• Home
• org.sonarsource.javascript
• javascript-checks
• 10.16.0.27621
• source code
• S6333.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S6333.html Maven / Gradle / Ivy

Creating APIs without authentication unnecessarily increases the attack surface on the target infrastructure.
Unless another authentication method is used, attackers have the opportunity to attempt attacks against the underlying API.
 This means attacks
both on the functionality provided by the API and its infrastructure.
Ask Yourself Whether

  
 The underlying API exposes all of its contents to any anonymous Internet user. 

There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
In general, prefer limiting API access to a specific set of people or entities.
AWS provides multiple methods to do so:

  
 AWS_IAM, to use standard AWS IAM roles and policies. 
  
 COGNITO_USER_POOLS, to use customizable OpenID Connect (OIDC) identity providers (IdP). 
  
 CUSTOM, to use an AWS-independant OIDC provider, glued to the infrastructure with a Lambda authorizer. 

Sensitive Code Example
For aws-cdk-lib.aws_apigateway.Resource:
import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example")
resource.addMethod(
    "GET",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.NONE // Sensitive
    }
)

For aws-cdk-lib.aws_apigatewayv2.CfnRoute:
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "no-auth", {
    apiId: api.ref,
    routeKey: "GET /no-auth",
    authorizationType: "NONE", // Sensitive
    target: exampleIntegration
})

Compliant Solution
For aws-cdk-lib.aws_apigateway.Resource:
import {aws_apigateway as apigateway} from "aws-cdk-lib"

const resource = api.root.addResource("example",{
    defaultMethodOptions:{
        authorizationType: apigateway.AuthorizationType.IAM
    }
})
resource.addMethod(
    "POST",
    new apigateway.HttpIntegration("https://example.org"),
    {
        authorizationType: apigateway.AuthorizationType.IAM
    }
)
resource.addMethod(  // authorizationType is inherited from the Resource's configured defaultMethodOptions
    "GET"
)

For aws-cdk-lib.aws_apigatewayv2.CfnRoute:
import {aws_apigatewayv2 as apigateway} from "aws-cdk-lib"

new apigateway.CfnRoute(this, "auth", {
    apiId: api.ref,
    routeKey: "POST /auth",
    authorizationType: "AWS_IAM",
    target: exampleIntegration
})

See

  
 AWS Documentation -
  Controlling and managing access to a REST API in API Gateway 
  
 CWE - CWE-284 - Improper Access Control 
  
 STIG Viewer - Application Security and
  Development: V-222620 - Application web servers must be on a separate network segment from the application and database servers.