aquasecurity · alphadev4 · Sep 18, 2024 · Jul 14, 2024 · Sep 16, 2024 · Sep 16, 2024
diff --git a/exports.js b/exports.js
@@ -733,6 +733,7 @@ module.exports = {
         'containerAppVolumeMount'       : require(__dirname + '/plugins/azure/containerapps/containerAppVolumeMount.js'),
         'containerAppHttpsOnly'         : require(__dirname + '/plugins/azure/containerapps/containerAppHttpsOnly.js'),
         'containerAppHasTags'           : require(__dirname + '/plugins/azure/containerapps/containerAppHasTags.js'),
+        'containerAppIPRestriction'      : require(__dirname + '/plugins/azure/containerapps/containerAppIPRestriction.js'),
 
         'workspacePublicAccessDisabled' : require(__dirname + '/plugins/azure/machinelearning/workspacePublicAccessDisabled.js'),
         'workspaceLoggingEnabled'       : require(__dirname + '/plugins/azure/machinelearning/workspaceLoggingEnabled.js'),

diff --git a/plugins/aws/eks/eksKubernetesVersion.spec.js b/plugins/aws/eks/eksKubernetesVersion.spec.js
@@ -82,7 +82,7 @@ describe('eksKubernetesVersion', function () {
                   "cluster": {
                     "name": "mycluster",
                     "arn": "arn:aws:eks:us-east-1:012345678911:cluster/mycluster",
-                    "version": "1.27",
+                    "version": "1.29",
                   }
                 }
             );

diff --git a/plugins/azure/containerapps/containerAppIPRestriction.js b/plugins/azure/containerapps/containerAppIPRestriction.js
@@ -0,0 +1,61 @@
+var async = require('async');
+var helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Container Apps IP Restriction Configured',
+    category: 'Container Apps',
+    domain: 'Containers',
+    severity: 'Medium',
+    description: 'Ensures that Container Apps are configured to allow only specific IP addresses.',
+    more_info: 'Azure Container Apps provides IP ingress restrictions for controlling inbound traffic, enhancing application security. Allow or deny rules can be defined for specific IP ranges, enabling precise access management to container apps. This feature is crucial for reducing potential security vulnerabilities, as unrestricted configurations permit all inbound traffic by default.',
+    recommended_action: 'Modify Container Apps and configure IP restriction.',
+    link: 'https://learn.microsoft.com/en-us/azure/container-apps/ip-restrictions',
+    apis: ['containerApps:list'],
+    realtime_triggers: ['microsoftapp:containerapps:write', 'microsoftapp:containerapps:delete'],
+
+    run: function(cache, settings, callback) {
+        var results = [];
+        var source = {};
+        var locations = helpers.locations(settings.govcloud);
+
+        async.each(locations.containerApps, function(location, rcb) {
+            var containerApps = helpers.addSource(cache, source,
+                ['containerApps', 'list', location]);
+
+            if (!containerApps) return rcb();
+
+            if (containerApps.err || !containerApps.data) {
+                helpers.addResult(results, 3,
+                    'Unable to query for Container apps: ' + helpers.addError(containerApps), location);
+                return rcb();
+            }
+
+            if (!containerApps.data.length) {
+                helpers.addResult(results, 0, 'No existing Container apps found', location);
+                return rcb();
+            }
+
+            for (let container of containerApps.data) {
+                if (!container.id) continue;
+
+                if (container.configuration && 
+                    container.configuration.ingress && 
+                    container.configuration.ingress.ipSecurityRestrictions && 
+                    container.configuration.ingress.ipSecurityRestrictions.length) {
+                    helpers.addResult(results, 0,
+                        'Container app has IP restrictions configured', location, container.id);
+
+                } else {
+                    helpers.addResult(results, 2,
+                        'Container app does not have IP restrictions configured', location, container.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            // Global checking goes here
+            callback(null, results, source);
+        });
+    }
+};
+
diff --git a/plugins/azure/containerapps/containerAppIPRestriction.spec.js b/plugins/azure/containerapps/containerAppIPRestriction.spec.js
@@ -0,0 +1,149 @@
+var expect = require('chai').expect;
+var containerAppIPRestriction = require('./containerAppIPRestriction');
+
+const containerApps = [
+    {
+      "id": "/subscriptions/123456/resourceGroups/tesr/providers/Microsoft.App/containerapps/test1",
+      "name": "test1",
+      "type": "Microsoft.App/containerApps",
+      "configuration": {
+        "ingress": {
+            "fqdn": "testfatima.wittysea-8163cba4.australiaeast.azurecontainerapps.io",
+            "external": true,
+            "targetPort": 300,
+            "exposedPort": 0,
+            "transport": "Auto",
+            "traffic": [
+              {
+                "weight": 100,
+                "latestRevision": true
+              }
+            ],
+            "customDomains": null,
+            "allowInsecure": false,
+            "ipSecurityRestrictions": [
+                {
+                    "action":'Allow',
+                    "description":'dummy',
+                    "ipAddressRange": '00000',
+                    "name": 'test'
+                }
+            ],
+            "corsPolicy": null,
+            "clientCertificateMode": "Ignore",
+            "stickySessions": {
+              "affinity": "none"
+            }
+          },
+        },
+      "identity": {
+        "type": "SystemAssigned"
+      }
+
+      },
+      {
+        "id": "/subscriptions/123456/resourceGroups/tesr/providers/Microsoft.App/containerapps/test2",
+        "name": "test2",
+        "type": "Microsoft.App/containerApps",
+        "configuration": {
+            "ingress": {
+                "fqdn": "testfatima.wittysea-8163cba4.australiaeast.azurecontainerapps.io",
+                "external": true,
+                "targetPort": 300,
+                "exposedPort": 0,
+                "transport": "Auto",
+                "traffic": [
+                  {
+                    "weight": 100,
+                    "latestRevision": true
+                  }
+                ],
+                "customDomains": null,
+                "allowInsecure": true,
+                "ipSecurityRestrictions": null,
+                "corsPolicy": null,
+                "clientCertificateMode": "Ignore",
+                "stickySessions": {
+                  "affinity": "none"
+                }
+              },
+            },
+        "identity": {
+            "type": "None"
+        }
+      },
+];
+
+
+
+const createCache = (container) => {
+    return {
+        containerApps: {
+            list: {
+                'eastus': {
+                    data: container
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        containerApps: {
+            list: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('containerAppIPRestriction', function() {
+    describe('run', function() {
+        it('should give passing result if no container apps', function(done) {
+            const cache = createCache([]);
+            containerAppIPRestriction.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing Container apps found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if unable to query for container apps', function(done) {
+            const cache = createErrorCache();
+            containerAppIPRestriction.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Container apps: ');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+
+        it('should give passing result if container app has IP restrictions configured', function(done) {
+            const cache = createCache([containerApps[0]]);
+            containerAppIPRestriction.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Container app has IP restrictions configured');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if container app does not have IP restrictions configured', function(done) {
+            const cache = createCache([containerApps[1]]);
+            containerAppIPRestriction.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Container app does not have IP restrictions configured');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+    });
+});