SONARPY-1011 Rule S6265: Granting access to S3 buckets to all or authenticated users is security-sensitive (#1129)

Author: marco-bearzi-sonarsource

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -24,6 +24,7 @@
 import java.util.HashSet;
 
 import org.sonar.python.checks.cdk.S3BucketBlockPublicAccessCheck;
+import org.sonar.python.checks.cdk.S3BucketGrantedAccessCheck;
 import org.sonar.python.checks.cdk.S3BucketServerEncryptionCheck;
 import org.sonar.python.checks.cdk.S3BucketVersioningCheck;
 import org.sonar.python.checks.hotspots.ClearTextProtocolsCheck;
@@ -229,6 +230,7 @@ public static Iterable<Class> getChecks() {
       ReturnYieldOutsideFunctionCheck.class,
       RobustCipherAlgorithmCheck.class,
       S3BucketBlockPublicAccessCheck.class,
+      S3BucketGrantedAccessCheck.class,
       S3BucketServerEncryptionCheck.class,
       S3BucketVersioningCheck.class,
       SameBranchCheck.class,

python-checks/src/main/java/org/sonar/python/checks/cdk/AbstractS3BucketCheck.java

@@ -37,14 +37,14 @@
 
 public abstract class AbstractS3BucketCheck extends PythonSubscriptionCheck {
 
-  private static final String S3_BUCKET_FQN = "aws_cdk.aws_s3.Bucket";
+  protected static final String S3_BUCKET_FQN = "aws_cdk.aws_s3.Bucket";
 
   @Override
   public void initialize(Context context) {
     context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::visitNode);
   }
 
-  private void visitNode(SubscriptionContext ctx) {
+  protected void visitNode(SubscriptionContext ctx) {
     CallExpression node = (CallExpression) ctx.syntaxNode();
     Optional.ofNullable(node.calleeSymbol())
       .map(Symbol::fullyQualifiedName)
@@ -80,6 +80,7 @@ private static ArgumentTrace build(SubscriptionContext ctx, RegularArgument argu
       buildTrace(argument.expression(), trace);
       return new ArgumentTrace(ctx, trace);
     }
+
     private static void buildTrace(Expression expression, List<Expression> trace) {
       trace.add(expression);
       if (expression.is(Tree.Kind.NAME)) {

python-checks/src/main/java/org/sonar/python/checks/cdk/S3BucketGrantedAccessCheck.java

@@ -0,0 +1,107 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.cdk;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Optional;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.ImportFrom;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.Tree;
+
+@Rule(key = "S6265")
+public class S3BucketGrantedAccessCheck extends AbstractS3BucketCheck {
+
+  public static final String MESSAGE_POLICY = "Make sure granting %s access is safe here.";
+  public static final String MESSAGE_GRANT = "Make sure allowing unrestricted access to objects from this bucket is safe here.";
+  private static final String S3_BUCKET_DEPLOYMENT_FQN = "aws_cdk.aws_s3_deployment.BucketDeployment";
+  private static final String S3_BUCKET_AUTHENTICATED_READ = "aws_cdk.aws_s3.BucketAccessControl.AUTHENTICATED_READ";
+  private static final String S3_BUCKET_PUBLIC_READ = "aws_cdk.aws_s3.BucketAccessControl.PUBLIC_READ";
+  private static final String S3_BUCKET_PUBLIC_READ_WRITE = "aws_cdk.aws_s3.BucketAccessControl.PUBLIC_READ_WRITE";
+  private static final List<String> S3_BUCKET_FQNS = Arrays.asList(S3_BUCKET_FQN, S3_BUCKET_DEPLOYMENT_FQN);
+  private static final List<String> S3_BUCKET_SENSITIVE_POLICIES = Arrays.asList(S3_BUCKET_AUTHENTICATED_READ, S3_BUCKET_PUBLIC_READ, S3_BUCKET_PUBLIC_READ_WRITE);
+
+  private boolean isAwsCdkImported = false;
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.FILE_INPUT, ctx -> isAwsCdkImported = false);
+    context.registerSyntaxNodeConsumer(Tree.Kind.IMPORT_FROM, this::checkAWSImport);
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::visitNode);
+  }
+
+  private void checkAWSImport(SubscriptionContext ctx) {
+    ImportFrom imports = (ImportFrom) ctx.syntaxNode();
+    Optional.ofNullable(imports.module())
+      .filter(dottedName -> dottedName.names()
+        .stream()
+        .map(Name::name)
+        .anyMatch("aws_cdk"::equals))
+      .ifPresent(n -> isAwsCdkImported = true);
+  }
+
+  @Override
+  protected void visitNode(SubscriptionContext ctx) {
+    CallExpression node = (CallExpression) ctx.syntaxNode();
+    Optional<Symbol> symbol = Optional.ofNullable(node.calleeSymbol());
+
+    symbol
+      .map(Symbol::fullyQualifiedName)
+      .filter(S3_BUCKET_FQNS::contains)
+      .ifPresent(s -> visitBucketConstructor(ctx, node));
+
+    if (isAwsCdkImported) {
+      symbol
+        .map(Symbol::name)
+        .filter("grant_public_access"::equals)
+        .ifPresent(s -> ctx.addIssue(node.callee(), MESSAGE_GRANT));
+    }
+  }
+
+  @Override
+  void visitBucketConstructor(SubscriptionContext ctx, CallExpression bucket) {
+    getArgument(ctx, bucket, "access_control")
+      .ifPresent(argument -> argument.addIssueIf(this::isSensitivePolicy, getSensitivePolicyMessage(argument)));
+  }
+
+  protected boolean isSensitivePolicy(Expression expression) {
+    return Optional.ofNullable(expression)
+      .filter(QualifiedExpression.class::isInstance)
+      .map(QualifiedExpression.class::cast)
+      .map(QualifiedExpression::symbol)
+      .map(Symbol::fullyQualifiedName)
+      .filter(S3_BUCKET_SENSITIVE_POLICIES::contains)
+      .isPresent();
+  }
+
+  private static String getSensitivePolicyMessage(ArgumentTrace argumentTrace){
+    Expression lastExpression = argumentTrace.trace()
+      .get(argumentTrace.trace().size()-1);
+    String attribute = ((QualifiedExpression) lastExpression).name().name();
+    return String.format(MESSAGE_POLICY, attribute);
+  }
+
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6265.html

@@ -0,0 +1,59 @@
+<p>Predefined permissions, also known as <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl">canned ACLs</a>,
+are an easy way to grant large privileges to predefined groups or users.</p>
+<p>The following canned ACLs are security-sensitive:</p>
+<ul>
+  <li> <code>PUBLIC_READ</code>, <code>PUBLIC_READ_WRITE</code> grant respectively "read" and "read and write" privileges to everyone in the world
+  (<code>AllUsers</code> group). </li>
+  <li> <code>AUTHENTICATED_READ</code> grants "read" privilege to all authenticated users (<code>AuthenticatedUsers</code> group). </li>
+</ul>
+<h2>Ask Yourself Whether</h2>
+<ul>
+  <li> The S3 bucket stores sensitive data. </li>
+  <li> The S3 bucket is not used to store static resources of websites (images, css …​). </li>
+</ul>
+<p>There is a risk if you answered yes to any of those questions.</p>
+<h2>Recommended Secure Coding Practices</h2>
+<p>It’s recommended to implement the least privilege policy, i.e., to grant necessary permissions only to users for their required tasks. In the
+context of canned ACL, set it to <code>PRIVATE</code> (the default one), and if needed more granularity then use an appropriate S3 policy.</p>
+<h2>Sensitive Code Example</h2>
+<p>All users (ie: anyone in the world authenticated or not) have read and write permissions with the <code>PUBLIC_READ_WRITE</code> access
+control:</p>
+<pre>
+bucket = s3.Bucket(self,
+    "bucket",
+    access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # Sensitive
+)
+
+# Another example
+s3deploy.BucketDeployment(self,
+    "DeployWebsite",
+    ...,
+    access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # Sensitive
+)
+</pre>
+<h2>Compliant Solution</h2>
+<p>With the <code>PRIVATE</code> access control (default), only the bucket owner has the read/write permissions on the buckets and its ACL.</p>
+<pre>
+bucket = s3.Bucket(self, "bucket",
+    access_control=s3.BucketAccessControl.PRIVATE       # Compliant
+)
+
+# Another example
+s3deploy.BucketDeployment(self, "DeployWebsite",
+    access_control=s3.BucketAccessControl.PRIVATE       # Compliant
+)
+</pre>
+<h2>See</h2>
+<ul>
+  <li> <a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP Top 10 2021 Category A1</a> - Broken Access Control </li>
+  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html#canned-acl">AWS Documentation</a> - Access control list (ACL)
+  overview (canned ACLs) </li>
+  <li> <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/walkthrough1.html">AWS Documentation</a> - Controlling access to a bucket with
+  user policies </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/732">MITRE, CWE-732</a> - Incorrect Permission Assignment for Critical Resource </li>
+  <li> <a href="https://cwe.mitre.org/data/definitions/284">MITRE, CWE-284</a> - Improper Access Control </li>
+  <li> <a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control">OWASP Top 10 2017 Category A5</a> - Broken Access Control
+  </li>
+  <li> <a href="https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html">AWS CDK version 2</a> - Class Bucket (construct) </li>
+</ul>
+

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/S6265.json

@@ -0,0 +1,33 @@
+{
+  "title": "Granting access to S3 buckets to all or authenticated users is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "5min"
+  },
+  "tags": [
+    "aws",
+    "cwe",
+    "owasp-a5"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6265",
+  "sqKey": "S6265",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      284,
+      732
+    ],
+    "OWASP": [
+      "A5"
+    ],
+    "CIS": [
+      "3.3"
+    ],
+    "OWASP Top 10 2021": [
+      "A1"
+    ]
+  }
+}

python-checks/src/main/resources/org/sonar/l10n/py/rules/python/Sonar_way_profile.json

@@ -154,6 +154,7 @@
     "S6035",
     "S6245",
     "S6252",
+    "S6265",
     "S6281",
     "S6323",
     "S6326",

python-checks/src/test/java/org/sonar/python/checks/cdk/S3BucketGrantedAccessCheckTest.java

@@ -0,0 +1,37 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks.cdk;
+
+import org.junit.Test;
+import org.sonar.python.checks.utils.PythonCheckVerifier;
+
+public class S3BucketGrantedAccessCheckTest {
+
+  @Test
+  public void test() {
+    PythonCheckVerifier.verify("src/test/resources/checks/cdk/s3BucketGrantedAccess.py", new S3BucketGrantedAccessCheck());
+  }
+
+  @Test
+  public void noImport() {
+    PythonCheckVerifier.verifyNoIssue("src/test/resources/checks/cdk/s3BucketGrantedAccess_noImport.py", new S3BucketGrantedAccessCheck());
+  }
+
+}

python-checks/src/test/resources/checks/cdk/s3BucketGrantedAccess.py

@@ -0,0 +1,64 @@
+from aws_cdk import aws_s3 as s3, aws_s3_deployment as s3deploy
+
+
+bucket = s3.Bucket(self, "bucket")  # Compliant by default
+bucket.grant_public_access()  # NonCompliant
+
+def grant_noncompliant():
+    s1 = s3.Bucket(self, "BucketToDeploy")
+    s2 = s1
+    s2.grant_public_access()  # NonCompliant {{Make sure allowing unrestricted access to objects from this bucket is safe here.}}
+#   ^^^^^^^^^^^^^^^^^^^^^^
+
+    foo = Foo()
+    # FP : due to the fact we check whether aws_cdk is imported and the below function is called
+    foo.grant_public_access() # NonCompliant {{Make sure allowing unrestricted access to objects from this bucket is safe here.}}
+
+bucket = s3.Bucket(self, "bucket",
+                   access_control=s3.bar.WHAT_EVER       # Compliant
+                   )
+
+bucket = s3.Bucket(self, "bucket",
+                   access_control=s3.BucketAccessControl.PRIVATE       # Compliant
+                   )
+
+bucket = s3.Bucket(self, "bucket",
+                   access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # NonCompliant {{Make sure granting PUBLIC_READ_WRITE access is safe here.}}
+#                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+                   )
+
+bucket = s3.Bucket(self, "bucket",
+                   access_control=s3.BucketAccessControl.PUBLIC_READ     # NonCompliant {{Make sure granting PUBLIC_READ access is safe here.}}
+                   )
+
+bucket = s3.Bucket(self, "bucket",
+                   access_control=s3.BucketAccessControl.AUTHENTICATED_READ     # NonCompliant {{Make sure granting AUTHENTICATED_READ access is safe here.}}
+                   )
+
+def create_public_bucket():
+    control1 = s3.BucketAccessControl.PUBLIC_READ
+#   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^> {{Propagated setting.}}
+    bucket = s3.Bucket(self, "bucket",
+                       access_control=control1     # NonCompliant {{Make sure granting PUBLIC_READ access is safe here.}}
+#                      ^^^^^^^^^^^^^^^^^^^^^^^
+                       )
+
+
+bucket_to_deplay = s3.Bucket(self, "BucketToDeploy")
+
+s3deploy.BucketDeployment(self, "Deploy",                                   # Compliant
+                          sources=[s3deploy.Source.asset("./deploy-dist")],
+                          destination_bucket=bucket_to_deploy
+)
+
+s3deploy.BucketDeployment(self, "Deploy2",
+                          destination_bucket=bucket_to_deploy,
+                          access_control=s3.BucketAccessControl.PUBLIC_READ_WRITE     # NonCompliant {{Make sure granting PUBLIC_READ_WRITE access is safe here.}}
+#                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+                          )
+
+s3deploy.BucketDeployment(self, "Deploy3",
+                          destination_bucket=bucket_to_deploy,
+                          access_control=s3.BucketAccessControl.PRIVATE       # Compliant
+                          )
+

python-checks/src/test/resources/checks/cdk/s3BucketGrantedAccess_noImport.py

@@ -0,0 +1,3 @@
+def grant_compliant():
+    foo = Foo()
+    foo.grant_public_access() # Compliant since no aws_cdk import