SONARPY-1014 Rule S6245: Disabling server-side encryption of S3 bucket is security-sensitive (#1128)

Author: marco-bearzi-sonarsource

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -22,7 +22,9 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
+
 import org.sonar.python.checks.cdk.S3BucketBlockPublicAccessCheck;
+import org.sonar.python.checks.cdk.S3BucketServerEncryptionCheck;
 import org.sonar.python.checks.cdk.S3BucketVersioningCheck;
 import org.sonar.python.checks.hotspots.ClearTextProtocolsCheck;
 import org.sonar.python.checks.hotspots.CommandLineArgsCheck;
@@ -227,6 +229,7 @@ public static Iterable<Class> getChecks() {
       ReturnYieldOutsideFunctionCheck.class,
       RobustCipherAlgorithmCheck.class,
       S3BucketBlockPublicAccessCheck.class,
+      S3BucketServerEncryptionCheck.class,
       S3BucketVersioningCheck.class,
       SameBranchCheck.class,
       SameConditionCheck.class,
@@ -279,8 +282,7 @@ public static Iterable<Class> getChecks() {
       WeakSSLProtocolCheck.class,
       WildcardImportCheck.class,
       WrongAssignmentOperatorCheck.class,
-      XMLParserXXEVulnerableCheck.class
-    )));
+      XMLParserXXEVulnerableCheck.class)));
   }
 
 }

python-checks/src/main/java/org/sonar/python/checks/cdk/S3BucketServerEncryptionCheck.java

@@ -0,0 +1,60 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.cdk;
+
+import java.util.Optional;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.python.tree.QualifiedExpressionImpl;
+
+@Rule(key = "S6245")
+public class S3BucketServerEncryptionCheck extends AbstractS3BucketCheck {
+
+  private static final String S3_BUCKET_UNENCRYPTED_FQN = "aws_cdk.aws_s3.BucketEncryption.UNENCRYPTED";
+  public static final String MESSAGE = "Objects in the bucket are not encrypted. Make sure it is safe here.";
+  public static final String OMITTING_MESSAGE = "Omitting 'encryption' disables server-side encryption. Make sure it is safe here.";
+
+  @Override
+  void visitBucketConstructor(SubscriptionContext ctx, CallExpression bucket) {
+    Optional<ArgumentTrace> optEncryptionType = getArgument(ctx, bucket, "encryption");
+    if (optEncryptionType.isPresent()) {
+      optEncryptionType.ifPresent(argumentTrace -> argumentTrace.addIssueIf(S3BucketServerEncryptionCheck::isUnencrypted, MESSAGE));
+    } else {
+      Optional<ArgumentTrace> optEncryptionKey = getArgument(ctx, bucket, "encryption_key");
+      if (!optEncryptionKey.isPresent()) {
+        ctx.addIssue(bucket.callee(), OMITTING_MESSAGE);
+      }
+    }
+  }
+
+  protected static boolean isUnencrypted(Expression expression) {
+    return Optional.of(expression)
+      .filter(QualifiedExpression.class::isInstance)
+      .map(QualifiedExpressionImpl.class::cast)
+      .map(QualifiedExpression::symbol)
+      .map(Symbol::fullyQualifiedName)
+      .filter(S3_BUCKET_UNENCRYPTED_FQN::equals)
+      .isPresent();
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6245.html

@@ -0,0 +1,65 @@
+<p>Server-side encryption (SSE) encrypts an object (not the metadata) as it is written to disk (where the S3 bucket resides) and decrypts it as it is
+read from disk. This doesn’t change the way the objects are accessed, as long as the user has the necessary permissions, objects are retrieved as if
+they were unencrypted. Thus, SSE only helps in the event of disk thefts, improper disposals of disks and other attacks on the AWS infrastructure
+itself.</p>
+<p>There are three SSE options:</p>
+<ul>
+  <li> Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
+    <ul>
+      <li> AWS manages encryption keys and the encryption itself (with AES-256) on its own. </li>
+    </ul>  </li>
+  <li> Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
+    <ul>
+      <li> AWS manages the encryption (AES-256) of objects and encryption keys provided by the AWS KMS service. </li>
+    </ul>  </li>
+  <li> Server-Side Encryption with Customer-Provided Keys (SSE-C)
+    <ul>
+      <li> AWS manages only the encryption (AES-256) of objects with encryption keys provided by the customer. AWS doesn’t store the customer’s
+      encryption keys. </li>
+    </ul>  </li>
+</ul>
+<h2>Ask Yourself Whether</h2>
+<ul>
+  <li> The S3 bucket stores sensitive information. </li>
+  <li> The infrastructure needs to comply to some regulations, like HIPAA or PCI DSS, and other standards. </li>
+</ul>
+<p>There is a risk if you answered yes to any of those questions.</p>
+<h2>Recommended Secure Coding Practices</h2>
+<p>It’s recommended to use SSE. Choosing the appropriate option depends on the level of control required for the management of encryption keys.</p>
+<h2>Sensitive Code Example</h2>
+<p>Server-side encryption is not used:</p>
+<pre>
+bucket = s3.Bucket(self,"MyUnencryptedBucket",
+    encryption=s3.BucketEncryption.UNENCRYPTED       # Sensitive
+)
+</pre>
+<p>The default value of <code>encryption</code> is <code>KMS</code> if <code>encryptionKey</code> is set. Otherwise, if both parameters are absent the
+bucket is unencrypted.</p>
+<h2>Compliant Solution</h2>
+<p>Server-side encryption with Amazon S3-Managed Keys is used:</p>
+<pre>
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+    encryption=s3.BucketEncryption.S3_MANAGED       # Compliant
+)
+
+# Alternatively with a KMS key managed by the user.
+
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+    encryptionKey=access_key                        # Compliant
+)
+</pre>
+<h2>See</h2>
+<ul>
+  <li> <a href="https://owasp.org/Top10/A04_2021-Insecure_Design/">OWASP Top 10 2021 Category A4</a> - Insecure Design </li>
+  <li> <a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP Top 10 2021 Category A5</a> - Security Misconfiguration </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/311">MITRE, CWE-311</a> - Missing Encryption of Sensitive Data </li>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
+  </li>
+  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration">OWASP Top 10 2017 Category A6</a> - Security
+  Misconfiguration </li>
+  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html">AWS documentation</a> - Protecting data using
+  server-side encryption </li>
+  <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.BucketEncryption.html">CDK documentation</a> - BucketEncryption class
+  </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6245.json

@@ -0,0 +1,31 @@
+{
+  "title": "Disabling server-side encryption of S3 buckets is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "tags": [
+    "aws",
+    "cwe",
+    "owasp-a6",
+    "owasp-a3"
+  ],
+  "defaultSeverity": "Minor",
+  "ruleSpecification": "RSPEC-6245",
+  "sqKey": "S6245",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      311
+    ],
+    "OWASP": [
+      "A3",
+      "A6"
+    ],
+    "CIS": [
+      "2.1.1"
+    ],
+    "OWASP Top 10 2021": [
+      "A4",
+      "A5"
+    ]
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -152,6 +152,7 @@
     "S6002",
     "S6019",
     "S6035",
+    "S6245",
     "S6252",
     "S6281",
     "S6323",

python-checks/src/test/java/org/sonar/python/checks/cdk/S3BucketServerEncryptionCheckTest.java

@@ -0,0 +1,32 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.cdk;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class S3BucketServerEncryptionCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/cdk/s3BucketServerEncryption.py", new S3BucketServerEncryptionCheck());
+  }
+
+}

python-checks/src/test/resources/checks/cdk/s3BucketServerEncryption.py

@@ -0,0 +1,47 @@
+from aws_cdk import aws_s3 as s3
+
+bucket = s3.Bucket(self,"MyUnencryptedBucket") # NonCompliant {{Omitting 'encryption' disables server-side encryption. Make sure it is safe here.}}
+#        ^^^^^^^^^
+
+bucket = s3.Bucket(self,"MyUnencryptedBucket", encryption=s3.BucketEncryption.UNENCRYPTED) # NonCompliant {{Objects in the bucket are not encrypted. Make sure it is safe here.}}
+#                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+                   encryption=s3.BucketEncryption.KMS_MANAGED      # Compliant
+                   )
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+                   encryption=s3.BucketEncryption.S3_MANAGED          # Compliant
+                   )
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+                   encryption=s3.BucketEncryption.KMS          # Compliant
+                   )
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+                   encryption_key=my_encryption_key                 # Compliant
+                   )
+
+bucket = s3.Bucket(self,"MyUnencryptedBucket",
+                   encryption=s3.BucketEncryption.UNENCRYPTED, # NonCompliant {{Objects in the bucket are not encrypted. Make sure it is safe here.}}
+#                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+                   encryption_key=my_encryption_key
+)
+
+type_KMS = s3.BucketEncryption.KMS
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+                   encryption=type_KMS          # Compliant
+                   )
+
+my_encryption_key2 = aws_cdk.aws_kms.IKey() # Compliant
+bucket = s3.Bucket(self,"MyEncryptedBucket",
+                   encryption=s3.BucketEncryption.S3_MANAGED,
+                    encryption_key=my_encryption_key2)
+
+def create_bucket():
+    type_unencrypted = s3.BucketEncryption.UNENCRYPTED
+#   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^> {{Propagated setting.}}
+    bucket = s3.Bucket(self,"MyEncryptedBucket",
+                       encryption=type_unencrypted,     # NonCompliant {{Objects in the bucket are not encrypted. Make sure it is safe here.}}
+#                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^
+                       encryption_key=my_encryption_key2)
+
+
+coverage = s3.Bucket(self, "bucket", encryption=unresolved_reference)  # Compliant