aws-cf-checker - npm Package Compare versions

Comparing version 0.6.0 to 0.7.0

check/iamManagedPolicy.js

16

check/iamPolicy.js

@@ -140,6 +140,6 @@ /*

if (options.allow !== undefined && _.some(options.allow, function(allow) {
return _.some(toArray(toWildcard(allow.action)), function(action) {
return wildstring.match(action, pair.action);
}) && _.some(toArray(toWildcard(allow.resource)), function(resource) {
return wildstring.match(resource, pair.resource);
return _.some(toArray(toWildcard(allow.action)), function(allowAction) {
return wildstring.match(allowAction, pair.action);
}) && _.some(toArray(toWildcard(allow.resource)), function(allowResource) {
return wildstring.match(allowResource, pair.resource);
});

@@ -153,6 +153,6 @@ }) === false) {

if (options.deny !== undefined && _.some(options.deny, function(deny) {
return _.some(toArray(toWildcard(deny.action)), function(action) {
return wildstring.match(action, pair.action);
}) && _.some(toArray(toWildcard(deny.resource)), function(resource) {
return wildstring.match(resource, pair.resource);
return _.some(toArray(toWildcard(deny.action)), function(denyAction) {
return wildstring.match(denyAction, pair.action);
}) && _.some(toArray(toWildcard(deny.resource)), function(denyResource) {
return wildstring.match(denyResource, pair.resource);
});

@@ -159,0 +159,0 @@ }) === true) {

@@ -6,3 +6,3 @@ /*

* `case`: Enum["pascal", "camel"] (default: "pascal")
* `case`: (Enum["pascal", "camel"] default: "pascal")
*/

@@ -9,0 +9,0 @@

/*
Checks if the resource types are allowed in the template.
Checks if the resource types are allowed in the template. Wildcard * is supported.

@@ -9,7 +9,8 @@ If you `deny` something, everything that is not denied is allowed.

* `deny`: Array[String]
* `allow`: Array[String]
* `deny`: (Array[String]) (whitelist, wildcard * can be used)
* `allow`: (Array[String]) (blacklist, wildcard * can be used)
*/
var _ = require("lodash");
var wildstring = require("wildstring");
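Review bot: The two rewritten option lines in the header comment have their list labels swapped: `deny` is the blacklist and `allow` the whitelist, which is also what the sentence just above them says ("If you `deny` something, everything that is not denied is allowed") and what the checker code in the later hunks does (an allow miss and a deny hit both produce a finding). The `deny` line should read "(Array[String]) (blacklist, wildcard * can be used)" and the `allow` line "(Array[String]) (whitelist, wildcard * can be used)". The README hunk at `@@ -107,4 +107,4 @@` carries the same two lines and needs the same swap.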

@@ -25,3 +26,5 @@ function filterPartResource(object) {

function checker(object) {
if (options.allow !== undefined && options.allow.indexOf(object.Type) === -1) {
if (options.allow !== undefined && _.some(options.allow, function(allow) {
return wildstring.match(allow, object.Type);
}) === false) {
findings.push({
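Review bot: The direction of the new wildcard comparison is not documented: each entry of `options.allow` is handed to `wildstring.match` as the pattern and `object.Type` as the subject, so a `*` only has effect in the option, never in the template's type (assuming wildstring.match takes the pattern first, as the argument order here suggests). A one-line comment above the condition would spare the next reader the lookup, e.g. `// options.allow holds wildstring patterns; object.Type is the literal subject (allow-list)`. The deny branch in the hunk at `@@ -32,3 +35,5 @@` is the mirror case and deserves the same comment. `checker` starts on the first line of this hunk and continues past its end.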

@@ -32,3 +35,5 @@ logicalID: object.LogicalId,

}
if (options.deny !== undefined && options.deny.indexOf(object.Type) !== -1) {
if (options.deny !== undefined && _.some(options.deny, function(deny) {
return wildstring.match(deny, object.Type);
}) === true) {
findings.push({

@@ -35,0 +40,0 @@ logicalID: object.LogicalId,

@@ -6,3 +6,3 @@ /*

allow traffic from public ip addresses.
allow traffic from public IP addresses.

@@ -9,0 +9,0 @@ Security groups attached to:

{
"name": "aws-cf-checker",
"version": "0.6.0",
"version": "0.7.0",
"description": "Checks AWS CloudFormation templates for security, reliability and conformity",

@@ -16,2 +16,3 @@ "keywords": [

"author": "Michael Wittig <michael@widdix.de>",
"contributors": ["Andreas Wittig <andreas@widdix.de>"],
"license": "MIT",

@@ -35,2 +36,5 @@ "dependencies": {

},
"bugs": {
"url": "https://github.com/widdix/aws-cf-checker/issues"
},
"engines": {

@@ -37,0 +41,0 @@ "node": ">=0.10"

@@ -95,7 +95,7 @@ [![Build Status](https://secure.travis-ci.org/widdix/aws-cf-checker.png)](http://travis-ci.org/widdix/aws-cf-checker)

* `case`: Enum["pascal", "camel"] (default: "pascal")
* `case`: (Enum["pascal", "camel"] default: "pascal")
### resourceType
Checks if the resource types are allowed in the template.
Checks if the resource types are allowed in the template. Wildcard * is supported.

@@ -107,4 +107,4 @@ If you `deny` something, everything that is not denied is allowed.

* `deny`: Array[String]
* `allow`: Array[String]
* `deny`: (Array[String]) (whitelist, wildcard * can be used)
* `allow`: (Array[String]) (blacklist, wildcard * can be used)

@@ -117,3 +117,3 @@ ### securityGroupInbound

allow traffic from public ip addresses.
allow traffic from public IP addresses.

@@ -170,1 +170,10 @@ Security groups attached to:

* `resource`: (String | Array[String]) IAM resource (wildcard * can be used)
### iamManagedPolicy
Checks IAM Users, Groups and Roles for managed policy attachments. Wildcard * is supported.
Options: (Object)
* `allow`: (Array[String]) List of allowed ARNs (whitelist, wildcard * can be used)
* `deny`: (Array[String]) List of denied ARNs (blacklist, wildcard * can be used)
var checker = require("../index.js");
var assert = require("assert-plus");
// TODO test wildcard
function test(template, options, expectedFindings, done) {
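Review bot: The `// TODO test wildcard` marker does not say which check lacks coverage; the hunks that follow add wildcard cases for resourceType, so if this is the resourceType test file the marker is already stale, and if it refers to the IAM checks it should name them, e.g. `// TODO test wildcard matching for iamPolicy / iamManagedPolicy`. Such a test would also pin the matching direction visible in the iamPolicy hunks: the option value is the wildstring pattern and the template action the literal subject, so a template action written as `iam:*` is not hit by a deny pattern `iam:PassRole` (if wildstring.match takes the pattern first, as the call order suggests); that limitation is worth one sentence in the README entries above. `test` begins on the last line of this hunk and continues past it.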

@@ -57,2 +57,32 @@ checker.checkTemplate(template, options, function(err, findings) {

});
it("no hit by wildcard", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
}
}
}
}, {
"resourceType": {
"deny": ["AWS::IAM::*"]
}
}, 0, done);
});
it("hit by wildcard", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
}
}
}
}, {
"resourceType": {
"deny": ["*"]
}
}, 1, done);
});
});
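Review bot: The new fixtures reuse the logical ID `VPC` for a resource of type `AWS::EC2::InternetGateway` (in "no hit by wildcard" here and in "hit by wildcard" in the hunk at `@@ -100,3 +130,33 @@`), so any finding that reports the logical ID would read as if a VPC were flagged. Naming that resource `InternetGateway` keeps a failure message honest. The four added cases exercise only a trailing `*` and a bare `*`; one case with the wildcard in the middle, such as `"deny": ["AWS::*::VPC"]`, would show the pattern is not limited to suffix position. The enclosing `describe` block begins outside the hunk.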

@@ -100,3 +130,33 @@ describe("allow", function() {

});
it("hit by wildcard", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::InternetGateway",
"Properties": {
}
}
}
}, {
"resourceType": {
"allow": ["AWS::IAM::*"]
}
}, 1, done);
});
it("no hit by wildcard", function(done) {
test({
"Resources": {
"VPC": {
"Type": "AWS::EC2::VPC",
"Properties": {
}
}
}
}, {
"resourceType": {
"allow": ["*"]
}
}, 0, done);
});
});
});