From a6cf4373098d83f4ed2386dd732aa017ececbc95 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Wed, 22 Nov 2023 23:31:07 +0500 Subject: [PATCH 1/6] SAAS-20313/Front-Door-Request-Body-Inspection --- exports.js | 4 +- .../frontDoorRequestBodyInspection.js | 58 ++++++++ .../frontDoorRequestBodyInspection.spec.js | 127 ++++++++++++++++++ 3 files changed, 188 insertions(+), 1 deletion(-) create mode 100644 plugins/azure/frontdoor/frontDoorRequestBodyInspection.js create mode 100644 plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js diff --git a/exports.js b/exports.js index 53c1523d03..a599fab287 100644 --- a/exports.js +++ b/exports.js @@ -989,7 +989,9 @@ module.exports = { 'eventHubMinimumTLSversion' : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'), 'accessLogsEnabled' : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'), - 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js') + 'frontDoorMinimumTlsVersion' : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'), + 'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'), + }, github: { 'publicKeysRotated' : require(__dirname + '/plugins/github/users/publicKeysRotated.js'), diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js new file mode 100644 index 0000000000..28955459ab --- /dev/null +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js 
@@ -0,0 +1,58 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+ title: 'Front Door Request Body Inspection',
+ category: 'Front Door',
+ domain: 'Content Delivery',
+ description: 'Ensures that request body inspection is enabled for Azure Front Door premium WAF policy.',
+ more_info: 'Web Application Firewalls associated to Azure Front Doors premium that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
+ recommended_action: 'Ensure that request body inspection in policy settings for Azure Front Door WAF policy is enabled.',
+ link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
+ apis: ['afdWafPolicies:listAll'],
+
+ run: function(cache, settings, callback) {
+ const results = [];
+ const source = {};
+ const locations = helpers.locations(settings.govcloud);
+
+ async.each(locations.afdWafPolicies, (location, rcb) => {
+
+ var afdWafPolicies = helpers.addSource(cache, source,
+ ['afdWafPolicies', 'listAll', location]);
+
+ if (!afdWafPolicies) return rcb();
+
+ if (afdWafPolicies.err || !afdWafPolicies.data) {
+ helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location);
+ return rcb();
+ }
+ if (!afdWafPolicies.data.length) {
+ helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
+ return rcb();
+ }
+
+ var frontDoorWafPolicies = false;
+ for (let policy of afdWafPolicies.data) {
+ if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue;
+
+ frontDoorWafPolicies = true;
+ if (policy.policySettings &&
+ policy.policySettings.requestBodyCheck &&
+ policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') {
+ helpers.addResult(results, 0, 'Front Door WAF policy has request body inspection enabled', location, policy.id);
+ } else {
+ helpers.addResult(results, 2, 'Front Door WAF policy does not have request body inspection enabled', location, policy.id);
+ }
+ }
+
+ if (!frontDoorWafPolicies) {
+ helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
+ }
+
+ rcb();
+ }, function() {
+ callback(null, results, source);
+ });
+ }
+};
\ No newline at end of file
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
new file mode 100644
index 0000000000..a22415c97c
--- /dev/null
+++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
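Review bot: The `link` field points at the Application Gateway WAF page (`/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits`) although this plugin evaluates Front Door WAF policies, so the remediation link a user follows describes a different service; point it at the Front Door WAF policy-settings documentation for request body inspection instead. The comparisons in the loop use loose equality, e.g. `policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled'`; `===` would match the linter-friendly style used elsewhere and avoids accidental coercion. A policy without `id` is skipped with no result at all, so a misconfigured policy would go unreported rather than surfacing as UNKNOWN — presumably ids are always present in the API response, but that is worth confirming. A short header comment on `run` stating that the check reads `policySettings.requestBodyCheck` and treats a missing or non-'Enabled' value as a failure would help the next maintainer.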
@@ -0,0 +1,127 @@
+var expect = require('chai').expect;
+var frontDoorRequestBodyInspection = require('./frontDoorRequestBodyInspection.js');
+
+const afdWafPolicies = [
+ {
+ "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+ "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+ "name": "testpolicy2",
+ "sku": {
+ "name": "Premium_AzureFrontDoor"
+ },
+ "policySettings": {
+ "enabledState": "Enabled",
+ "mode": "Prevention",
+ "redirectUrl": null,
+ "customBlockResponseStatusCode": 403,
+ "customBlockResponseBody": null,
+ "requestBodyCheck": "Disabled"
+ },
+ },
+ {
+ "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+ "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+ "name": "testpolicy1",
+ "sku": {
+ "name": "Premium_AzureFrontDoor"
+ },
+ "policySettings": {
+ "enabledState": "Enabled",
+ "mode": "Prevention",
+ "redirectUrl": null,
+ "customBlockResponseStatusCode": 403,
+ "customBlockResponseBody": null,
+ "requestBodyCheck": "Enabled"
+ },
+
+ },
+ {
+ "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+ "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+ "name": "testpolicy1",
+ "sku": {
+ "name": "classic"
+ },
+ "policySettings": {
+ "enabledState": "Enabled",
+ "mode": "Prevention",
+ "redirectUrl": null,
+ "customBlockResponseStatusCode": 403,
+ "customBlockResponseBody": null,
+ "requestBodyCheck": "Enabled"
+ },
+
+ },
+];
+
+const createCache = (afdWafPolicies) => {
+ return {
+ afdWafPolicies: {
+ listAll: {
+ 'global': {
+ data: afdWafPolicies
+ }
+ }
+ }
+ };
+};
+
+const createErrorCache = () => {
+ return {
+ afdWafPolicies: {
+ listAll: {
+ 'global': {
+ err: 'Unable to query'
+ }
+ }
+ }
+ };
+};
+describe('frontDoorRequestBodyInspection', function () {
+ describe('run', function () {
+
+ it('should give pass result if request body inspection is enabled for front door waf policy', function (done) {
+ const cache = createCache([afdWafPolicies[1]]);
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('Front Door WAF policy has request body inspection enabled');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+
+ it('should give pass result if no existing front door waf policy found', function (done) {
+ const cache = createCache([afdWafPolicies[2]]);
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(0);
+ expect(results[0].message).to.include('No existing Front Door WAF policies found');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+
+ it('should give fail result if request body inspection is not enabled for front door waf policy', function (done) {
+ const cache = createCache([afdWafPolicies[0]]);
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(2);
+ expect(results[0].message).to.include('Front Door WAF policy does not have request body inspection enabled');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+
+ it('should give unknown result if unable to query for front door WAF policies', function (done) {
+ const cache = createErrorCache();
+ frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+ expect(results.length).to.equal(1);
+ expect(results[0].status).to.equal(3);
+ expect(results[0].message).to.include('Unable to query for Front Door WAF policies:');
+ expect(results[0].region).to.equal('global');
+ done();
+ });
+ });
+ });
+});
\ No newline at end of file
From ffa7ecf75a00eb3cc714de2e7ed505dbf0a42975 Mon Sep 17 00:00:00 2001
From: alphadev4 <113519745+alphadev4@users.noreply.github.com>
Date: Wed, 29 Nov 2023 17:47:00 +0500
Subject: [PATCH 2/6] Apply suggestions from code review
---
 .../frontdoor/frontDoorRequestBodyInspection.js | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
index 28955459ab..5175a83d21 100644
--- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
+++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
@@ -5,9 +5,9 @@ module.exports = {
 title: 'Front Door Request Body Inspection',
 category: 'Front Door',
 domain: 'Content Delivery',
- description: 'Ensures that request body inspection is enabled for Azure Front Door premium WAF policy.',
- more_info: 'Web Application Firewalls associated to Azure Front Doors premium that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
- recommended_action: 'Ensure that request body inspection in policy settings for Azure Front Door WAF policy is enabled.',
+ description: 'Ensures that request body inspection is enabled for Azure Front Door WAF policy.',
+ more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
+ recommended_action: 'Modify Front Door WAF policy and enable request body inspection in policy settings.',
 link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
 apis: ['afdWafPolicies:listAll'],
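Review bot: All three fixtures in `afdWafPolicies` carry the same `id` (`.../frontdoorwebapplicationfirewallpolicies/testpolicy2`) while their `name` values differ, so the `resource` the plugin reports cannot distinguish them and, consistently, none of the cases assert it. Give each fixture a distinct id and pin the resource in the pass and fail cases, e.g. `expect(results[0].resource).to.equal(afdWafPolicies[1].id);`, so a regression that reports the wrong policy is caught. The unknown-result case checks only the message prefix `'Unable to query for Front Door WAF policies:'`; that is acceptable since the suffix comes from `helpers.addError`, which is outside this file.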
@@ -34,9 +34,8 @@ module.exports = { var frontDoorWafPolicies = false; for (let policy of afdWafPolicies.data) { - if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue; + if (!policy.id) continue; - frontDoorWafPolicies = true; if (policy.policySettings && policy.policySettings.requestBodyCheck && policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') { @@ -46,10 +45,6 @@ module.exports = { } } - if (!frontDoorWafPolicies) { - helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location); - } - rcb(); }, function() { callback(null, results, source); From 9a14be78c8e8413c1cc0e3bc6baaf78b63d5feed Mon Sep 17 00:00:00 2001 From: alphadev4 <113519745+alphadev4@users.noreply.github.com> Date: Wed, 29 Nov 2023 17:47:10 +0500 Subject: [PATCH 3/6] Update plugins/azure/frontdoor/frontDoorRequestBodyInspection.js --- plugins/azure/frontdoor/frontDoorRequestBodyInspection.js | 1 - 1 file changed, 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js index 5175a83d21..bf1f5ba1b7 100644 --- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js @@ -32,7 +32,6 @@ module.exports = { return rcb(); } - var frontDoorWafPolicies = false; for (let policy of afdWafPolicies.data) { if (!policy.id) continue; From 700f313419dcfb911308d6d936d01e11bca3392e Mon Sep 17 00:00:00 2001 From: mehakseedat63 <87388442+mehakseedat63@users.noreply.github.com> Date: Fri, 1 Dec 2023 03:12:49 +0500 Subject: [PATCH 4/6] Update plugins/azure/frontdoor/frontDoorRequestBodyInspection.js --- plugins/azure/frontdoor/frontDoorRequestBodyInspection.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js index bf1f5ba1b7..bd733bce74 100644 
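Review bot: With the SKU filter dropped in the first hunk, every policy returned by `afdWafPolicies:listAll` is now evaluated, and any policy whose `policySettings` lacks `requestBodyCheck` falls into the FAIL branch; if that setting is not exposed for some SKU the API returns (the spec fixtures include a `classic` SKU), those policies would be reported as failing on a field they cannot set. Presumably the setting is present for every SKU returned by this call, but that is worth confirming against the API before merging, otherwise a guard such as `if (!policy.id || !policy.policySettings) continue;` with a comment explaining the skip would be the safer default. Removing the `'No existing Front Door WAF policies found'` fallback in the second hunk is fine, since the `!afdWafPolicies.data.length` branch earlier in `run` (outside the hunk) still reports an empty list. `run` starts and ends outside both hunks.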
--- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js @@ -6,7 +6,7 @@ module.exports = { category: 'Front Door', domain: 'Content Delivery', description: 'Ensures that request body inspection is enabled for Azure Front Door WAF policy.', - more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.', + more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled allow to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.', recommended_action: 'Modify Front Door WAF policy and enable request body inspection in policy settings.', link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection', apis: ['afdWafPolicies:listAll'], From 655c0bacb70717ecf48c8fdeb21b865127eda283 Mon Sep 17 00:00:00 2001 From: alphadev4 Date: Tue, 5 Dec 2023 19:36:16 +0500 Subject: [PATCH 5/6] Rebased --- helpers/azure/api.js | 1 + helpers/azure/locations.js | 1 + 2 files changed, 2 insertions(+) diff --git a/helpers/azure/api.js b/helpers/azure/api.js index 188f8ff1c7..fb22b58901 100644 --- a/helpers/azure/api.js +++ b/helpers/azure/api.js @@ -945,6 +945,7 @@ var postcalls = { } } + }; var tertiarycalls = { diff --git a/helpers/azure/locations.js b/helpers/azure/locations.js index 7ccb206469..b1e8440193 100644 --- a/helpers/azure/locations.js +++ b/helpers/azure/locations.js @@ -122,4 +122,5 @@ module.exports = { serviceBus: locations, classicFrontDoors: ['global'], afdWafPolicies: ['global'] + }; From 8550edf7058a7735dfb2386b90d460a21c501f78 Mon Sep 17 00:00:00 2001 
From: alphadev4 Date: Tue, 5 Dec 2023 19:39:15 +0500 Subject: [PATCH 6/6] testcase --- plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js index a22415c97c..d6f2adcf1c 100644 --- a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js +++ b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js @@ -92,7 +92,7 @@ describe('frontDoorRequestBodyInspection', function () { }); it('should give pass result if no existing front door waf policy found', function (done) { - const cache = createCache([afdWafPolicies[2]]); + const cache = createCache([]); frontDoorRequestBodyInspection.run(cache, {}, (err, results) => { expect(results.length).to.equal(1); expect(results[0].status).to.equal(0);
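Review bot: `createCache([])` now exercises the empty-list branch directly, but the classic-SKU fixture `afdWafPolicies[2]` this case previously used is no longer referenced by any test, and since the SKU filter was removed earlier in the series the plugin's handling of non-premium policies has no coverage. Add a case asserting that `createCache([afdWafPolicies[2]])` yields one result with status 0 and the `'Front Door WAF policy has request body inspection enabled'` message (its `requestBodyCheck` is `"Enabled"` and it has an `id`), or drop the unused fixture. The `it` callback continues past the end of the hunk.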