How to use the cfripper.rules.SecurityGroupOpenToWorldRule.SecurityGroupOpenToWorldRule function in cfripper



def test_security_group_rules_as_refs(self):
        """A CidrIp given as a Ref is not resolved, so the rule records no failure for it."""
        ingress = {"CidrIp": {"Ref": "MyParam"}, "FromPort": 22, "ToPort": 22}
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [ingress]},
                }
            },
        }

        outcome = Result()
        rule = SecurityGroupOpenToWorldRule(None, outcome)
        rule.invoke(parse(template).resources, [])

        # Unresolved parameter: nothing to flag, result stays clean.
        assert outcome.valid
        assert not outcome.failed_rules
def test_security_group_type_slash0(self):
        """An IPv4 ingress from 0.0.0.0/0 on port 22 is reported with the port and logical id."""
        ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22}
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [ingress]},
                }
            },
        }

        outcome = Result()
        rule = SecurityGroupOpenToWorldRule(None, outcome)
        rule.invoke(parse(template).resources, [])

        assert not outcome.valid
        failure = outcome.failed_rules[0]
        assert failure.reason == 'Port 22 open to the world in security group "RootRole"'
        assert failure.rule == "SecurityGroupOpenToWorldRule"
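def test_invalid_security_group_cidripv6(self):
        """An IPv6 ingress from ::/0 on port 22 is reported exactly like the IPv4 0.0.0.0/0 case.

        Also asserts that the result is marked invalid, matching the IPv4
        slash-zero test, so a regression that records the failure but leaves
        ``valid`` untouched is caught here too.
        """
        role_props = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [{"CidrIpv6": "::/0", "FromPort": 22, "ToPort": 22}]},
                }
            },
        }

        result = Result()
        rule = SecurityGroupOpenToWorldRule(None, result)
        resources = parse(role_props).resources
        rule.invoke(resources, [])

        # Same contract as the IPv4 0.0.0.0/0 test: a failure must also flip ``valid``.
        assert not result.valid
        assert result.failed_rules[0].reason == 'Port 22 open to the world in security group "RootRole"'
        assert result.failed_rules[0].rule == "SecurityGroupOpenToWorldRule"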
def test_valid_security_group_not_slash0(self):
        """A private-range CIDR (10.0.0.0/8) on port 22 is not treated as open to the world."""
        ingress = {"CidrIp": "10.0.0.0/8", "FromPort": 22, "ToPort": 22}
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [ingress]},
                }
            },
        }

        outcome = Result()
        rule = SecurityGroupOpenToWorldRule(None, outcome)
        rule.invoke(parse(template).resources, [])

        assert outcome.valid
        assert not outcome.failed_rules
def test_valid_security_group_port80(self):
        """Port 80 open to 0.0.0.0/0 is accepted: this test expects it to be on the rule's allow list."""
        ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 80, "ToPort": 80}
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [ingress]},
                }
            },
        }

        outcome = Result()
        rule = SecurityGroupOpenToWorldRule(None, outcome)
        rule.invoke(parse(template).resources, [])

        assert outcome.valid
        assert not outcome.failed_rules
"AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {
                        "SecurityGroupIngress": [
                            {"CidrIp": "10.0.0.0/8", "FromPort": 22, "ToPort": 22},
                            {"CidrIp": "0.0.0.0/0", "FromPort": 9090, "ToPort": 9090},
                        ]
                    },
                }
            },
        }

        result = Result()
        rule = SecurityGroupOpenToWorldRule(None, result)
        resources = parse(role_props).resources
        rule.invoke(resources, [])

        assert result.failed_rules[0].reason == 'Port 9090 open to the world in security group "RootRole"'
        assert result.failed_rules[0].rule == "SecurityGroupOpenToWorldRule"
def test_valid_security_group_port443(self):
        """Port 443 open to 0.0.0.0/0 is accepted: this test expects it to be on the rule's allow list."""
        ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 443, "ToPort": 443}
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [ingress]},
                }
            },
        }

        outcome = Result()
        rule = SecurityGroupOpenToWorldRule(None, outcome)
        rule.invoke(parse(template).resources, [])

        assert outcome.valid
        assert not outcome.failed_rules
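def test_invalid_security_group_range(self):
        """A port range (0-100) open to 0.0.0.0/0 is reported with a single range-style reason.

        Also asserts that the result is marked invalid, matching the
        single-port slash-zero test, so the range path cannot silently
        record a failure without flipping ``valid``.
        """
        role_props = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {"SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "FromPort": 0, "ToPort": 100}]},
                }
            },
        }

        result = Result()
        rule = SecurityGroupOpenToWorldRule(None, result)
        resources = parse(role_props).resources
        rule.invoke(resources, [])

        # Same contract as the single-port 0.0.0.0/0 test: a failure must also flip ``valid``.
        assert not result.valid
        assert result.failed_rules[0].reason == "Ports 0 - 100 open in Security Group RootRole"
        assert result.failed_rules[0].rule == "SecurityGroupOpenToWorldRule"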
this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""
from pycfmodel.model.resources.security_group_ingress import SecurityGroupIngress

from .SecurityGroupOpenToWorldRule import SecurityGroupOpenToWorldRule


class SecurityGroupIngressOpenToWorld(SecurityGroupOpenToWorldRule):
    """Flag standalone ``SecurityGroupIngress`` resources that are open to the whole internet.

    Reuses the parent rule's ``REASON`` template and ``_config`` (both are
    expected to be provided by ``SecurityGroupOpenToWorldRule``; neither is
    defined here). A resource counts as world-open when its own
    ``ipv4_slash_zero()`` or ``ipv6_slash_zero()`` reports so; every port in
    ``FromPort..ToPort`` that is not listed (as a string) in
    ``allowed_world_open_ports`` produces one failure.
    """

    def invoke(self, cfmodel):
        for logical_id, resource in cfmodel.Resources.items():
            if not isinstance(resource, SecurityGroupIngress):
                continue
            # Short-circuit order matters: ipv6 is only consulted when ipv4 is not /0.
            if not (resource.ipv4_slash_zero() or resource.ipv6_slash_zero()):
                continue
            props = resource.Properties
            # ToPort is inclusive, hence the +1; NOTE(review): assumes both ports are ints — confirm in pycfmodel.
            for port in range(props.FromPort, props.ToPort + 1):
                # Allow-list entries are compared as strings, so the port is stringified first.
                if str(port) in self._config.allowed_world_open_ports:
                    continue
                self.add_failure(type(self).__name__, self.REASON.format(port, logical_id))