feat(security): Add security checks for Azure Web Apps including Always On, public network access, client certificate requirements, remote debugging, and HTTPS-only settings

Author: GeekMasher

ql/src/reliability/WebAppAlwaysOnDisabled.md

@@ -0,0 +1,65 @@
+# Web App without Always On enabled
+
+Azure Web Apps should have the "Always On" setting enabled in production environments to ensure reliability, performance, and security. When Always On is disabled, the application may experience cold start delays and periodic shutdowns that could impact availability and security.
+
+## Recommendation
+
+Enable the "Always On" setting for all production Azure Web Apps:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      alwaysOn: true  // Enable Always On for reliability and security
+    }
+  }
+}
+```
+
+## Example
+
+### Suboptimal configuration
+
+```bicep
+resource webAppWithoutAlwaysOn 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      // Always On is not explicitly enabled, which can lead to
+      // application shutdowns and cold starts
+    }
+  }
+}
+```
+
+### Recommended configuration
+
+```bicep
+resource webAppWithAlwaysOn 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    siteConfig: {
+      alwaysOn: true  // Explicitly enable Always On
+    }
+  }
+}
+```
+
+## Why this is important
+
+When "Always On" is disabled:
+- The application can be unloaded after a period of inactivity
+- Cold starts can cause delays for users and create availability issues
+- Periodic recycling can interrupt background processes
+- Attackers could potentially exploit behavior differences between cold and warm instances
+
+## References
+* [Configure an App Service app](https://learn.microsoft.com/en-us/azure/app-service/configure-common)
+* [Azure App Service plan overview](https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans)

ql/src/reliability/WebAppAlwaysOnDisabled.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Web App without Always On enabled
+ * @description Azure Web Apps should have Always On enabled to ensure reliability and security.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.0
+ * @precision high
+ * @id bicep/webapp-always-on-disabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       reliability
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site, Web::SitesProperties::SiteConfig config
+where
+  config = site.getProperties().getSiteConfig() and
+  not config.isAlwaysOn() and
+  // Only apply to production web apps, not function apps
+  site.isWebApp() and
+  not site.isFunctionApp()
+select site, "Azure Web App doesn't have Always On enabled, which can lead to poor reliability and potential security issues due to cold starts."

ql/src/security/CWE-284/WebAppPublicNetworkAccess.md

@@ -0,0 +1,65 @@
+# Web App with unrestricted public access
+
+Azure Web Apps with unrestricted public network access are potentially vulnerable to attacks from the internet. For sensitive applications, restricting network access by using Virtual Network integration or by disabling public network access provides an additional layer of security.
+
+## Recommendation
+
+Restrict public network access to your Azure Web App by either:
+
+1. Integrating with Azure Virtual Network:
+```bicep
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    virtualNetworkSubnetId: subnet.id  // Add VNet integration
+  }
+}
+```
+
+2. Or by explicitly disabling public network access (for critical applications):
+```bicep
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    publicNetworkAccess: 'Disabled'  // Disable public network access
+  }
+}
+```
+
+## Example
+
+### Insecure configuration
+
+```bicep
+resource insecureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'insecureApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    // No network restrictions - accessible from anywhere
+  }
+}
+```
+
+### Secure configuration
+
+```bicep
+resource secureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'secureApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    publicNetworkAccess: 'Disabled'
+    virtualNetworkSubnetId: resourceId('Microsoft.Network/virtualNetworks/subnets', 'myVNet', 'mySubnet')
+  }
+}
+```
+
+## References
+* [Azure App Service networking features](https://learn.microsoft.com/en-us/azure/app-service/networking-features)
+* [Configure regional VNet integration](https://learn.microsoft.com/en-us/azure/app-service/configure-vnet-integration-enable)
+* [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)

ql/src/security/CWE-284/WebAppPublicNetworkAccess.ql

@@ -0,0 +1,27 @@
+/**
+ * @name Web App with unrestricted public access
+ * @description Azure Web Apps should restrict public network access to enhance security.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @precision high
+ * @id bicep/sites-public-network-access
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-284
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site, Web::SitesProperties::Properties props
+where
+  props = site.getProperties() and
+  // Check if the site has public network access enabled (default) and no VNet integration
+  props.isPublicNetworkAccessEnabled() and
+  not exists(StringLiteral vnetSubnetId |
+    vnetSubnetId = site.getVirtualNetworkSubnetId() or
+    vnetSubnetId = props.getVirtualNetworkSubnetId()
+  )
+select site, "Azure Web App has unrestricted public network access without VNet integration, potentially increasing attack surface."

ql/src/security/CWE-295/WebAppMissingClientCert.md

@@ -0,0 +1,58 @@
+# Web App without Client Certificate requirement
+
+Azure Web Apps that handle sensitive operations should consider requiring client certificates for mutual TLS authentication. Client certificates provide an additional layer of security by ensuring that only authenticated clients with valid certificates can access the application.
+
+## Recommendation
+
+For applications handling sensitive information or operations, enable and require client certificates:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'mySecureWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    clientCertEnabled: true
+    clientCertMode: 'Required'  // Enforce client certificate validation
+  }
+  httpsOnly: true
+}
+```
+
+## Example
+
+### Incomplete configuration
+
+```bicep
+resource webAppWithIncompleteConfig 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    // Client certificates are enabled but not required
+    clientCertEnabled: true
+    // Missing clientCertMode: 'Required'
+  }
+  httpsOnly: true
+}
+```
+
+### Secure configuration
+
+```bicep
+resource secureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'mySecureWebApp'
+  location: location
+  properties: {
+    serverFarmId: appServicePlan.id
+    clientCertEnabled: true
+    clientCertMode: 'Required'  // Certificates are required
+  }
+  httpsOnly: true
+}
+```
+
+## References
+* [Configure TLS mutual authentication for Azure App Service](https://learn.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth)
+* [Microsoft.Web/sites resource type](https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites)
+* [CWE-295: Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)

ql/src/security/CWE-295/WebAppMissingClientCert.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Web App without Client Certificate requirement
+ * @description Azure Web Apps handling sensitive operations should require client certificates for additional authentication.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision medium
+ * @id bicep/webapp-missing-client-cert
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-295
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site
+where
+  // Site has HTTPS enabled (showing security awareness)
+  site.isHttpsOnly() and
+  (
+    // But doesn't have client certificate enabled at the site level
+    not site.isClientCertEnabled() or
+    // Or has it enabled but not set to required in properties
+    (
+      site.isClientCertEnabled() and
+      not site.getProperties().isClientCertRequired()
+    )
+  )
+select site, "Azure Web App with HTTPS enabled doesn't require client certificates for mutual TLS authentication."

ql/src/security/CWE-306/WebAppRemoteDebuggingEnabled.md

@@ -0,0 +1,59 @@
+# Web App with Remote Debugging enabled
+
+Remote debugging should be disabled in production Azure Web Apps. When remote debugging is enabled in a production environment, it can expose sensitive information and potentially allow unauthorized access to your application.
+
+## Recommendation
+
+Disable remote debugging in production environments:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'myWebApp'
+  location: location
+  properties: {
+    siteConfig: {
+      // Ensure remote debugging is disabled
+      remoteDebuggingEnabled: false
+      // or omit the property entirely as it defaults to false
+    }
+  }
+}
+```
+
+## Example
+
+### Insecure configuration
+
+```bicep
+resource insecureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'insecureApp'
+  location: location
+  properties: {
+    siteConfig: {
+      // Remote debugging should never be enabled in production
+      remoteDebuggingEnabled: true
+      remoteDebuggingVersion: 'VS2019'
+    }
+  }
+}
+```
+
+### Secure configuration
+
+```bicep
+resource secureWebApp 'Microsoft.Web/sites@2022-03-01' = {
+  name: 'secureApp'
+  location: location
+  properties: {
+    siteConfig: {
+      // Remote debugging is explicitly disabled
+      remoteDebuggingEnabled: false
+    }
+  }
+}
+```
+
+## References
+* [Azure App Service security best practices](https://learn.microsoft.com/en-us/azure/app-service/security-recommendations)
+* [Microsoft.Web/sites resource type](https://learn.microsoft.com/en-us/azure/templates/microsoft.web/sites)
+* [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/data/definitions/306.html)

ql/src/security/CWE-306/WebAppRemoteDebuggingEnabled.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Web App with Remote Debugging enabled
+ * @description Remote debugging should be disabled in production web apps to prevent unauthorized access.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.0
+ * @precision high
+ * @id bicep/webapp-remote-debugging-enabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-306
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site, Web::SitesProperties::SiteConfig config
+where
+  config = site.getProperties().getSiteConfig() and
+  config.isRemoteDebuggingEnabled()
+select site, "Azure Web App has remote debugging enabled, which can expose sensitive debugging information."