Skip to content

Commit

Permalink
SAAS-20313/Front-Door-Request-Body-Inspection
Browse files Browse the repository at this point in the history
  • Loading branch information
@alphadev4
alphadev4 committed Nov 22, 2023
1 parent e107f72 commit a6cf437
Show file tree
Hide file tree
Showing 3 changed files with 188 additions and 1 deletion.
4 changes: 3 additions & 1 deletion exports.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -989,7 +989,9 @@ module.exports = {
'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),

'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js')
'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'),

},
github: {
'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),
Expand Down
58 changes: 58 additions & 0 deletions plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
const async = require('async');
const helpers = require('../../../helpers/azure');

module.exports = {
title: 'Front Door Request Body Inspection',
category: 'Front Door',
domain: 'Content Delivery',
description: 'Ensures that request body inspection is enabled for Azure Front Door premium WAF policy.',
more_info: 'Web Application Firewalls associated to Azure Front Doors premium that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
recommended_action: 'Ensure that request body inspection in policy settings for Azure Front Door WAF policy is enabled.',
link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
apis: ['afdWafPolicies:listAll'],

run: function(cache, settings, callback) {
const results = [];
const source = {};
const locations = helpers.locations(settings.govcloud);

async.each(locations.afdWafPolicies, (location, rcb) => {

var afdWafPolicies = helpers.addSource(cache, source,
['afdWafPolicies', 'listAll', location]);

if (!afdWafPolicies) return rcb();

if (afdWafPolicies.err || !afdWafPolicies.data) {
helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location);
return rcb();
}
if (!afdWafPolicies.data.length) {
helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
return rcb();
}

var frontDoorWafPolicies = false;
for (let policy of afdWafPolicies.data) {
if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue;

frontDoorWafPolicies = true;
if (policy.policySettings &&
policy.policySettings.requestBodyCheck &&
policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') {
helpers.addResult(results, 0, 'Front Door WAF policy has request body inspection enabled', location, policy.id);
} else {
helpers.addResult(results, 2, 'Front Door WAF policy does not have request body inspection enabled', location, policy.id);
}
}

if (!frontDoorWafPolicies) {
helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
}

rcb();
}, function() {
callback(null, results, source);
});
}
};
127 changes: 127 additions & 0 deletions plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
var expect = require('chai').expect;
var frontDoorRequestBodyInspection = require('./frontDoorRequestBodyInspection.js');

const afdWafPolicies = [
{
"id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"name": "testpolicy2",
"sku": {
"name": "Premium_AzureFrontDoor"
},
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": null,
"customBlockResponseStatusCode": 403,
"customBlockResponseBody": null,
"requestBodyCheck": "Disabled"
},
},
{
"id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"name": "testpolicy1",
"sku": {
"name": "Premium_AzureFrontDoor"
},
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": null,
"customBlockResponseStatusCode": 403,
"customBlockResponseBody": null,
"requestBodyCheck": "Enabled"
},

},
{
"id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
"type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
"name": "testpolicy1",
"sku": {
"name": "classic"
},
"policySettings": {
"enabledState": "Enabled",
"mode": "Prevention",
"redirectUrl": null,
"customBlockResponseStatusCode": 403,
"customBlockResponseBody": null,
"requestBodyCheck": "Enabled"
},

},
];

const createCache = (afdWafPolicies) => {
return {
afdWafPolicies: {
listAll: {
'global': {
data: afdWafPolicies
}
}
}
};
};

const createErrorCache = () => {
return {
afdWafPolicies: {
listAll: {
'global': {
err: 'Unable to query'
}
}
}
};
};
describe('frontDoorRequestBodyInspection', function () {
describe('run', function () {

it('should give pass result if request body inspection is enabled for front door waf policy', function (done) {
const cache = createCache([afdWafPolicies[1]]);
frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('Front Door WAF policy has request body inspection enabled');
expect(results[0].region).to.equal('global');
done();
});
});

it('should give pass result if no existing front door waf policy found', function (done) {
const cache = createCache([afdWafPolicies[2]]);
frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(0);
expect(results[0].message).to.include('No existing Front Door WAF policies found');
expect(results[0].region).to.equal('global');
done();
});
});

it('should give fail result if request body inspection is not enabled for front door waf policy', function (done) {
const cache = createCache([afdWafPolicies[0]]);
frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(2);
expect(results[0].message).to.include('Front Door WAF policy does not have request body inspection enabled');
expect(results[0].region).to.equal('global');
done();
});
});

it('should give unknown result if unable to query for front door WAF policies', function (done) {
const cache = createErrorCache();
frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
expect(results.length).to.equal(1);
expect(results[0].status).to.equal(3);
expect(results[0].message).to.include('Unable to query for Front Door WAF policies:');
expect(results[0].region).to.equal('global');
done();
});
});
});
});

0 comments on commit a6cf437

Please sign in to comment.