aws-cf-checker
Comparing version 0.6.0 to 0.7.0
@@ -140,6 +140,6 @@ /* | ||
if (options.allow !== undefined && _.some(options.allow, function(allow) { | ||
return _.some(toArray(toWildcard(allow.action)), function(action) { | ||
return wildstring.match(action, pair.action); | ||
}) && _.some(toArray(toWildcard(allow.resource)), function(resource) { | ||
return wildstring.match(resource, pair.resource); | ||
return _.some(toArray(toWildcard(allow.action)), function(allowAction) { | ||
return wildstring.match(allowAction, pair.action); | ||
}) && _.some(toArray(toWildcard(allow.resource)), function(allowResource) { | ||
return wildstring.match(allowResource, pair.resource); | ||
}); | ||
@@ -153,6 +153,6 @@ }) === false) { | ||
if (options.deny !== undefined && _.some(options.deny, function(deny) { | ||
return _.some(toArray(toWildcard(deny.action)), function(action) { | ||
return wildstring.match(action, pair.action); | ||
}) && _.some(toArray(toWildcard(deny.resource)), function(resource) { | ||
return wildstring.match(resource, pair.resource); | ||
return _.some(toArray(toWildcard(deny.action)), function(denyAction) { | ||
return wildstring.match(denyAction, pair.action); | ||
}) && _.some(toArray(toWildcard(deny.resource)), function(denyResource) { | ||
return wildstring.match(denyResource, pair.resource); | ||
}); | ||
@@ -159,0 +159,0 @@ }) === true) { |
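Review bot: `wildstring.match(denyAction, pair.action)` in the second hunk's added lines compares the template's action literally against the deny pattern, so if a template action is itself a wildcard (for example `s3:*`) a narrower deny pattern such as `s3:Delete*` does not match and the broader grant passes the check unflagged, whereas the `allow` branch in the first hunk fails in the safe direction by reporting a finding. If `pair.action` and `pair.resource` can carry wildcards from the template, the deny side should also treat the template value as a pattern, e.g. `return wildstring.match(denyAction, pair.action) || wildstring.match(pair.action, denyAction);`, and likewise for the resource callback — or the limitation should be stated in the checker's option comment. This is inferred from the matching calls alone; where `pair` is built is outside the hunk, and the enclosing function starts and ends outside it.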
@@ -6,3 +6,3 @@ /* | ||
* `case`: Enum["pascal", "camel"] (default: "pascal") | ||
* `case`: (Enum["pascal", "camel"] default: "pascal") | ||
*/ | ||
@@ -9,0 +9,0 @@ |
/* | ||
Checks if the resource types are allowed in the template. | ||
Checks if the resource types are allowed in the template. Wildcard * is supported. | ||
@@ -9,7 +9,8 @@ If you `deny` something, everything that is not denied is allowed. | ||
* `deny`: Array[String] | ||
* `allow`: Array[String] | ||
* `deny`: (Array[String]) (whitelist, wildcard * can be used) | ||
* `allow`: (Array[String]) (blacklist, wildcard * can be used) | ||
*/ | ||
var _ = require("lodash"); | ||
var wildstring = require("wildstring"); | ||
@@ -25,3 +26,5 @@ function filterPartResource(object) { | ||
function checker(object) { | ||
if (options.allow !== undefined && options.allow.indexOf(object.Type) === -1) { | ||
if (options.allow !== undefined && _.some(options.allow, function(allow) { | ||
return wildstring.match(allow, object.Type); | ||
}) === false) { | ||
findings.push({ | ||
@@ -32,3 +35,5 @@ logicalID: object.LogicalId, | ||
} | ||
if (options.deny !== undefined && options.deny.indexOf(object.Type) !== -1) { | ||
if (options.deny !== undefined && _.some(options.deny, function(deny) { | ||
return wildstring.match(deny, object.Type); | ||
}) === true) { | ||
findings.push({ | ||
@@ -35,0 +40,0 @@ logicalID: object.LogicalId, |
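Review bot: The option comment in the second hunk has the list roles inverted — `deny` is labelled `(whitelist, wildcard * can be used)` and `allow` is labelled `(blacklist, ...)` — while the code in the third and fourth hunks reports a finding when a type matches no `allow` entry (`=== false`) and when it matches a `deny` entry (`=== true`), so `allow` is the whitelist and `deny` the blacklist, which is also how the README's new iamManagedPolicy text describes the two lists. Swap the two words: `* deny: (Array[String]) (blacklist, wildcard * can be used)` and `* allow: (Array[String]) (whitelist, wildcard * can be used)`. The same inverted pair appears in the README hunk at `@@ -107,4 +107,4 @@`. Separately, `wildstring.match(allow, object.Type)` and `wildstring.match(deny, object.Type)` assume `object.Type` is a string; whether a resource without `Type` can reach `checker` depends on `filterPartResource`, which is outside the hunk, so a short guard or a confirming comment would help.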
@@ -6,3 +6,3 @@ /* | ||
allow traffic from public ip addresses. | ||
allow traffic from public IP addresses. | ||
@@ -9,0 +9,0 @@ Security groups attached to: |
{ | ||
"name": "aws-cf-checker", | ||
"version": "0.6.0", | ||
"version": "0.7.0", | ||
"description": "Checks AWS CloudFormation templates for security, reliability and conformity", | ||
@@ -16,2 +16,3 @@ "keywords": [ | ||
"author": "Michael Wittig <michael@widdix.de>", | ||
"contributors": ["Andreas Wittig <andreas@widdix.de>"], | ||
"license": "MIT", | ||
@@ -35,2 +36,5 @@ "dependencies": { | ||
}, | ||
"bugs": { | ||
"url": "https://github.com/widdix/aws-cf-checker/issues" | ||
}, | ||
"engines": { | ||
@@ -37,0 +41,0 @@ "node": ">=0.10" |
@@ -95,7 +95,7 @@ [![Build Status](https://secure.travis-ci.org/widdix/aws-cf-checker.png)](http://travis-ci.org/widdix/aws-cf-checker) | ||
* `case`: Enum["pascal", "camel"] (default: "pascal") | ||
* `case`: (Enum["pascal", "camel"] default: "pascal") | ||
### resourceType | ||
Checks if the resource types are allowed in the template. | ||
Checks if the resource types are allowed in the template. Wildcard * is supported. | ||
@@ -107,4 +107,4 @@ If you `deny` something, everything that is not denied is allowed. | ||
* `deny`: Array[String] | ||
* `allow`: Array[String] | ||
* `deny`: (Array[String]) (whitelist, wildcard * can be used) | ||
* `allow`: (Array[String]) (blacklist, wildcard * can be used) | ||
@@ -117,3 +117,3 @@ ### securityGroupInbound | ||
allow traffic from public ip addresses. | ||
allow traffic from public IP addresses. | ||
@@ -170,1 +170,10 @@ Security groups attached to: | ||
* `resource`: (String | Array[String]) IAM resource (wildcard * can be used) | ||
### iamManagedPolicy | ||
Checks IAM Users, Groups and Roles for managed policy attachments. Wildcard * is supported. | ||
Options: (Object) | ||
* `allow`: (Array[String]) List of allowed ARNs (whitelist, wildcard * can be used) | ||
* `deny`: (Array[String]) List of denied ARNs (blacklist, wildcard * can be used) |
var checker = require("../index.js"); | ||
var assert = require("assert-plus"); | ||
// TODO test wildcard | ||
function test(template, options, expectedFindings, done) { | ||
@@ -57,2 +57,32 @@ checker.checkTemplate(template, options, function(err, findings) { | ||
}); | ||
it("no hit by wildcard", function(done) { | ||
test({ | ||
"Resources": { | ||
"VPC": { | ||
"Type": "AWS::EC2::InternetGateway", | ||
"Properties": { | ||
} | ||
} | ||
} | ||
}, { | ||
"resourceType": { | ||
"deny": ["AWS::IAM::*"] | ||
} | ||
}, 0, done); | ||
}); | ||
it("hit by wildcard", function(done) { | ||
test({ | ||
"Resources": { | ||
"VPC": { | ||
"Type": "AWS::EC2::VPC", | ||
"Properties": { | ||
} | ||
} | ||
} | ||
}, { | ||
"resourceType": { | ||
"deny": ["*"] | ||
} | ||
}, 1, done); | ||
}); | ||
}); | ||
@@ -100,3 +130,33 @@ describe("allow", function() { | ||
}); | ||
it("hit by wildcard", function(done) { | ||
test({ | ||
"Resources": { | ||
"VPC": { | ||
"Type": "AWS::EC2::InternetGateway", | ||
"Properties": { | ||
} | ||
} | ||
} | ||
}, { | ||
"resourceType": { | ||
"allow": ["AWS::IAM::*"] | ||
} | ||
}, 1, done); | ||
}); | ||
it("no hit by wildcard", function(done) { | ||
test({ | ||
"Resources": { | ||
"VPC": { | ||
"Type": "AWS::EC2::VPC", | ||
"Properties": { | ||
} | ||
} | ||
} | ||
}, { | ||
"resourceType": { | ||
"allow": ["*"] | ||
} | ||
}, 0, done); | ||
}); | ||
}); | ||
}); |
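Review bot: The added wildcard tests never exercise a prefix pattern that actually matches — the "hit by wildcard" cases use a bare `"*"` and the "no hit by wildcard" cases use `"AWS::IAM::*"` against an EC2 type — so a regression in which `*` stopped matching across `::` segments would go unnoticed. Add one deny case with `"deny": ["AWS::EC2::*"]` against `"AWS::EC2::VPC"` expecting 1 finding and one allow case with `"allow": ["AWS::EC2::*"]` expecting 0. The logical ID `"VPC"` on a resource of type `AWS::EC2::InternetGateway` in two of the fixtures is misleading; naming it `"IGW"` would make the fixtures read correctly. The enclosing `describe` blocks start before the hunks, and the `// TODO test wildcard` line near the top of the section carries no side marker in this rendering — if it survives the commit it should be removed now that wildcard tests exist.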