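package elb

import (
	"strings"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elb"
	"github.com/khulnasoft-lab/defsec/pkg/scanners/cloudformation/parser"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// dropInvalidHeaderFieldsKey is the LoadBalancerAttributes key that makes an
// application load balancer reject requests with malformed (non RFC 7230)
// header names instead of forwarding them to targets. The adapted value feeds
// the rule that checks it, so a parsing miss here turns into a wrong finding.
const dropInvalidHeaderFieldsKey = "routing.http.drop_invalid_header_fields.enabled"

// getLoadBalancers adapts every AWS::ElasticLoadBalancingV2::LoadBalancer in
// the parsed template into the provider model, including the listeners that
// reference it. It returns nil when the template declares none.
func getLoadBalancers(ctx parser.FileContext) (loadbalancers []elb.LoadBalancer) {
	lbResources := ctx.GetResourcesByType("AWS::ElasticLoadBalancingV2::LoadBalancer")

	for _, r := range lbResources {
		loadbalancers = append(loadbalancers, elb.LoadBalancer{
			Metadata: r.Metadata(),
			// AWS creates an application load balancer when Type is omitted.
			Type: r.GetStringProperty("Type", "application"),
			// Only meaningful for application load balancers; for other
			// types the attribute is absent and the default (false) is kept.
			DropInvalidHeaderFields: checkForDropInvalidHeaders(r),
			Internal:                isInternal(r),
			Listeners:               getListeners(r, ctx),
		})
	}

	return loadbalancers
}

// getListeners returns the AWS::ElasticLoadBalancingV2::Listener resources in
// ctx whose LoadBalancerArn resolves to lbr's logical ID. Listeners that do
// not reference lbr are ignored; nil is returned when none match.
func getListeners(lbr *parser.Resource, ctx parser.FileContext) (listeners []elb.Listener) {
	listenerResources := ctx.GetResourcesByType("AWS::ElasticLoadBalancingV2::Listener")

	for _, r := range listenerResources {
		// Association is by logical ID, which is what a `!Ref` to the load
		// balancer resolves to. NOTE(review): a listener that names an
		// existing load balancer by literal ARN would not match here and
		// would be dropped silently — confirm that is the intended scope.
		if r.GetStringProperty("LoadBalancerArn").Value() != lbr.ID() {
			continue
		}

		listeners = append(listeners, elb.Listener{
			Metadata: r.Metadata(),
			// Protocol is required by CloudFormation; HTTP is assumed when it
			// is missing so the plaintext-listener rule still sees a value.
			Protocol: r.GetStringProperty("Protocol", "HTTP"),
			// Empty when the listener does not negotiate TLS (or omits the
			// policy); the TLS-policy rule treats "" as "not configured".
			TLSPolicy:      r.GetStringProperty("SslPolicy", ""),
			DefaultActions: getDefaultListenerActions(r),
		})
	}
	return listeners
}

// getDefaultListenerActions adapts the DefaultActions list of a listener,
// keeping only each action's Type (e.g. "forward", "redirect"). A missing or
// non-list DefaultActions yields nil.
func getDefaultListenerActions(r *parser.Resource) (actions []elb.Action) {
	defaultActionsProp := r.GetProperty("DefaultActions")
	if defaultActionsProp.IsNotList() {
		return actions
	}

	for _, action := range defaultActionsProp.AsList() {
		actions = append(actions, elb.Action{
			Metadata: action.Metadata(),
			Type:     action.GetProperty("Type").AsStringValue(),
		})
	}
	return actions
}

// isInternal reports whether the load balancer's Scheme is "internal"
// (case-insensitive). When Scheme is absent or not a plain string the
// default false is returned, matching AWS's internet-facing default.
func isInternal(r *parser.Resource) types.BoolValue {
	schemeProp := r.GetProperty("Scheme")
	if schemeProp.IsNotString() {
		return r.BoolDefault(false)
	}
	return types.Bool(schemeProp.EqualTo("internal", parser.IgnoreCase), schemeProp.Metadata())
}

// checkForDropInvalidHeaders extracts the value of the
// routing.http.drop_invalid_header_fields.enabled attribute from the load
// balancer's LoadBalancerAttributes list.
//
// The CloudFormation schema declares LoadBalancerAttribute.Value as a String,
// so JSON templates and quoted YAML values carry "true"/"false" rather than a
// boolean; both forms are accepted. Only a boolean or string value with the
// expected key is used — a missing list, a missing Key/Value, or an
// unresolved intrinsic leaves the default (false, attributed to the resource).
func checkForDropInvalidHeaders(r *parser.Resource) types.BoolValue {
	attributesProp := r.GetProperty("LoadBalancerAttributes")
	if attributesProp.IsNotList() {
		return r.BoolDefault(false)
	}

	for _, attr := range attributesProp.AsList() {
		if attr.IsNotMap() {
			continue
		}

		fields := attr.AsMap()
		keyProp, ok := fields["Key"]
		if !ok || keyProp.AsString() != dropInvalidHeaderFieldsKey {
			continue
		}

		val, ok := fields["Value"]
		if !ok {
			// Key without a Value cannot be evaluated; keep scanning in case
			// the attribute is declared again with a value.
			continue
		}

		if val.IsBool() {
			return val.AsBoolValue()
		}

		// Textual form ("true"/"false", any case, surrounding whitespace
		// tolerated). Ignoring it would report a hardened load balancer as
		// misconfigured, so it is attributed to the attribute's own line.
		if !val.IsNotString() {
			enabled := strings.EqualFold(strings.TrimSpace(val.AsString()), "true")
			return types.Bool(enabled, val.Metadata())
		}
	}

	return r.BoolDefault(false)
}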