feat(arm): add FunctionAppDisallowCORS - password correctness check

checkov/arm/checks/resource/FunctionAppDisallowCORS.py

@@ -0,0 +1,24 @@
+from typing import List, Any
+from checkov.common.models.enums import CheckCategories, CheckResult
+from checkov.arm.base_resource_negative_value_check import BaseResourceNegativeValueCheck
+
+
+class FunctionAppDisallowCORS(BaseResourceNegativeValueCheck):
+
+ def __init__(self) -> None:
+ name = "Ensure function apps are not accessible from all regions"
+ id = "CKV_AZURE_62"
+ supported_resources = ("Microsoft.Web/sites",)
+ categories = (CheckCategories.GENERAL_SECURITY,)
+ super().__init__(name=name, id=id, categories=categories,
+ supported_resources=supported_resources,
+ missing_block_result=CheckResult.PASSED)
+
+ def get_inspected_key(self) -> str:
+ return "properties/siteConfig/cors/allowedOrigins"
+
+ def get_forbidden_values(self) -> List[Any]:
+ return ["*"]
+
+
+check = FunctionAppDisallowCORS()

tests/arm/checks/resource/example_FunctionAppDisallowCORS/fail.json

@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Web App."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure region where the resource should be deployed."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Free",
+ "Shared",
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of the Azure Web App."
+ }
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the App Service Plan to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2019-08-01",
+ "name": "fail",
+ "location": "[parameters('location')]",
+ "properties": {
+ "name": "[parameters('siteName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "Setting1",
+ "value": "Value1"
+ },
+ {
+ "name": "Setting2",
+ "value": "Value2"
+ }
+ ],
+ "metadata": [
+ {
+ "name": "Key1",
+ "value": "Value1"
+ },
+ {
+ "name": "Key2",
+ "value": "Value2"
+ }
+ ],
+ "cors": {
+ "allowedOrigins": ["*"]
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ ],
+ "sku": {
+ "name": "[parameters('sku')]"
+ }
+ }
+ ]
+}

tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass.json

@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Web App."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure region where the resource should be deployed."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Free",
+ "Shared",
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of the Azure Web App."
+ }
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the App Service Plan to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2019-08-01",
+ "name": "pass",
+ "location": "[parameters('location')]",
+ "properties": {
+ "name": "[parameters('siteName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ ],
+ "sku": {
+ "name": "[parameters('sku')]"
+ }
+ }
+ ]
+}

tests/arm/checks/resource/example_FunctionAppDisallowCORS/pass_with_cors.json

@@ -0,0 +1,81 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure Web App."
+ }
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "description": "The Azure region where the resource should be deployed."
+ }
+ },
+ "sku": {
+ "type": "string",
+ "defaultValue": "Free",
+ "allowedValues": [
+ "Free",
+ "Shared",
+ "Basic",
+ "Standard",
+ "Premium"
+ ],
+ "metadata": {
+ "description": "The pricing tier of the Azure Web App."
+ }
+ },
+ "appServicePlanName": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the App Service Plan to use."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites",
+ "apiVersion": "2019-08-01",
+ "name": "pass_with_cors",
+ "location": "[parameters('location')]",
+ "properties": {
+ "name": "[parameters('siteName')]",
+ "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
+ "siteConfig": {
+ "appSettings": [
+ {
+ "name": "Setting1",
+ "value": "Value1"
+ },
+ {
+ "name": "Setting2",
+ "value": "Value2"
+ }
+ ],
+ "metadata": [
+ {
+ "name": "Key1",
+ "value": "Value1"
+ },
+ {
+ "name": "Key2",
+ "value": "Value2"
+ }
+ ],
+ "cors": {
+ "allowedOrigins": ["192.0.0.1"]
+ }
+ }
+ },
+ "dependsOn": [
+ "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]"
+ ],
+ "sku": {
+ "name": "[parameters('sku')]"
+ }
+ }
+ ]
+}

tests/arm/checks/resource/test_FunctionAppDisallowCORS.py

@@ -0,0 +1,42 @@
+import unittest
+from pathlib import Path
+
+from checkov.arm.checks.resource.FunctionAppDisallowCORS import check
+from checkov.arm.runner import Runner
+from checkov.runner_filter import RunnerFilter
+
+
+class TestFunctionAppDisallowCORS(unittest.TestCase):
+
+ def test_summery(self):
+ # given
+ test_files_dir = Path(__file__).parent / "example_FunctionAppDisallowCORS"
+
+ # when
+ report = Runner().run(root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id]))
+
+ # then
+ summary = report.get_summary()
+
+ passing_resources = {
+ "Microsoft.Web/sites.pass_with_cors",
+ "Microsoft.Web/sites.pass",
+ }
+
+ failing_resources = {
+ "Microsoft.Web/sites.fail",
+ }
+
+ passed_check_resources = {c.resource for c in report.passed_checks}
+ failed_check_resources = {c.resource for c in report.failed_checks}
+
+ self.assertEqual(summary["passed"], len(passing_resources))
+ self.assertEqual(summary["failed"], len(failing_resources))
+ self.assertEqual(summary["skipped"], 0)
+ self.assertEqual(summary["parsing_errors"], 0)
+
+ self.assertEqual(passing_resources, passed_check_resources)
+ self.assertEqual(failing_resources, failed_check_resources)
+
+if __name__ == '__main__':
+ unittest.main()