github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ssm/avoid_leaks_via_http.go (about) 1 package ssm 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/terraform" 9 ) 10 11 var AvoidLeaksViaHTTP = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-AWS-0134", 14 Provider: providers.AWSProvider, 15 Service: "ssm", 16 ShortCode: "avoid-leaks-via-http", 17 Summary: "Secrets should not be exfiltrated using Terraform HTTP data blocks", 18 Impact: "Secrets could be exposed outside of the organisation.", 19 Resolution: "Remove this potential exfiltration HTTP request.", 20 Explanation: `The data.http block can be used to send secret data outside of the organisation.`, 21 Links: []string{ 22 "https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformAvoidLeaksViaHTTPGoodExamples, 26 BadExamples: terraformAvoidLeaksViaHTTPBadExamples, 27 Links: terraformAvoidLeaksViaHTTPLinks, 28 RemediationMarkdown: terraformAvoidLeaksViaHTTPRemediationMarkdown, 29 }, 30 CustomChecks: scan.CustomChecks{ 31 Terraform: &scan.TerraformCustomCheck{ 32 RequiredTypes: []string{"data"}, 33 RequiredLabels: []string{"http"}, 34 Check: func(block *terraform.Block, module *terraform.Module) (results scan.Results) { 35 attr := block.GetAttribute("url") 36 if attr.IsNil() { 37 return 38 } 39 for _, ref := range attr.AllReferences() { 40 if ref.BlockType().Name() == "resource" && ref.TypeLabel() == "aws_ssm_parameter" { 41 results.Add("Potential exfiltration of secret value detected", block) 42 } 43 } 44 return 45 }, 46 }, 47 }, 48 Severity: severity.Critical, 49 }, 50 nil, 51 )