github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/digitalocean/spaces/acl_no_public_read.go (about) 1 package spaces 2 3 import ( 4 "github.com/khulnasoft-lab/defsec/internal/rules" 5 "github.com/khulnasoft-lab/defsec/pkg/providers" 6 "github.com/khulnasoft-lab/defsec/pkg/scan" 7 "github.com/khulnasoft-lab/defsec/pkg/severity" 8 "github.com/khulnasoft-lab/defsec/pkg/state" 9 ) 10 11 var CheckAclNoPublicRead = rules.Register( 12 scan.Rule{ 13 AVDID: "AVD-DIG-0006", 14 Provider: providers.DigitalOceanProvider, 15 Service: "spaces", 16 ShortCode: "acl-no-public-read", 17 Summary: "Spaces bucket or bucket object has public read acl set", 18 Impact: "The contents of the space can be accessed publicly", 19 Resolution: "Apply a more restrictive ACL", 20 Explanation: `Space bucket and bucket object permissions should be set to deny public access unless explicitly required.`, 21 Links: []string{ 22 "https://docs.digitalocean.com/reference/api/spaces-api/#access-control-lists-acls", 23 }, 24 Terraform: &scan.EngineMetadata{ 25 GoodExamples: terraformAclNoPublicReadGoodExamples, 26 BadExamples: terraformAclNoPublicReadBadExamples, 27 Links: terraformAclNoPublicReadLinks, 28 RemediationMarkdown: terraformAclNoPublicReadRemediationMarkdown, 29 }, 30 Severity: severity.Critical, 31 }, 32 func(s *state.State) (results scan.Results) { 33 for _, bucket := range s.DigitalOcean.Spaces.Buckets { 34 if bucket.Metadata.IsUnmanaged() { 35 continue 36 } 37 if bucket.ACL.EqualTo("public-read") { 38 results.Add( 39 "Bucket is publicly exposed.", 40 bucket.ACL, 41 ) 42 } else { 43 results.AddPassed(&bucket) 44 } 45 46 for _, object := range bucket.Objects { 47 if object.ACL.EqualTo("public-read") { 48 results.Add( 49 "Object is publicly exposed.", 50 object.ACL, 51 ) 52 } else { 53 results.AddPassed(&object) 54 } 55 } 56 } 57 return 58 }, 59 )