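package elb

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elb"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckDropInvalidHeaders is the AVD-AWS-0052 rule: every application load
// balancer in the scanned state must have drop_invalid_header_fields enabled.
//
// A finding is raised only when DropInvalidHeaderFields resolves to an
// explicit false; any other value is recorded as a pass. Load balancers that
// are not of type "application", or whose metadata reports them as unmanaged,
// are skipped entirely and produce neither a failure nor a pass.
var CheckDropInvalidHeaders = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0052",
		Provider:    providers.AWSProvider,
		Service:     "elb",
		ShortCode:   "drop-invalid-headers",
		Summary:     "Load balancers should drop invalid headers",
		Impact:      "Invalid headers being passed through to the target of the load balance may exploit vulnerabilities",
		Resolution:  "Set drop_invalid_header_fields to true",
		Explanation: `Passing unknown or invalid headers through to the target poses a potential risk of compromise. 

By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.`,
		Links: []string{
			"https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformDropInvalidHeadersGoodExamples,
			BadExamples:         terraformDropInvalidHeadersBadExamples,
			Links:               terraformDropInvalidHeadersLinks,
			RemediationMarkdown: terraformDropInvalidHeadersRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// check walks s.AWS.ELB.LoadBalancers and appends one result per
	// application load balancer that is in scope.
	func(s *state.State) (results scan.Results) {
		for _, lb := range s.AWS.ELB.LoadBalancers {
			// drop_invalid_header_fields only applies to application load
			// balancers; the original also tested IsUnmanaged twice, which
			// is collapsed to a single check here.
			if lb.Metadata.IsUnmanaged() || !lb.Type.EqualTo(elb.TypeApplication) {
				continue
			}
			if lb.DropInvalidHeaderFields.IsFalse() {
				results.Add(
					"Application load balancer is not set to drop invalid headers.",
					lb.DropInvalidHeaderFields,
				)
			} else {
				// NOTE(review): &lb is the address of the range variable; this
				// is only safe if AddPassed does not retain the pointer — confirm.
				results.AddPassed(&lb)
			}
		}
		return
	},
)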