404

[ Avaa Bypassed ]




Upload:

Command:

botdev@18.188.19.24: ~ $
"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""

import regex as re

from cfnlint.helpers import REGEX_DYN_REF, REGEX_DYN_REF_SSM
from cfnlint.rules import CloudFormationLintRule, RuleMatch


class Password(CloudFormationLintRule):
    """Check if Password Properties are properly configured"""

    id = "W2501"
    shortdesc = "Check if Password Properties are correctly configured"
    description = (
        "Password properties should not be strings and if parameter using NoEcho"
    )
    source_url = "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/best-practices.html#creds"
    tags = ["parameters", "passwords", "security", "dynamic reference"]

    def match(self, cfn):
        """Check CloudFormation Password Parameters"""

        matches = []
        password_properties = [
            "AccountPassword",
            "AdminPassword",
            "ADDomainJoinPassword",
            "CrossRealmTrustPrincipalPassword",
            "KdcAdminPassword",
            "Password",
            "DbPassword",
            "MasterUserPassword",
            "PasswordParam",
        ]

        parameters = cfn.get_parameter_names()
        fix_params = []
        for password_property in password_properties:
            # Build the list of refs
            refs = cfn.search_deep_keys(password_property)
            trees = []
            for tree in refs:
                if len(tree) > 2:
                    if tree[0] == "Resources" and tree[2] == "Properties":
                        trees.append(tree)

            for tree in trees:
                obj = tree[-1]
                if isinstance(obj, (str)):
                    if re.match(REGEX_DYN_REF, obj):
                        if re.match(REGEX_DYN_REF_SSM, obj):
                            message = f'Password should use a secure dynamic reference for {"/".join(map(str, tree[:-1]))}'
                            matches.append(RuleMatch(tree[:-1], message))
                    else:
                        message = f'Password shouldn\'t be hardcoded for {"/".join(map(str, tree[:-1]))}'
                        matches.append(RuleMatch(tree[:-1], message))
                elif isinstance(obj, dict):
                    if len(obj) == 1:
                        for key, value in obj.items():
                            if key == "Ref":
                                if value in parameters:
                                    param = cfn.template["Parameters"][value]
                                    if "NoEcho" in param:
                                        if not param["NoEcho"]:
                                            fix_params.append(
                                                {
                                                    "Name": value,
                                                    "Use": password_property,
                                                }
                                            )
                                    else:
                                        fix_params.append(
                                            {"Name": value, "Use": password_property}
                                        )
                    else:
                        message = f'Inappropriate map found for password on {"/".join(map(str, tree[:-1]))}'
                        matches.append(RuleMatch(tree[:-1], message))

        for paramname in fix_params:
            message = f'Parameter {paramname["Name"]} used as {paramname["Use"]}, therefore NoEcho should be True'
            tree = ["Parameters", paramname["Name"]]
            matches.append(RuleMatch(tree, message))
        return matches

Filemanager

Name Type Size Permission Actions
__pycache__ Folder 0755
AllowedPattern.py File 5.76 KB 0644
AllowedValue.py File 4.8 KB 0644
AtLeastOne.py File 4.11 KB 0644
AvailabilityZone.py File 3.41 KB 0644
BasedOnValue.py File 6.33 KB 0644
Exclusive.py File 3.98 KB 0644
ImageId.py File 2.37 KB 0644
Inclusive.py File 3.7 KB 0644
JsonSize.py File 6.08 KB 0644
ListDuplicates.py File 4.39 KB 0644
ListDuplicatesAllowed.py File 4.76 KB 0644
ListSize.py File 4.88 KB 0644
NumberSize.py File 4.88 KB 0644
OnlyOne.py File 3.89 KB 0644
Password.py File 3.63 KB 0644
Properties.py File 27.49 KB 0644
PropertiesTemplated.py File 2.44 KB 0644
Required.py File 4.1 KB 0644
RequiredBasedOnValue.py File 831 B 0644
StringSize.py File 4.52 KB 0644
UnwantedBasedOnValue.py File 837 B 0644
ValuePrimitiveType.py File 11.6 KB 0644
ValueRefGetAtt.py File 11.96 KB 0644
__init__.py File 106 B 0644