
Conversation

@yuvalmich yuvalmich commented Apr 20, 2025

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

This PR adds graph checks for over-permissive AWS Lambda CORS (Cross-Origin Resource Sharing) for both Terraform and CloudFormation.

This check aligns to the run policy ID 7bf83882-02ad-4f79-803c-ed4588e166cd

New/Edited policies (Delete if not relevant)

Description

AWS Lambda URL resource (aws_lambda_function_url / AWS::Lambda::Url) that is connected to a lambda resource (aws_lambda_function_url / AWS::Lambda::Function) can't have both allow_origins: * and allow_methods: *

Fix

Define at least one allow_origins or allow_methods as non * value

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes
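
To make the policy concrete, the following is an added example (not code from this PR or from checkov itself) that applies the same rule to already-parsed Terraform and CloudFormation resources. The resource shapes, function names and sample inputs are assumptions modelled on the `aws_lambda_function_url` `cors` block and the `AWS::Lambda::Url` `Cors` property; the URL-to-function graph edge the real check uses is not modelled here.

```python
# Added example, not checkov's own code: evaluate the CORS rule this PR describes
# on already-parsed resources. The resource shapes are assumptions modelled on
# Terraform's aws_lambda_function_url `cors` block and CloudFormation's
# AWS::Lambda::Url `Cors` property; the URL -> function graph edge is not modelled.
from typing import Any, Iterable

WILDCARD = "*"

def _as_list(value: Any) -> list:
    """Flatten scalars and nested lists (HCL parsers wrap block attributes in
    lists) into a flat list of strings; None becomes an empty list."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        out: list = []
        for item in value:
            out.extend(_as_list(item))
        return out
    return [str(value)]

def _is_wildcard(values: Iterable[str]) -> bool:
    return any(v.strip() == WILDCARD for v in values)

def check_terraform_lambda_url(conf: dict) -> str:
    """conf: attributes of one aws_lambda_function_url resource -> PASSED/FAILED."""
    cors_blocks = conf.get("cors") or []
    if isinstance(cors_blocks, dict):  # single block not wrapped in a list
        cors_blocks = [cors_blocks]
    for cors in cors_blocks:
        origins = _as_list(cors.get("allow_origins"))
        methods = _as_list(cors.get("allow_methods"))
        if _is_wildcard(origins) and _is_wildcard(methods):
            return "FAILED"  # any origin may call the URL with any method
    return "PASSED"  # no cors block configured, or at least one side restricted

def check_cfn_lambda_url(props: dict) -> str:
    """props: Properties of one AWS::Lambda::Url resource -> PASSED/FAILED."""
    cors = props.get("Cors") or {}
    origins = _as_list(cors.get("AllowOrigins"))
    methods = _as_list(cors.get("AllowMethods"))
    if _is_wildcard(origins) and _is_wildcard(methods):
        return "FAILED"
    return "PASSED"

# Constructed sample inputs (not the PR's test fixtures).
TF_INVALID = {"cors": [{"allow_origins": ["*"], "allow_methods": ["*"]}]}
TF_METHODS_ONLY = {"cors": [{"allow_origins": ["https://app.example"], "allow_methods": ["*"]}]}
CFN_INVALID = {"Cors": {"AllowOrigins": ["*"], "AllowMethods": ["*"]}}
CFN_NO_CORS = {"AuthType": "NONE"}
```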

@yuvalmich yuvalmich changed the title Over permissive Lambda Cors check feat(terraform): Over permissive Lambda Cors check (Terraform & Cloudformation) Apr 20, 2025
- "AWS::Lambda::Url.ValidLambdaUrlOnlyMethodsStar"
fail:
- "AWS::Lambda::Url.InvalidLambdaUrl"
evaluated_keys:
Contributor


what is the purpose of the evaluated keys here?

Contributor Author


I didn't find any documentation about this field, but I assume it asserts that the evaluated keys are the same keys that have an attribute field in the check yaml itself.

So if, for example, I ensured that the attribute AllowOrigins doesn't contain *, it should appear in the test's evaluated_keys (otherwise the tests fail).

Contributor

@tsmithv11 tsmithv11 left a comment


Looks good! The resource type we want to filter on is the function

@yuvalmich yuvalmich force-pushed the yuval/add-lambda-cors-rule branch from 6b8a796 to 17977cd April 21, 2025 06:22
@yuvalmich yuvalmich force-pushed the yuval/add-lambda-cors-rule branch from becc4d4 to bd43493 April 22, 2025 06:40
@yuvalmich yuvalmich force-pushed the yuval/add-lambda-cors-rule branch from bd43493 to 235a21a April 22, 2025 07:24
check_list.sort(reverse=True, key=lambda s: int(s.split('_')[-1]))

for i in range(1, len(aws_checks) + 3):
for i in range(1, len(aws_checks) + 2):
Contributor


why is this needed?

Contributor


He added the same check to 2 frameworks, so they need the same ID

@yuvalmich yuvalmich merged commit 43acdc0 into bridgecrewio:main Apr 22, 2025
42 of 43 checks passed