Merge pull request #14 from liamg/liamg-allow-http-redirects-to-https

Allow HTTP alb when redirecting to HTTPS
aquasecurity · Oct 30, 2019 · 3080712 · 3080712
2 parents 2bf4caf + d757375
commit 3080712
Show file tree

Hide file tree

Showing 30 changed files with 265 additions and 215 deletions.
diff --git a/cmd/tfsec/main.go b/cmd/tfsec/main.go
@@ -83,9 +83,6 @@ var rootCmd = &cobra.Command{
 
 // highlight the lines of code which caused a problem, if available
 func highlightCode(result checks.Result) {
-	if result.Range.NonSpecific {
-		return
-	}
 
 	data, err := ioutil.ReadFile(result.Range.Filename)
 	if err != nil {

diff --git a/internal/app/tfsec/aws_acl_test.go b/internal/app/tfsec/aws_acl_test.go
@@ -9,52 +9,51 @@ import (
 func Test_AWSACL(t *testing.T) {
 
 	var tests = []struct {
-		name               string
-		source             string
-		expectedResultCode checks.Code
+		name                  string
+		source                string
+		mustIncludeResultCode checks.Code
+		mustExcludeResultCode checks.Code
 	}{
 		{
 			name: "check aws_s3_bucket with acl=public-read",
 			source: `
 resource "aws_s3_bucket" "my-bucket" {
 	acl = "public-read"
-	logging = {}
+	logging {}
 }`,
-			expectedResultCode: checks.AWSBadBucketACL,
+			mustIncludeResultCode: checks.AWSBadBucketACL,
 		},
 		{
 			name: "check aws_s3_bucket with acl=public-read-write",
 			source: `
 resource "aws_s3_bucket" "my-bucket" {
 	acl = "public-read-write"
-	logging = {}
+	logging {}
 }`,
-			expectedResultCode: checks.AWSBadBucketACL,
+			mustIncludeResultCode: checks.AWSBadBucketACL,
 		},
 		{
 			name: "check aws_s3_bucket with acl=website",
 			source: `
 resource "aws_s3_bucket" "my-bucket" {
 	acl = "website"
-	logging = {}
 }`,
-			expectedResultCode: checks.AWSBadBucketACL,
+			mustIncludeResultCode: checks.AWSBadBucketACL,
 		},
 		{
 			name: "check aws_s3_bucket with acl=private",
 			source: `
 resource "aws_s3_bucket" "my-bucket" {
 	acl = "private"
-	logging = {}
 }`,
-			expectedResultCode: checks.None,
+			mustExcludeResultCode: checks.AWSBadBucketACL,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			results := scanSource(test.source)
-			assertCheckCodeExists(t, test.expectedResultCode, results)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
 		})
 	}
 

diff --git a/internal/app/tfsec/aws_bucket_logging_test.go b/internal/app/tfsec/aws_bucket_logging_test.go
@@ -9,34 +9,35 @@ import (
 func Test_AWSBucketLogging(t *testing.T) {
 
 	var tests = []struct {
-		name               string
-		source             string
-		expectedResultCode checks.Code
+		name                  string
+		source                string
+		mustIncludeResultCode checks.Code
+		mustExcludeResultCode checks.Code
 	}{
 		{
 			name: "check bucket with logging disabled",
 			source: `
 resource "aws_s3_bucket" "my-bucket" {
 	
 }`,
-			expectedResultCode: checks.AWSNoBucketLogging,
+			mustIncludeResultCode: checks.AWSNoBucketLogging,
 		},
 		{
 			name: "check bucket with logging enabled",
 			source: `
 resource "aws_s3_bucket" "my-bucket" {
-	logging = {
+	logging {
 		target_bucket = "target-bucket"
 	}
 }`,
-			expectedResultCode: checks.None,
+			mustExcludeResultCode: checks.AWSNoBucketLogging,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			results := scanSource(test.source)
-			assertCheckCodeExists(t, test.expectedResultCode, results)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
 		})
 	}
 

diff --git a/internal/app/tfsec/aws_classic_test.go b/internal/app/tfsec/aws_classic_test.go
@@ -9,36 +9,37 @@ import (
 func Test_AWSClassicUsage(t *testing.T) {
 
 	var tests = []struct {
-		name               string
-		source             string
-		expectedResultCode checks.Code
+		name                  string
+		source                string
+		mustIncludeResultCode checks.Code
+		mustExcludeResultCode checks.Code
 	}{
 		{
-			name:               "check aws_db_security_group",
-			source:             `resource "aws_db_security_group" "my-group" {}`,
-			expectedResultCode: checks.AWSClassicUsage,
+			name:                  "check aws_db_security_group",
+			source:                `resource "aws_db_security_group" "my-group" {}`,
+			mustIncludeResultCode: checks.AWSClassicUsage,
 		},
 		{
-			name:               "check aws_redshift_security_group",
-			source:             `resource "aws_redshift_security_group" "my-group" {}`,
-			expectedResultCode: checks.AWSClassicUsage,
+			name:                  "check aws_redshift_security_group",
+			source:                `resource "aws_redshift_security_group" "my-group" {}`,
+			mustIncludeResultCode: checks.AWSClassicUsage,
 		},
 		{
-			name:               "check aws_elasticache_security_group",
-			source:             `resource "aws_elasticache_security_group" "my-group" {}`,
-			expectedResultCode: checks.AWSClassicUsage,
+			name:                  "check aws_elasticache_security_group",
+			source:                `resource "aws_elasticache_security_group" "my-group" {}`,
+			mustIncludeResultCode: checks.AWSClassicUsage,
 		},
 		{
-			name:               "check for false positives",
-			source:             `resource "my_resource" "my-resource" {}`,
-			expectedResultCode: checks.None,
+			name:                  "check for false positives",
+			source:                `resource "my_resource" "my-resource" {}`,
+			mustExcludeResultCode: checks.AWSClassicUsage,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			results := scanSource(test.source)
-			assertCheckCodeExists(t, test.expectedResultCode, results)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
 		})
 	}
 

diff --git a/internal/app/tfsec/aws_http_test.go b/internal/app/tfsec/aws_http_test.go
@@ -9,39 +9,57 @@ import (
 func Test_AWSPlainHTTP(t *testing.T) {
 
 	var tests = []struct {
-		name               string
-		source             string
-		expectedResultCode checks.Code
+		name                  string
+		source                string
+		mustIncludeResultCode checks.Code
+		mustExcludeResultCode checks.Code
 	}{
 		{
 			name: "check aws_alb_listener using plain HTTP",
 			source: `
 resource "aws_alb_listener" "my-listener" {
 	protocol = "HTTP"
 }`,
-			expectedResultCode: checks.AWSPlainHTTP,
+			mustIncludeResultCode: checks.AWSPlainHTTP,
 		},
 		{
 			name: "check aws_alb_listener using plain HTTP (via non specification)",
 			source: `
 resource "aws_alb_listener" "my-listener" {
 }`,
-			expectedResultCode: checks.AWSPlainHTTP,
+			mustIncludeResultCode: checks.AWSPlainHTTP,
 		},
 		{
 			name: "check aws_alb_listener using HTTPS",
 			source: `
 resource "aws_alb_listener" "my-listener" {
 	protocol = "HTTPS"
 }`,
-			expectedResultCode: checks.None,
+			mustExcludeResultCode: checks.AWSPlainHTTP,
+		},
+		{
+			name: "check aws_alb_listener using HTTP as redirect to HTTPS",
+			source: `
+resource "aws_alb_listener" "my-listener" {
+	protocol = "HTTP"
+	default_action {
+		type = "redirect"
+
+		redirect {
+			port        = "443"
+			protocol    = "HTTPS"
+			status_code = "HTTP_301"
+		}
+	}
+}`,
+			mustExcludeResultCode: checks.AWSPlainHTTP,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			results := scanSource(test.source)
-			assertCheckCodeExists(t, test.expectedResultCode, results)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
 		})
 	}
 

diff --git a/internal/app/tfsec/aws_not_internal_test.go b/internal/app/tfsec/aws_not_internal_test.go
@@ -9,55 +9,56 @@ import (
 func Test_AWSNotInternal(t *testing.T) {
 
 	var tests = []struct {
-		name               string
-		source             string
-		expectedResultCode checks.Code
+		name                  string
+		source                string
+		mustIncludeResultCode checks.Code
+		mustExcludeResultCode checks.Code
 	}{
 		{
 			name: "check aws_alb when not internal",
 			source: `
 resource "aws_alb" "my-resource" {
 	internal = false
 }`,
-			expectedResultCode: checks.AWSExternallyExposedLoadBalancer,
+			mustIncludeResultCode: checks.AWSExternallyExposedLoadBalancer,
 		},
 		{
 			name: "check aws_elb when not internal",
 			source: `
 resource "aws_elb" "my-resource" {
 	internal = false
 }`,
-			expectedResultCode: checks.AWSExternallyExposedLoadBalancer,
+			mustIncludeResultCode: checks.AWSExternallyExposedLoadBalancer,
 		},
 		{
 			name: "check aws_lb when not internal",
 			source: `
 resource "aws_lb" "my-resource" {
 	internal = false
 }`,
-			expectedResultCode: checks.AWSExternallyExposedLoadBalancer,
+			mustIncludeResultCode: checks.AWSExternallyExposedLoadBalancer,
 		},
 		{
 			name: "check aws_lb when not explicitly marked as internal",
 			source: `
 resource "aws_lb" "my-resource" {
 }`,
-			expectedResultCode: checks.AWSExternallyExposedLoadBalancer,
+			mustIncludeResultCode: checks.AWSExternallyExposedLoadBalancer,
 		},
 		{
 			name: "check aws_lb when explicitly marked as internal",
 			source: `
 resource "aws_lb" "my-resource" {
 	internal = true
 }`,
-			expectedResultCode: checks.None,
+			mustExcludeResultCode: checks.AWSExternallyExposedLoadBalancer,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			results := scanSource(test.source)
-			assertCheckCodeExists(t, test.expectedResultCode, results)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
 		})
 	}
 

diff --git a/internal/app/tfsec/aws_open_security_group_rule_test.go b/internal/app/tfsec/aws_open_security_group_rule_test.go
@@ -9,9 +9,10 @@ import (
 func Test_AWSOpenSecurityGroupRule(t *testing.T) {
 
 	var tests = []struct {
-		name               string
-		source             string
-		expectedResultCode checks.Code
+		name                  string
+		source                string
+		mustIncludeResultCode checks.Code
+		mustExcludeResultCode checks.Code
 	}{
 		{
 			name: "check aws_security_group_rule ingress on 0.0.0.0/0",
@@ -20,7 +21,7 @@ resource "aws_security_group_rule" "my-rule" {
 	type = "ingress"
 	cidr_blocks = ["0.0.0.0/0"]
 }`,
-			expectedResultCode: checks.AWSOpenIngressSecurityGroupRule,
+			mustIncludeResultCode: checks.AWSOpenIngressSecurityGroupRule,
 		},
 		{
 			name: "check aws_security_group_rule egress on 0.0.0.0/0",
@@ -29,7 +30,7 @@ resource "aws_security_group_rule" "my-rule" {
 	type = "egress"
 	cidr_blocks = ["0.0.0.0/0"]
 }`,
-			expectedResultCode: checks.AWSOpenEgressSecurityGroupRule,
+			mustIncludeResultCode: checks.AWSOpenEgressSecurityGroupRule,
 		},
 		{
 			name: "check aws_security_group_rule egress on 0.0.0.0/0 in list",
@@ -38,7 +39,7 @@ resource "aws_security_group_rule" "my-rule" {
 	type = "egress"
 	cidr_blocks = ["10.0.0.0/16", "0.0.0.0/0"]
 }`,
-			expectedResultCode: checks.AWSOpenEgressSecurityGroupRule,
+			mustIncludeResultCode: checks.AWSOpenEgressSecurityGroupRule,
 		},
 		{
 			name: "check aws_security_group_rule egress on 10.0.0.0/16",
@@ -47,14 +48,14 @@ resource "aws_security_group_rule" "my-rule" {
 	type = "egress"
 	cidr_blocks = ["10.0.0.0/16"]
 }`,
-			expectedResultCode: checks.None,
+			mustExcludeResultCode: checks.AWSOpenEgressSecurityGroupRule,
 		},
 	}
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			results := scanSource(test.source)
-			assertCheckCodeExists(t, test.expectedResultCode, results)
+			assertCheckCode(t, test.mustIncludeResultCode, test.mustExcludeResultCode, results)
 		})
 	}