {
"description": "The name of the Azure Web App."
}
},
"location": {
"type": "string",
"metadata": {
"description": "The Azure region where the resource should be deployed."
}
},
"sku": {
"type": "string",
"defaultValue": "Free",
"allowedValues": [
"Free",
"Shared",
"Basic",
"Standard",
"Premium"
],
"metadata": {
"description": "The pricing tier of the Azure Web App."
}
},
"appServicePlanName": {
"type": "string",
"metadata": {
"description": "The name of the App Service Plan to use."
}
}
},
"resources": [
{
"type": "Microsoft.Web/sites",
"apiVersion": "2019-08-01",
"name": "pass_with_cors",
"location": "[parameters('location')]",
"properties": {
"name": "[parameters('siteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
"siteConfig": {
"appSettings": [
{
"name": "Setting1",
"value": "Value1"
},
{
"name": "Setting2",
"value": "Value2"
}
],
"metadata": [
{
"name": "Key1",
"value": "Value1"
},
{
"name": "Key2",
"value": "Value2"
}
],
"cors": {
"allowedOrigins": ["192.0.0.1"]
}
}
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
],
"sku": {
"name": "[parameters('sku')]"
}
}
]
}
42 changes: 42 additions & 0 deletions tests/arm/checks/resource/test_FunctionAppDisallowCORS.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
import unittest
from pathlib import Path

from checkov.arm.checks.resource.FunctionAppDisallowCORS import check
from checkov.arm.runner import Runner
from checkov.runner_filter import RunnerFilter


class TestFunctionAppDisallowCORS(unittest.TestCase):

def test_summery(self):
# given
test_files_dir = Path(__file__).parent / "example_FunctionAppDisallowCORS"

# when
report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))

# then
summary = report.get_summary()

passing_resources = {
"Microsoft.Web/sites.pass_with_cors",
"Microsoft.Web/sites.pass",
}

failing_resources = {
"Microsoft.Web/sites.fail",
}

passed_check_resources = {c.resource for c in report.passed_checks}
failed_check_resources = {c.resource for c in report.failed_checks}

self.assertEqual(summary["passed"], len(passing_resources))
self.assertEqual(summary["failed"], len(failing_resources))
self.assertEqual(summary["skipped"], 0)
self.assertEqual(summary["parsing_errors"], 0)

self.assertEqual(passing_resources, passed_check_resources)
self.assertEqual(failing_resources, failed_check_resources)

if __name__ == '__main__':
unittest.main()

0 comments on commit 9b6feb1

Please sign in to comment.