All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.python.checks.cdk.PublicApiIsSecuritySensitiveCheck Maven / Gradle / Ivy

There is a newer version: 4.23.0.17664
Show newest version
/*
 * SonarQube Python Plugin
 * Copyright (C) 2011-2024 SonarSource SA
 * mailto:info AT sonarsource DOT com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the Sonar Source-Available License for more details.
 *
 * You should have received a copy of the Sonar Source-Available License
 * along with this program; if not, see https://sonarsource.com/license/ssal/
 */
package org.sonar.python.checks.cdk;

import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import org.sonar.check.Rule;
import org.sonar.plugins.python.api.PythonVisitorContext;
import org.sonar.plugins.python.api.SubscriptionContext;
import org.sonar.plugins.python.api.symbols.Symbol;
import org.sonar.plugins.python.api.tree.CallExpression;
import org.sonar.plugins.python.api.tree.Expression;
import org.sonar.plugins.python.api.tree.FunctionDef;
import org.sonar.plugins.python.api.tree.Tree;
import org.sonar.python.tree.FunctionDefImpl;
import org.sonar.python.tree.TreeUtils;

import static org.sonar.python.checks.cdk.CdkPredicate.isFqn;
import static org.sonar.python.checks.cdk.CdkPredicate.isString;
import static org.sonar.python.checks.cdk.CdkUtils.getArgument;
import static org.sonar.python.checks.cdk.CdkUtils.getDictionary;
import static org.sonar.python.checks.cdk.CdkUtils.getDictionaryPair;

@Rule(key = "S6333")
public class PublicApiIsSecuritySensitiveCheck extends AbstractCdkResourceCheck {
  private static final String MESSAGE = "Make sure that creating public APIs is safe here.";
  private static final String OMITTING_MESSAGE = "Omitting \"authorization_type\" disables authentication. Make sure it is safe here.";
  private static final String AUTHORIZATION_TYPE = "authorization_type";
  private static final String AUTHORIZATION_TYPE_NONE = "aws_cdk.aws_apigateway.AuthorizationType.NONE";

  private final Set safeMethods = new HashSet<>();

  @Override
  public void scanFile(PythonVisitorContext visitorContext) {
    super.scanFile(visitorContext);
    safeMethods.clear();
  }

  @Override
  protected void registerFqnConsumer() {
    checkFqns(List.of("aws_cdk.aws_apigateway.CfnMethod", "aws_cdk.aws_apigatewayv2.CfnRoute"), (subscriptionContext, callExpression) ->
      getArgument(subscriptionContext, callExpression, AUTHORIZATION_TYPE).ifPresentOrElse(
        argument -> argument.addIssueIf(isString("NONE"), MESSAGE),
        () -> subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE)
      )
    );

    checkFqns(List.of("aws_cdk.aws_apigateway.RestApi", "aws_cdk.aws_apigateway.Resource.add_resource"), (subscriptionContext, callExpression) ->
      getArgument(subscriptionContext, callExpression, "default_method_options").ifPresent(
        argument -> {
          if (isArgumentSafe(subscriptionContext, argument)) {
            // if invocation of RestApi() or Resource.add_resource() is with the safe default, and it's in the method,
            // then store the method's full qualified name in safeMethods
            enclosingMethodFqn(callExpression).ifPresent(safeMethods::add);
          }
        }
      )
    );

    checkFqn("aws_cdk.aws_apigateway.Resource.add_method", (subscriptionContext, callExpression) ->
      getArgument(subscriptionContext, callExpression, AUTHORIZATION_TYPE).ifPresentOrElse(
        argument -> argument.addIssueIf(isFqn(AUTHORIZATION_TYPE_NONE), MESSAGE),
        () -> enclosingMethodFqn(callExpression).filter(fqn -> !safeMethods.contains(fqn)).ifPresent(fnq ->
          // if the invocation of Resource.add_method() is without explicit authorization_type argument,
          // and it's not in the scope of safeMethod the call, then it's considered unsafe
          // this is the best possible approximation for now
          subscriptionContext.addIssue(callExpression.callee(), OMITTING_MESSAGE)
        )
      )
    );
  }

  private static Optional enclosingMethodFqn(Tree tree) {
    FunctionDef functionDef = (FunctionDef) TreeUtils.firstAncestorOfKind(tree, Tree.Kind.FUNCDEF);
    return Optional.ofNullable(functionDef)
      .map(FunctionDefImpl.class::cast)
      .map(FunctionDefImpl::functionSymbol)
      .map(Symbol::fullyQualifiedName);
  }

  private static boolean isArgumentSafe(SubscriptionContext subscriptionContext, CdkUtils.ExpressionFlow argument) {
    return !(isUnsafeSafeDictionaryAuthorisationKey(subscriptionContext, argument.getLast())
      || isUnsafeAuthorisationArgument(subscriptionContext, argument));
  }

  private static boolean isUnsafeSafeDictionaryAuthorisationKey(SubscriptionContext ctx, Expression expression) {
    return getDictionary(expression)
      .flatMap(dictionary -> getDictionaryPair(ctx, dictionary, AUTHORIZATION_TYPE))
      .filter(element -> isFqn(AUTHORIZATION_TYPE_NONE).test(element.value.getLast()))
      .isPresent();
  }

  private static boolean isUnsafeAuthorisationArgument(SubscriptionContext subscriptionContext, CdkUtils.ExpressionFlow expression) {
    return expression.getExpression(isCallExpression().and(isFqn("aws_cdk.aws_apigateway.MethodOptions")))
      .flatMap(expr -> getArgument(subscriptionContext, (CallExpression) expr, AUTHORIZATION_TYPE))
      .filter(expr -> expr.hasExpression(isFqn(AUTHORIZATION_TYPE_NONE)))
      .isPresent();
  }

  public static Predicate isCallExpression() {
    return expression -> expression.is(Tree.Kind.CALL_EXPR);
  }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy