feat(sast): python Cdk policies batch 4 (#5857)

* 5 policies * 4 policies * fixes * fix * add combinations
bridgecrewio · Dec 13, 2023 · f6a44d5 · f6a44d5
1 parent 2fd352e
commit f6a44d5
Show file tree

Hide file tree

Showing 29 changed files with 832 additions and 1 deletion.
diff --git a/cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py b/cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py
@@ -0,0 +1,24 @@
+from aws_cdk import core
+from aws_cdk import aws_elasticloadbalancingv2 as elbv2
+
+class MyALBStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define ALB with Load Balancer Attributes
+        alb = elbv2.CfnLoadBalancer(
+            self, 'MyALB',
+            name='my-alb',
+            type='application',
+            load_balancer_attributes=[
+                {
+                    'key': 'routing.http.drop_invalid_header_fields.enabled',
+                    'value': 'false'
+                }
+            ]
+            # Other properties for your ALB
+        )
+
+app = core.App()
+MyALBStack(app, "MyALBStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py b/cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py
@@ -0,0 +1,24 @@
+from aws_cdk import core
+from aws_cdk import aws_elasticloadbalancingv2 as elbv2
+
+class MyALBStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define ALB with Load Balancer Attributes
+        alb = elbv2.CfnLoadBalancer(
+            self, 'MyALB',
+            name='my-alb',
+            type='application',
+            load_balancer_attributes=[
+                {
+                    'key': 'routing.http.drop_invalid_header_fields.enabled',
+                    'value': 'true'
+                }
+            ]
+            # Other properties for your ALB
+        )
+
+app = core.App()
+MyALBStack(app, "MyALBStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py b/cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py
@@ -0,0 +1,25 @@
+from aws_cdk import core
+from aws_cdk import aws_elasticloadbalancingv2 as elbv2
+
+class MyListenerStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define HTTPS Redirect Listener
+        listener = elbv2.CfnListener(
+            self, 'MyHTTPSRedirectListener',
+            load_balancer_arn='your-load-balancer-arn',  # Replace with your ALB ARN
+            protocol='HTTP',
+            port=80,
+            default_actions=[{
+                'type': 'abc',
+                'redirectConfig': {
+                    'protocol': 'HTTP',
+                }
+            }]
+            # Other properties for your Redirect Listener
+        )
+
+app = core.App()
+MyListenerStack(app, "MyListenerStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py b/cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py
@@ -0,0 +1,43 @@
+from aws_cdk import core
+from aws_cdk import aws_elasticloadbalancingv2 as elbv2
+
+class MyListenerStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define HTTPS Listener
+        listener = elbv2.CfnListener(
+            self, 'MyHTTPSListener',
+            load_balancer_arn='your-load-balancer-arn',  # Replace with your ALB ARN
+            protocol='HTTPS',
+            # Other properties for your Listener
+        )
+
+app = core.App()
+MyListenerStack(app, "MyListenerStack")
+app.synth()
+
+
+class MyListenerStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define HTTPS Redirect Listener
+        listener = elbv2.CfnListener(
+            self, 'MyHTTPSRedirectListener',
+            load_balancer_arn='your-load-balancer-arn',  # Replace with your ALB ARN
+            protocol='HTTP',
+            port=80,
+            default_actions=[{
+                'type': 'redirect',
+                'redirectConfig': {
+                    'protocol': 'HTTPS',
+                }
+            }]
+            # Other properties for your Redirect Listener
+        )
+
+app = core.App()
+MyListenerStack(app, "MyListenerStack")
+app.synth()
+
diff --git a/cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py b/cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py
@@ -0,0 +1,19 @@
+from aws_cdk import core
+from aws_cdk import aws_rds as rds
+
+class MyDBClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define RDS Aurora Serverless DB cluster
+        my_db_cluster = rds.CfnDBCluster(
+            self, 'MyDBCluster',
+            engine='aurora',  # Change this to your desired engine type
+            engine_mode='serverless',
+            storage_encrypted=False,
+            # Other properties for your DB cluster
+        )
+
+app = core.App()
+MyDBClusterStack(app, "MyDBClusterStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/AuroraEncryption/pass.py b/cdk_integration_tests/src/python/AuroraEncryption/pass.py
@@ -0,0 +1,19 @@
+from aws_cdk import core
+from aws_cdk import aws_rds as rds
+
+class MyDBClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define RDS Aurora Serverless DB cluster
+        my_db_cluster = rds.CfnDBCluster(
+            self, 'MyDBCluster',
+            engine='aurora',  # Change this to your desired engine type
+            engine_mode='serverless',
+            storage_encrypted=True,
+            # Other properties for your DB cluster
+        )
+
+app = core.App()
+MyDBClusterStack(app, "MyDBClusterStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py b/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py
@@ -0,0 +1,21 @@
+from aws_cdk import core
+from aws_cdk import aws_ecs as ecs
+
+class MyECSClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define ECS Cluster with Cluster Settings
+        cluster = ecs.CfnCluster(
+            self, 'MyECSCluster',
+            cluster_name='my-ecs-cluster',
+            cluster_settings=[{
+                'name': 'containerInsights',
+                'value': 'disabled'
+            }]
+            # Other properties for your ECS Cluster
+        )
+
+app = core.App()
+MyECSClusterStack(app, "MyECSClusterStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py b/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py
@@ -0,0 +1,21 @@
+from aws_cdk import core
+from aws_cdk import aws_ecs as ecs
+
+class MyECSClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define ECS Cluster with Cluster Settings
+        cluster = ecs.CfnCluster(
+            self, 'MyECSCluster',
+            cluster_name='my-ecs-cluster',
+            cluster_settings=[{
+                'name': 'containerInsights',
+                'value': 'enabled'
+            }]
+            # Other properties for your ECS Cluster
+        )
+
+app = core.App()
+MyECSClusterStack(app, "MyECSClusterStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py b/cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py
@@ -0,0 +1,20 @@
+from aws_cdk import core
+from aws_cdk import aws_eks as eks
+
+class MyEKSClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define EKS Cluster with Encryption Configuration
+        cluster = eks.CfnCluster(
+            self, 'MyEKSCluster',
+            name='my-eks-cluster',
+            encryption_config=[{
+                'resources': ['abc']
+            }]
+            # Other properties for your EKS Cluster
+        )
+
+app = core.App()
+MyEKSClusterStack(app, "MyEKSClusterStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py b/cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py
@@ -0,0 +1,20 @@
+from aws_cdk import core
+from aws_cdk import aws_eks as eks
+
+class MyEKSClusterStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define EKS Cluster with Encryption Configuration
+        cluster = eks.CfnCluster(
+            self, 'MyEKSCluster',
+            name='my-eks-cluster',
+            encryption_config=[{
+                'resources': ['secrets']
+            }]
+            # Other properties for your EKS Cluster
+        )
+
+app = core.App()
+MyEKSClusterStack(app, "MyEKSClusterStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py b/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py
@@ -0,0 +1,43 @@
+from aws_cdk import core
+from aws_cdk import aws_lambda as _lambda
+from aws_cdk import aws_sam as sam
+
+class MyLambdaFunctionStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define Lambda Function
+        my_lambda = _lambda.Function(
+            self, 'MyLambdaFunction',
+            runtime=_lambda.Runtime.PYTHON_3_8,
+            handler='index.handler',
+            code=_lambda.Code.from_asset('lambda'),  # Replace 'lambda' with your function code directory
+            environment={
+                'MY_VARIABLE': 'pass'
+            }
+        )
+
+app = core.App()
+MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
+app.synth()
+
+
+class MyServerlessFunctionStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define Serverless Lambda Function
+        my_lambda = sam.CfnFunction(
+            self, 'MyServerlessFunction',
+            code_uri='lambda/',  # Replace 'lambda/' with your function code directory
+            handler='index.handler',
+            runtime='python3.8',
+            environment={
+                'MY_VARIABLE': 'pass'
+            }
+            # Other properties for your Serverless Lambda Function
+        )
+
+app = core.App()
+MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py b/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py
@@ -0,0 +1,43 @@
+from aws_cdk import core
+from aws_cdk import aws_lambda as _lambda
+from aws_cdk import aws_sam as sam
+
+class MyLambdaFunctionStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define Lambda Function
+        my_lambda = _lambda.Function(
+            self, 'MyLambdaFunction',
+            runtime=_lambda.Runtime.PYTHON_3_8,
+            handler='index.handler',
+            code=_lambda.Code.from_asset('lambda'),  # Replace 'lambda' with your function code directory
+            environment={
+                'MY_VARIABLE': {'a':'b'}
+            }
+        )
+
+app = core.App()
+MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
+app.synth()
+
+
+class MyServerlessFunctionStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define Serverless Lambda Function
+        my_lambda = sam.CfnFunction(
+            self, 'MyServerlessFunction',
+            code_uri='lambda/',  # Replace 'lambda/' with your function code directory
+            handler='index.handler',
+            runtime='python3.8',
+            environment={
+                'MY_VARIABLE': {'a':'b'}
+            }
+            # Other properties for your Serverless Lambda Function
+        )
+
+app = core.App()
+MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
+app.synth()
diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py b/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py
@@ -0,0 +1,43 @@
+from aws_cdk import core
+from aws_cdk import aws_lambda as _lambda
+from aws_cdk import aws_sam as sam
+class MyLambdaFunctionStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define Lambda function
+        my_lambda_function = _lambda.Function(
+            self, 'MyLambdaFunction',
+            runtime=_lambda.Runtime.PYTHON_3_8,
+            handler='index.handler',
+            code=_lambda.Code.from_asset('path/to/your/function/code'),
+            environment={
+                'MY_VARIABLE_1': 'Value1',
+                'MY_VARIABLE_2': 'Value2'
+            },
+        )
+
+app = core.App()
+MyLambdaFunctionStack(app, "MyLambdaFunctionStack")
+app.synth()
+
+
+class MyServerlessFunctionStack(core.Stack):
+    def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+        super().__init__(scope, id, **kwargs)
+
+        # Define SAM Function
+        my_sam_function = sam.CfnFunction(
+            self, 'MySAMFunction',
+            handler='index.handler',
+            runtime='python3.8',
+            code_uri='./path/to/your/function/code',
+            environment={
+                'MY_VARIABLE_1': 'Value1',
+                'MY_VARIABLE_2': 'Value2'
+            },
+        )
+
+app = core.App()
+MyServerlessFunctionStack(app, "MyServerlessFunctionStack")
+app.synth()