aquasecurity · mehakseedat63 · Dec 5, 2023 · Nov 22, 2023 · Nov 29, 2023 · Nov 29, 2023
diff --git a/exports.js b/exports.js
@@ -989,7 +989,9 @@ module.exports = {
         'eventHubMinimumTLSversion'     : require(__dirname + '/plugins/azure/eventhub/eventHubMinimumTLSversion.js'),
 
         'accessLogsEnabled'             : require(__dirname + '/plugins/azure/frontdoor/accessLogsEnabled.js'),
-        'frontDoorMinimumTlsVersion'    : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js')
+        'frontDoorMinimumTlsVersion'    : require(__dirname + '/plugins/azure/frontdoor/frontDoorMinimumTlsVersion.js'),
+        'frontDoorRequestBodyInspection': require(__dirname + '/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js'),
+
     },
     github: {
         'publicKeysRotated'             : require(__dirname + '/plugins/github/users/publicKeysRotated.js'),

diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.js
@@ -0,0 +1,58 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Front Door Request Body Inspection',
+    category: 'Front Door',
+    domain: 'Content Delivery',
+    description: 'Ensures that request body inspection is enabled for Azure Front Door premium WAF policy.',
+    more_info: 'Web Application Firewalls associated to Azure Front Doors premium that have request body inspection enabled, allows to inspect properties within the HTTP body that may not be evaluated in the HTTP headers, cookies, or URI.',
+    recommended_action: 'Ensure that request body inspection in policy settings for Azure Front Door WAF policy is enabled.',
+    link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits#request-body-inspection',
+    apis: ['afdWafPolicies:listAll'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.afdWafPolicies, (location, rcb) => {
+
+            var afdWafPolicies = helpers.addSource(cache, source,
+                ['afdWafPolicies', 'listAll', location]);
+
+            if (!afdWafPolicies) return rcb();
+
+            if (afdWafPolicies.err || !afdWafPolicies.data) {
+                helpers.addResult(results, 3, 'Unable to query for Front Door WAF policies: ' + helpers.addError(afdWafPolicies), location);
+                return rcb();
+            }
+            if (!afdWafPolicies.data.length) {
+                helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
+                return rcb();
+            }
+
+            var frontDoorWafPolicies = false;
+            for (let policy of afdWafPolicies.data) {
+                if (!policy.id || !policy.sku || policy.sku.name.toLowerCase() != 'premium_azurefrontdoor') continue;
+
+                frontDoorWafPolicies = true;
+                if (policy.policySettings && 
+                    policy.policySettings.requestBodyCheck && 
+                    policy.policySettings.requestBodyCheck.toLowerCase() == 'enabled') {
+                    helpers.addResult(results, 0, 'Front Door WAF policy has request body inspection enabled', location, policy.id);
+                } else {
+                    helpers.addResult(results, 2, 'Front Door WAF policy does not have request body inspection enabled', location, policy.id);
+                }
+            }
+
+            if (!frontDoorWafPolicies) {
+                helpers.addResult(results, 0, 'No existing Front Door WAF policies found', location);
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js b/plugins/azure/frontdoor/frontDoorRequestBodyInspection.spec.js
@@ -0,0 +1,127 @@
+var expect = require('chai').expect;
+var frontDoorRequestBodyInspection = require('./frontDoorRequestBodyInspection.js');
+
+const afdWafPolicies = [
+    {
+        "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+        "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+        "name": "testpolicy2",
+        "sku": {
+          "name": "Premium_AzureFrontDoor"
+        },
+        "policySettings": {
+            "enabledState": "Enabled",
+            "mode": "Prevention",
+            "redirectUrl": null,
+            "customBlockResponseStatusCode": 403,
+            "customBlockResponseBody": null,
+            "requestBodyCheck": "Disabled"
+          },
+    },
+    {
+        "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+        "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+        "name": "testpolicy1",
+        "sku": {
+          "name": "Premium_AzureFrontDoor"
+        },
+        "policySettings": {
+            "enabledState": "Enabled",
+            "mode": "Prevention",
+            "redirectUrl": null,
+            "customBlockResponseStatusCode": 403,
+            "customBlockResponseBody": null,
+            "requestBodyCheck": "Enabled"
+          },
+
+    },
+    {
+        "id": "/subscriptions/123456789/resourcegroups/meerab-rg/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/testpolicy2",
+        "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies",
+        "name": "testpolicy1",
+        "sku": {
+          "name": "classic"
+        },
+        "policySettings": {
+            "enabledState": "Enabled",
+            "mode": "Prevention",
+            "redirectUrl": null,
+            "customBlockResponseStatusCode": 403,
+            "customBlockResponseBody": null,
+            "requestBodyCheck": "Enabled"
+          },
+
+    },
+];
+
+const createCache = (afdWafPolicies) => {
+    return {
+        afdWafPolicies: {
+            listAll: {
+                'global': {
+                    data: afdWafPolicies
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        afdWafPolicies: {
+            listAll: {
+                'global': {
+                    err: 'Unable to query'
+                }
+            }
+        }
+    };
+};
+describe('frontDoorRequestBodyInspection', function () {
+    describe('run', function () {
+
+        it('should give pass result if request body inspection is enabled for front door waf policy', function (done) {
+            const cache = createCache([afdWafPolicies[1]]);
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Front Door WAF policy has request body inspection enabled');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+
+        it('should give pass result if no existing front door waf policy found', function (done) {
+            const cache = createCache([afdWafPolicies[2]]);
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Front Door WAF policies found');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+
+        it('should give fail result if request body inspection is not enabled for front door waf policy', function (done) {
+            const cache = createCache([afdWafPolicies[0]]);
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Front Door WAF policy does not have request body inspection enabled');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for front door WAF policies', function (done) {
+            const cache = createErrorCache();
+            frontDoorRequestBodyInspection.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Front Door WAF policies:');
+                expect(results[0].region).to.equal('global');
+                done();
+            });
+        });
+    });
+});