diff --git a/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py b/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py
index 5f3d1be8e2..0778feee26 100644
--- a/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py
+++ b/checkov/terraform/checks/resource/azure/NSGRulePortAccessRestricted.py
@@ -5,16 +5,17 @@ from checkov.common.util.type_forcers import force_list
 import re
-INTERNET_ADDRESSES = ("*", "0.0.0.0", "/0", "/0", "internet", "any") # nosec
+INTERNET_ADDRESSES = re.compile(r"^(\*|internet|any|0\.0\.0\.0|.*/0)$", re.IGNORECASE)
 PORT_RANGE = re.compile(r"\d+-\d+")
 class NSGRulePortAccessRestricted(BaseResourceCheck):
- def __init__(self, name: str, check_id: str, port: int) -> None:
+ def __init__(self, name: str, check_id: str, port: int, additional_protocols: Union[List[str]] = []) -> None:
 supported_resources = ("azurerm_network_security_rule", "azurerm_network_security_group")
 categories = (CheckCategories.NETWORKING,)
 super().__init__(name=name, id=check_id, categories=categories, supported_resources=supported_resources)
 self.port = port
+ self.additional_protocols = additional_protocols
 def is_port_in_range(self, ports: Union[int, str, List[Union[int, str]]]) -> bool:
 for range in force_list(ports):
@@ -53,7 +54,7 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 and direction
 and direction[0].lower() == "inbound"
 and protocol
- and protocol[0].lower() in ("tcp", "*")
+ and protocol[0].lower() in (("tcp", "*") + tuple(self.additional_protocols))
 and (
 (
 destination_port_range
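Review bot: The new `additional_protocols` parameter on `__init__` uses a mutable default (`= []`) and a one-member `Union[List[str]]`, which is just `List[str]`; the list is only stored, not mutated, so this is not a live bug today, but it is the classic footgun and the annotation reads as a typo. Because `scan_resource_conf` in the second hunk compares `protocol[0].lower()` against the tuple, an uppercase entry such as `["UDP"]` would silently never match, so normalising at construction time belongs in the same place. Suggested: `additional_protocols: Union[List[str], None] = None` in the signature and `self.additional_protocols = [p.lower() for p in (additional_protocols or [])]` for the assignment, which keeps the existing `["udp"]` caller working. The `is_port_in_range` and `scan_resource_conf` bodies continue outside the hunk.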
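Review bot: The allowed-protocol tuple `(("tcp", "*") + tuple(self.additional_protocols))` is rebuilt for every resource scanned and the outer parentheses add nothing; a precomputed attribute reads better and keeps the accepted set in one place. Suggested: set `self.allowed_protocols = ("tcp", "*") + tuple(self.additional_protocols)` in `__init__` and write this line as `and protocol[0].lower() in self.allowed_protocols`. `scan_resource_conf` starts and ends outside the hunk.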
@@ -69,14 +70,13 @@ def scan_resource_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
 (
 source_address_prefix
 and isinstance(source_address_prefix[0], str)
- and source_address_prefix[0].lower() in INTERNET_ADDRESSES # fmt: skip
+ and bool(INTERNET_ADDRESSES.match(source_address_prefix[0]))
 )
 or (
 source_address_prefixes
 and source_address_prefixes[0]
 and isinstance(source_address_prefixes[0], list)
- and any((isinstance(prefix, str) and prefix.lower()) in INTERNET_ADDRESSES for prefix in
- source_address_prefixes[0])
+ and any(isinstance(prefix, str) and INTERNET_ADDRESSES.match(prefix) for prefix in source_address_prefixes[0])
 )
 )
 ):
diff --git a/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py b/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py
index d852cd6f91..b6ad9136a6 100644
--- a/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py
+++ b/checkov/terraform/checks/resource/azure/NSGRuleRDPAccessRestricted.py
@@ -7,6 +7,7 @@ def __init__(self) -> None:
 name="Ensure that RDP access is restricted from the internet",
 check_id="CKV_AZURE_9",
 port=3389,
+ additional_protocols=["udp"]
 )
diff --git a/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf b/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf
index 0a92112063..989d0a43c7 100644
--- a/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf
+++ b/tests/terraform/checks/resource/azure/example_NSGRuleRDPAccessRestricted/main.tf
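Review bot: Both new branches call `INTERNET_ADDRESSES.match(...)`, and with the `$` anchor in the pattern that still accepts a value carrying a trailing newline (`re` lets `$` match before a final `\n`); `fullmatch` is the tighter check and makes the `^`/`$` anchors redundant. The two branches are also inconsistent: the first wraps the result in `bool(...)`, the second relies on `any()` truthiness of a `Match` object. Suggested: `and INTERNET_ADDRESSES.fullmatch(source_address_prefix[0]) is not None` and `and any(isinstance(prefix, str) and INTERNET_ADDRESSES.fullmatch(prefix) for prefix in source_address_prefixes[0])`. Values here come from parsed HCL, so the newline case is presumably rare, but it costs nothing to close. The enclosing condition in `scan_resource_conf` starts outside the hunk.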
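Review bot: The added `additional_protocols=["udp"]` line drops the trailing comma that the neighbouring keyword arguments (`check_id="CKV_AZURE_9",`, `port=3389,`) carry, so the next argument added here will touch two lines; write it as `additional_protocols=["udp"],`. Passing a fresh list per caller is fine as written.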
@@ -130,8 +130,44 @@ resource "azurerm_network_security_group" "ranges" {
 }
 }
+resource "azurerm_network_security_rule" "f_source_slash_zero" {
+ name = "example"
+ access = "Allow"
+ direction = "Inbound"
+ network_security_group_name = "azurerm_network_security_group.example.name"
+ priority = 100
+ protocol = "Tcp"
+ resource_group_name = "azurerm_resource_group.example.name"
+
+ destination_port_range = 3389
+ source_address_prefix = "0/0"
+ destination_port_ranges = null
+ source_address_prefixes = null
+}
+
 # lower case
+resource "azurerm_network_security_rule" "f_ranges_udp_lower_case" {
+ name = "example"
+ access = "allow"
+ direction = "inbound"
+ network_security_group_name = "azurerm_network_security_group.example.name"
+ priority = 100
+ protocol = "udp"
+ resource_group_name = "azurerm_resource_group.example.name"
+
+ destination_port_range = null
+ source_address_prefix = null
+ destination_port_ranges = [
+ 3389,
+ 443
+ ]
+ source_address_prefixes = [
+ "0.0.0.0/0",
+ "10.0.0.0/16"
+ ]
+}
+
 resource "azurerm_network_security_rule" "ranges_prefixes_lower_case" {
 name = "example"
 access = "allow"
diff --git a/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py b/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py
index 8a42487cff..7880ccc04b 100644
--- a/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py
+++ b/tests/terraform/checks/resource/azure/test_NSGRuleRDPAccessRestricted.py
@@ -31,6 +31,8 @@ def test(self):
 "azurerm_network_security_group.ranges",
 "azurerm_network_security_rule.ranges_prefixes_lower_case",
 "azurerm_network_security_rule.range_prefix_lower_case",
+ "azurerm_network_security_rule.f_source_slash_zero",
+ "azurerm_network_security_rule.f_ranges_udp_lower_case",
 }
 passed_check_resources = {c.resource for c in report.passed_checks}
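Review bot: The new fixtures exercise `0/0` and a lowercase `udp` rule, but nothing covers the IPv6 any-address `::/0`, which the new `.*/0` alternative in `INTERNET_ADDRESSES` also matches. A third failing resource with `source_address_prefix = "::/0"` (and its name added to the expected-failures set in `test_NSGRuleRDPAccessRestricted.py`) would pin that behaviour so a later tightening of the pattern cannot silently drop it.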