aquasecurity · mehakseedat63 · Dec 5, 2023 · Nov 22, 2023 · Nov 29, 2023 · Nov 29, 2023
diff --git a/exports.js b/exports.js
@@ -989,7 +989,9 @@ module.exports = {
         'eventHubMinimumTLSversion'     : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
 
         'accessLogsEnabled'             : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
-        'frontDoorMinimumTlsVersion'    : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js')
+        'frontDoorMinimumTlsVersion'    : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
+        'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'),
+
     },
     github: {
         'publicKeysRotated'             : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),

diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
@@ -0,0 +1,52 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Front Door Request Body Inspection',
+    category: 'Front Door',
+    domain: 'Content Delivery',
+    description: 'Ensures that request body inspection is enabled for Azure Front Door WAF policy.',
+    more_info: 'Web Application Firewalls associated to Azure Front Doors that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
+    recommended_action: 'Modify Front Door WAF policy and enable request body inspection in policy settings.',
+    link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
+    apis: ['afdWafPolicies:listAll'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.afdWafPolicies, (location, rcb) => {
+
+            var afdWafPolicies = helpers.addSource(cache, source,
+                ['afdWafPolicies', 'listAll', location]);
+
+            if (!afdWafPolicies) return rcb();
+
+            if (afdWafPolicies.err || !afdWafPolicies.data) {
+                helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location);
+                return rcb();
+            }
+            if (!afdWafPolicies.data.length) {
+                helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
+                return rcb();
+            }
+
+            for (let policy of afdWafPolicies.data) {
+                if (!policy.id) continue;
+
+                if (policy.policySettings && 
+                    policy.policySettings.requestBodyCheck && 
+                    policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') {
+                    helpers.addResult(results, 0, 'Front Door WAF policy has request body inspection enabled', location, policy.id);
+                } else {
+                    helpers.addResult(results, 2, 'Front Door WAF policy does not have request body inspection enabled', location, policy.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
@@ -0,0 +1,127 @@
+var expect = require('chai').expect;
+var frontDoorRequestBodyInspection = require('./frontDoorRequestBodyInspection.js');
+
+const afdWafPolicies = [
+    {
+        "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+        "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+        "name": "testpolicy2",
+        "sku": {
+          "name": "Premium_AzureFrontDoor"
+        },
+        "policySettings": {
+            "enabledState": "Enabled",
+            "mode": "Prevention",
+            "redirectUrl": null,
+            "customBlockResponseStatusCode": 403,
+            "customBlockResponseBody": null,
+            "requestBodyCheck": "Disabled"
+          },
+    },
+    {
+        "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+        "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+        "name": "testpolicy1",
+        "sku": {
+          "name": "Premium_AzureFrontDoor"
+        },
+        "policySettings": {
+            "enabledState": "Enabled",
+            "mode": "Prevention",
+            "redirectUrl": null,
+            "customBlockResponseStatusCode": 403,
+            "customBlockResponseBody": null,
+            "requestBodyCheck": "Enabled"
+          },
+
+    },
+    {
+        "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+        "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+        "name": "testpolicy1",
+        "sku": {
+          "name": "classic"
+        },
+        "policySettings": {
+            "enabledState": "Enabled",
+            "mode": "Prevention",
+            "redirectUrl": null,
+            "customBlockResponseStatusCode": 403,
+            "customBlockResponseBody": null,
+            "requestBodyCheck": "Enabled"
+          },
+
+    },
+];
+
+const createCache = (afdWafPolicies) => {
+    return {
+        afdWafPolicies: {
+            listAll: {
+                'global': {
+                    data: afdWafPolicies
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        afdWafPolicies: {
+            listAll: {
+                'global': {
+                    err: 'Unable to query'
+                }
+            }
+        }
+    };
+};
+describe('frontDoorRequestBodyInspection', function () {
+    describe('run', function () {
+
+        it('should give pass result if request body inspection is enabled for front door waf policy', function (done) {
+            const cache = createCache([afdWafPolicies[1]]);
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Front Door WAF policy has request body inspection enabled');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+
+        it('should give pass result if no existing front door waf policy found', function (done) {
+            const cache = createCache([afdWafPolicies[2]]);
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Front Door WAF policies found');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+
+        it('should give fail result if request body inspection is not enabled for front door waf policy', function (done) {
+            const cache = createCache([afdWafPolicies[0]]);
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Front Door WAF policy does not have request body inspection enabled');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for front door WAF policies', function (done) {
+            const cache = createErrorCache();
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Front Door WAF policies:');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+    });
+});