github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/nifcloud/dns/remove_verified_record.go (about)

     1  package dns
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/nifcloud/dns"
     5  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     6  
     7  	"github.com/khulnasoft-lab/defsec/pkg/state"
     8  
     9  	"github.com/khulnasoft-lab/defsec/pkg/scan"
    10  
    11  	"github.com/khulnasoft-lab/defsec/internal/rules"
    12  
    13  	"github.com/khulnasoft-lab/defsec/pkg/providers"
    14  )
    15  
// CheckRemoveVerifiedRecord registers rule AVD-NIF-0007 for the Nifcloud DNS
// service. It reports every DNS record of type TXT whose value starts with
// dns.ZoneRegistrationAuthTxt, and marks every other record as passed.
//
// Judging by the constant's name and the rule text, the flagged record is the
// TXT authentication record used when a zone is registered. The rule's
// explanation states that while it remains, anyone can register the zone,
// hence the Critical severity.
var CheckRemoveVerifiedRecord = rules.Register(
	scan.Rule{
		AVDID:      "AVD-NIF-0007",
		Provider:   providers.NifcloudProvider,
		Service:    "dns",
		ShortCode:  "remove-verified-record",
		Summary:    "Delete verified record",
		Impact:     "Risk of DNS records be used by others",
		Resolution: "Remove verified record",
		// NOTE(review): the first sentence below appears to be missing a verb
		// (probably "reduces the risk"); the published text is kept unchanged
		// because it is rule metadata surfaced to users.
		Explanation: `
Removing verified record of TXT auth the risk that 
If the authentication record remains, anyone can register the zone`,
		Links: []string{
			"https://pfs.nifcloud.com/guide/dns/zone_new.htm",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, rec := range s.Nifcloud.DNS.Records {
			// A record is a finding only when both conditions hold: it is a
			// TXT record and its value begins with the zone-registration
			// authentication prefix.
			// NOTE(review): case sensitivity of EqualTo/StartsWith is not
			// visible here; confirm a differently-cased value cannot slip by.
			leftover := rec.Type.EqualTo("TXT") && rec.Record.StartsWith(dns.ZoneRegistrationAuthTxt)

			// NOTE(review): &rec is the address of the loop variable. This is
			// only safe if Add/AddPassed read the source during the call and
			// do not retain the pointer (before Go 1.22 the variable is shared
			// across iterations); confirm.
			if !leftover {
				results.AddPassed(&rec)
				continue
			}
			results.Add("Authentication TXT record exists.", &rec)
		}
		return results
	},
)