diff --git a/exports.js b/exports.js
index 84306c47bc..86e6a6c7a0 100644
--- a/exports.js
+++ b/exports.js
@@ -992,6 +992,7 @@ module.exports = {
 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
+ 'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'),
 'frontDoorWafEnabled' : require(__dirname + '/plugins/azure/frontdoor/frontDoorWafEnabled.js'),
 'frontDoorHttpsOnly' : require(__dirname + '/plugins/azure/frontdoor/frontDoorHttpsOnly.js'),
 'botProtectionEnabled' : require(__dirname + '/plugins/azure/frontdoor/botProtectionEnabled.js'),
diff --git a/helpers/azure/api.js b/helpers/azure/api.js
index 188f8ff1c7..fb22b58901 100644
--- a/helpers/azure/api.js
+++ b/helpers/azure/api.js
@@ -945,6 +945,7 @@ var postcalls = { } } + }; var tertiarycalls = {
diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js
index 7ccb206469..b1e8440193 100644
--- a/helpers/azure/locations.js
+++ b/helpers/azure/locations.js
@@ -122,4 +122,5 @@ module.exports = {
 serviceBus: locations,
 classicFrontDoors: ['global'],
 afdWafPolicies: ['global']
+
 };
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
new file mode 100644
index 0000000000..bd733bce74
--- /dev/null
+++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
@@ -0,0 +1,52 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Front Door Request Body Inspection',
+ category: 'Front Door',
+ domain: 'Content Delivery',
+ description: 'Ensures that request body inspection is enabled for Azure Front Door WAF policy.',
+ more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled allow to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
+ recommended_action: 'Modify Front Door WAF policy and enable request body inspection in policy settings.',
+ link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
+ apis: ['afdWafPolicies:listAll'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.afdWafPolicies, (location, rcb) => {
+
+ var afdWafPolicies = helpers.addSource(cache, source,
+ ['afdWafPolicies', 'listAll', location]);
+
+ if (!afdWafPolicies) return rcb();
+
+ if (afdWafPolicies.err || !afdWafPolicies.data) {
+ helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location);
+ return rcb();
+ }
+ if (!afdWafPolicies.data.length) {
+ helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
+ return rcb();
+ }
+
+ for (let policy of afdWafPolicies.data) {
+ if (!policy.id) continue;
+
+ if (policy.policySettings &&
+ policy.policySettings.requestBodyCheck &&
+ policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') {
+ helpers.addResult(results, 0, 'Front Door WAF policy has request body inspection enabled', location, policy.id);
+ } else {
+ helpers.addResult(results, 2, 'Front Door WAF policy does not have request body inspection enabled', location, policy.id);
+ }
+ }
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
new file mode 100644
index 0000000000..d6f2adcf1c
--- /dev/null
+++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
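Review bot: The pass condition on the `policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled'` line uses loose equality and assumes `requestBodyCheck` is always a string; any truthy non-string value would most likely throw on `.toLowerCase()` inside the `async.each` callback rather than yield a result, so `typeof policy.policySettings.requestBodyCheck === 'string' && policy.policySettings.requestBodyCheck.toLowerCase() === 'enabled'` is the safer form with the same pass set. The `link` points at the Application Gateway article (`/ag/application-gateway-waf-request-size-limits`) even though the plugin is about Front Door WAF policies, which will confuse readers following the recommendation. Neither `policySettings.enabledState` nor `mode` is consulted, so a policy that is disabled or in detection mode still reports PASS here; that is presumably left to `frontDoorWafEnabled`, but a sentence saying so in `more_info` would make the scope of this check explicit.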
@@ -0,0 +1,127 @@
+var expect = require('chai').expect;
+var frontDoorRequestBodyInspection = require('./frontDoorRequestBodyInspection.js');
+
+const afdWafPolicies = [
+ {
+ "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+ "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+ "name": "testpolicy2",
+ "sku": {
+ "name": "Premium_AzureFrontDoor"
+ },
+ "policySettings": {
+ "enabledState": "Enabled",
+ "mode": "Prevention",
+ "redirectUrl": null,
+ "customBlockResponseStatusCode": 403,
+ "customBlockResponseBody": null,
+ "requestBodyCheck": "Disabled"
+ },
+ },
+ {
+ "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+ "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+ "name": "testpolicy1",
+ "sku": {
+ "name": "Premium_AzureFrontDoor"
+ },
+ "policySettings": {
+ "enabledState": "Enabled",
+ "mode": "Prevention",
+ "redirectUrl": null,
+ "customBlockResponseStatusCode": 403,
+ "customBlockResponseBody": null,
+ "requestBodyCheck": "Enabled"
+ },
+
+ },
+ {
+ "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+ "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+ "name": "testpolicy1",
+ "sku": {
+ "name": "classic"
+ },
+ "policySettings": {
+ "enabledState": "Enabled",
+ "mode": "Prevention",
+ "redirectUrl": null,
+ "customBlockResponseStatusCode": 403,
+ "customBlockResponseBody": null,
+ "requestBodyCheck": "Enabled"
+ },
+
+ },
+];
+
+const createCache = (afdWafPolicies) => {
+ return {
+ afdWafPolicies: {
+ listAll: {
+ 'global': {
+ data: afdWafPolicies
+ }
+ }
+ }
+ };
+};
+
+const createErrorCache = () => {
+ return {
+ afdWafPolicies: {
+ listAll: {
+ 'global': {
+ err: 'Unable to query'
+ }
+ }
+ }
+ };
+};
+describe('frontDoorRequestBodyInspection', function () {
+ describe('run', function () {
+
+ it('should give pass result if request body inspection is enabled for front door waf policy', function (done) {
+ const cache = createCache([afdWafPolicies[1]]);
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('Front Door WAF policy has request body inspection enabled');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+
+ it('should give pass result if no existing front door waf policy found', function (done) {
+ const cache = createCache([]);
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('No existing Front Door WAF policies found');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+
+ it('should give fail result if request body inspection is not enabled for front door waf policy', function (done) {
+ const cache = createCache([afdWafPolicies[0]]);
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].message).to.include('Front Door WAF policy does not have request body inspection enabled');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+
+ it('should give unknown result if unable to query for front door WAF policies', function (done) {
+ const cache = createErrorCache();
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].message).to.include('Unable to query for Front Door WAF policies:');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+ });
+});
\ No newline at end of file
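Review bot: All three entries in `afdWafPolicies` carry the same `id` (`.../frontdoorwebapplicationfirewallpolicies/testpolicy2`) even though the second and third are named `testpolicy1`, so a result keyed on the wrong resource would not be caught by these assertions. The third fixture (sku `classic`) is never passed to `createCache` by any `it` block, so it is dead data unless a case for it is added. A fixture with no `policySettings` at all would pin the fail branch for that path, which none of the four cases currently exercise. The `createCache` parameter shadows the module-level `afdWafPolicies` constant; renaming it to `policies` avoids the ambiguity.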