SONARPY-1012: Rule S6249: Authorizing HTTP communications with S3 buckets is security-sensitive. (#402)

GitOrigin-RevId: 27d012893267f2ecfb7b32380e70adad1e2aab2e

Author: joke1196

python-checks/src/main/java/org/sonar/python/checks/OpenSourceCheckList.java

@@ -29,6 +29,7 @@
 import org.sonar.python.checks.cdk.ResourceAccessPolicyCheck;
 import org.sonar.python.checks.cdk.S3BucketBlockPublicAccessCheck;
 import org.sonar.python.checks.cdk.S3BucketGrantedAccessCheck;
+import org.sonar.python.checks.cdk.S3BucketHTTPCommunicationCheck;
 import org.sonar.python.checks.cdk.S3BucketServerEncryptionCheck;
 import org.sonar.python.checks.cdk.S3BucketVersioningCheck;
 import org.sonar.python.checks.cdk.UnencryptedEbsVolumeCheck;
@@ -343,6 +344,7 @@ public Stream<Class<?>> getChecks() {
       RobustCipherAlgorithmCheck.class,
       S3BucketBlockPublicAccessCheck.class,
       S3BucketGrantedAccessCheck.class,
+      S3BucketHTTPCommunicationCheck.class,
       S3BucketServerEncryptionCheck.class,
       S3BucketVersioningCheck.class,
       SameBranchCheck.class,

python-checks/src/main/java/org/sonar/python/checks/cdk/S3BucketHTTPCommunicationCheck.java

@@ -0,0 +1,142 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.cdk;
+
+import java.util.Optional;
+import java.util.function.BiConsumer;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.Usage;
+import org.sonar.plugins.python.api.tree.AssignmentStatement;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.ListLiteral;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S6249")
+public class S3BucketHTTPCommunicationCheck extends AbstractS3BucketCheck {
+
+  private static final String MESSAGE_NO_POLICY = "No bucket policy enforces HTTPS-only access to this bucket. Make sure it is safe here.";
+  private static final String MESSAGE_HTTP_ALLOWED = "Make sure authorizing HTTP requests is safe here.";
+  private static final String POLICY_STATEMENT_FQN = "aws_cdk.aws_iam.PolicyStatement";
+
+  @Override
+  BiConsumer<SubscriptionContext, CallExpression> visitBucketConstructor() {
+    return S3BucketHTTPCommunicationCheck::checkBucketConstructor;
+  }
+
+  private static void checkBucketConstructor(SubscriptionContext ctx, CallExpression bucketConstructorCall) {
+
+    var enforceSslArg = CdkUtils.getArgument(ctx, bucketConstructorCall, "enforce_ssl");
+
+    if (enforceSslArg.isEmpty()) {
+      // No enforce_ssl parameter specified
+      // check if this bucket has add_to_resource_policy calls and a correct policy statement
+      getBucketPolicy(bucketConstructorCall)
+        .flatMap(S3BucketHTTPCommunicationCheck::getPolicyStatementConstructor)
+        .ifPresentOrElse(policyStatementConstructorCall -> visitPolicyStatement(ctx, policyStatementConstructorCall),
+          () -> ctx.addIssue(bucketConstructorCall.callee(), MESSAGE_NO_POLICY));
+    } else {
+      enforceSslArg.get().addIssueIf(CdkPredicate.isFalse(), MESSAGE_HTTP_ALLOWED, bucketConstructorCall);
+    }
+  }
+
+  private static Optional<CallExpression> getBucketPolicy(CallExpression bucketConstructor) {
+    return Optional.ofNullable(TreeUtils.firstAncestorOfKind(bucketConstructor, Tree.Kind.ASSIGNMENT_STMT))
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(AssignmentStatement.class))
+      .flatMap(S3BucketHTTPCommunicationCheck::getFirstAndOnlyAssignedVariable)
+      .flatMap(TreeUtils.toOptionalInstanceOfMapper(Name.class))
+      .flatMap(S3BucketHTTPCommunicationCheck::getAddToResourcePolicyCall);
+  }
+
+  private static Optional<Expression> getFirstAndOnlyAssignedVariable(AssignmentStatement assignmentStatement) {
+    return assignmentStatement.lhsExpressions().stream()
+      .filter(lhs -> lhs.expressions().size() == 1)
+      .map(lhs -> lhs.expressions().get(0))
+      .findFirst();
+  }
+
+  private static Optional<CallExpression> getAddToResourcePolicyCall(Name variableName) {
+    var symbol = TreeUtils.getSymbolFromTree(variableName);
+    if (symbol.isEmpty()) {
+      return Optional.empty();
+    }
+
+    // Check if the usage is part of a qualified expression like "bucket.add_to_resource_policy"
+    return symbol.get().usages().stream()
+      .filter(usage -> usage.kind() != Usage.Kind.ASSIGNMENT_LHS)
+      .map(usage -> usage.tree().parent())
+      .flatMap(TreeUtils.toStreamInstanceOfMapper(QualifiedExpression.class))
+      .filter(qualifiedExpr -> CdkPredicate.isFqn("add_to_resource_policy").test(qualifiedExpr.name()))
+      .map(QualifiedExpression::parent)
+      .flatMap(TreeUtils.toStreamInstanceOfMapper(CallExpression.class))
+      .findFirst();
+  }
+
+  private static Optional<CallExpression> getPolicyStatementConstructor(CallExpression addResourceToPolicyCall) {
+    if (!addResourceToPolicyCall.arguments().isEmpty()) {
+      return Optional.of(addResourceToPolicyCall.arguments().get(0))
+        .flatMap(TreeUtils.toOptionalInstanceOfMapper(RegularArgument.class))
+        .map(RegularArgument::expression)
+        .flatMap(TreeUtils.toOptionalInstanceOfMapper(CallExpression.class))
+        .filter(CdkPredicate.isFqn(POLICY_STATEMENT_FQN)::test);
+    }
+    return Optional.empty();
+  }
+
+  private static void visitPolicyStatement(SubscriptionContext ctx, CallExpression policyStatementConstructorCall) {
+    if (!isPolicyCompliantForHttpsDeny(ctx, policyStatementConstructorCall)) {
+      ctx.addIssue(policyStatementConstructorCall.callee(), MESSAGE_HTTP_ALLOWED);
+    }
+  }
+
+  private static boolean isPolicyCompliantForHttpsDeny(SubscriptionContext ctx, CallExpression policyStatementConstructorCall) {
+    // A compliant policy should have at least the following keyword arguments:
+    // 1. effect=iam.Effect.DENY
+    // 2. resources=["*"] (wildcard)
+    // 3. actions=["s3:*"] (wildcard)
+    // 4. principals=["*"] (wildcard)
+    // 5. conditions=["SecureTransport:False"] 
+
+    boolean hasDenyEffect = hasArgumentWithFqn(ctx, policyStatementConstructorCall, "effect", "aws_cdk.aws_iam.Effect.DENY");
+    boolean hasWildcardResources = argumentListContainsExpectedValue(ctx, policyStatementConstructorCall, "resources", "*");
+    boolean hasWildcardActions = argumentListContainsExpectedValue(ctx, policyStatementConstructorCall, "actions", "s3:*");
+    boolean hasWildcardPrincipals = argumentListContainsExpectedValue(ctx, policyStatementConstructorCall, "principals", "*");
+    boolean hasSecureTransportCondition = argumentListContainsExpectedValue(ctx, policyStatementConstructorCall, "conditions", "SecureTransport:False");
+
+    return hasDenyEffect && hasWildcardResources && hasWildcardActions && hasWildcardPrincipals && hasSecureTransportCondition;
+  }
+
+  private static boolean hasArgumentWithFqn(SubscriptionContext ctx, CallExpression call, String argName, String expectedFqn) {
+    return CdkUtils.getArgument(ctx, call, argName)
+      .map(flow -> flow.hasExpression(CdkPredicate.isFqn(expectedFqn)))
+      .orElse(false);
+  }
+
+  private static boolean argumentListContainsExpectedValue(SubscriptionContext ctx, CallExpression call, String argName, String expectedValue) {
+    return CdkUtils.getArgument(ctx, call, argName)
+      .flatMap(flow -> flow.getExpression(e -> e.is(Tree.Kind.LIST_LITERAL)))
+      .map(ListLiteral.class::cast)
+      .map(list -> list.elements().expressions().stream()
+        .anyMatch(expr -> CdkUtils.getString(expr).filter(expectedValue::equals).isPresent()))
+      .orElse(false);
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6249.html

@@ -0,0 +1,70 @@
+<p>By default, S3 buckets can be accessed through HTTP and HTTPs protocols.</p>
+<p>As HTTP is a clear-text protocol, it lacks the encryption of transported data, as well as the capability to build an authenticated connection. It
+means that a malicious actor who is able to intercept traffic from the network can read, modify or corrupt the transported content.</p>
+<h2>Ask Yourself Whether</h2>
+<ul>
+  <li> The S3 bucket stores sensitive information. </li>
+  <li> The infrastructure has to comply with AWS Foundational Security Best Practices standard. </li>
+</ul>
+<p>There is a risk if you answered yes to any of those questions.</p>
+<h2>Recommended Secure Coding Practices</h2>
+<p>It’s recommended to deny all HTTP requests:</p>
+<ul>
+  <li> for all objects (<code>*</code>) of the bucket </li>
+  <li> for all principals (<code>*</code>) </li>
+  <li> for all actions (<code>*</code>) </li>
+</ul>
+<h2>Sensitive Code Example</h2>
+<p>No secure policy is attached to this bucket:</p>
+<pre>
+import aws_cdk.aws_s3 as s3
+import aws_cdk.aws_iam as iam
+
+bucket = s3.Bucket(self, "bucket") # Sensitive
+</pre>
+<p>A policy is defined but forces only HTTPs communication for some users, some objects of the bucket and for some actions:</p>
+<pre>
+bucket = s3.Bucket(self, "bucket")
+bucket.add_to_resource_policy(iam.PolicyStatement(     # Sensitive
+    effect=iam.Effect.DENY,
+    resources=[bucket.bucket_arn],
+    actions=["s3:SomeAction"],
+    principals=[roles],
+    conditions=[{"Bool": {"aws:SecureTransport": False}}]
+    )
+)
+</pre>
+<h2>Compliant Solution</h2>
+<p>A bucket policy that complies with s3-bucket-ssl-requests-only rule should be used. To adhere to it, the bucket policies need to explicitly deny
+access to HTTP requests.</p>
+<p>A secure policy that enforces SSL on requests (default: False):</p>
+<pre>
+bucket = S3.Bucket(self,
+    "bucket",
+    enforce_ssl=True
+)
+</pre>
+<p>A secure policy that denies all HTTP requests is used:</p>
+<pre>
+bucket = s3.Bucket(self, "bucket")
+
+result = bucket.add_to_resource_policy(iam.PolicyStatement(
+    effect=iam.Effect.DENY,
+    resources=["*"],
+    actions=["s3:*"],
+    principals=["*"],
+    conditions=["SecureTransport:False"]
+    )
+)
+</pre>
+<h2>See</h2>
+<ul>
+  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html#transit">AWS documentation</a> - Enforce encryption
+  of data in transit </li>
+  <li> <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5">AWS Foundational Security
+  Best Practices controls</a> - S3 buckets should require requests to use Secure Socket Layer </li>
+  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/319">CWE-319 - Cleartext Transmission of Sensitive Information</a> </li>
+  <li> <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-5">AWS Foundational Security
+  Best Practices controls</a> - S3 buckets should require requests to use Secure Socket Layer </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6249.json

@@ -0,0 +1,36 @@
+{
+  "title": "Authorizing HTTP communications with S3 buckets is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "COMPLETE"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "10min"
+  },
+  "tags": [
+    "aws",
+    "cwe"
+  ],
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-6249",
+  "sqKey": "S6249",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      319
+    ],
+    "PCI DSS 3.2": [
+      "4.1",
+      "6.5.4"
+    ],
+    "PCI DSS 4.0": [
+      "4.2.1",
+      "6.2.4"
+    ]
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -168,6 +168,7 @@
     "S6002",
     "S6019",
     "S6035",
+    "S6249",
     "S6252",
     "S6265",
     "S6270",

python-checks/src/test/java/org/sonar/python/checks/cdk/S3BucketHTTPCommunicationCheckTest.java

@@ -0,0 +1,30 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonar.python.checks.cdk;
+
+import org.junit.jupiter.api.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+class S3BucketHTTPCommunicationCheckTest {
+
+  @Test
+  void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/cdk/s3BucketHTTPCommunication.py", new S3BucketHTTPCommunicationCheck());
+  }
+
+}
+