API Gateway API Protocol Not HTTPS
- Query id: 1bcdf9f0-b1aa-40a4-b8c6-cd7785836843
- Query name: API Gateway API Protocol Not HTTPS
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 319
- URL: Github
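Description
The API protocol of an API Gateway API (`protocol` in the `request_config` block) should be set to HTTPS; with HTTP, client requests to the gateway are sent in cleartext (CWE-319).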
Documentation
Code samples
Code samples with security vulnerabilities (positive tests: the query is expected to report these)
Positive test num. 1 - tf file
# API group that the API resource in this sample attaches to through group_id.
# Only a name and a description are set here; nothing in this block concerns
# the request protocol.
resource "alicloud_api_gateway_group" "apiGroup" {
  name = "ApiGatewayGroup"
  description = "description of the api group"
}
# Positive test 1: an API whose single request_config accepts client requests
# over plain HTTP. This is the setting the page's description says must be HTTPS.
resource "alicloud_api_gateway_api" "apiGatewayApi" {
  # The API reuses the group's name and is placed in that group.
  name = alicloud_api_gateway_group.apiGroup.name
  group_id = alicloud_api_gateway_group.apiGroup.id
  description = "your description"
  auth_type = "APP"
  # NOTE(review): the nonce check is switched off. That is a separate setting from
  # the protocol finding, but worth a second look on a cleartext listener.
  force_nonce_check = false

  request_config {
    # Finding (CWE-319): the client-facing protocol is HTTP, so requests to
    # /test/path1 and their responses cross the network unencrypted.
    # Remediation, as in the negative test on this page: protocol = "HTTPS".
    # NOTE(review): the provider is understood to accept a combined "HTTP,HTTPS"
    # value as well; that would still leave the cleartext listener in place.
    protocol = "HTTP"
    method = "GET"
    path = "/test/path1"
    mode = "MAPPING"
  }

  service_type = "HTTP"

  http_service_config {
    # The gateway-to-backend hop is also plain http:// in this sample, while the
    # compliant sample uses https://.
    # NOTE(review): the page does not show whether the query inspects this
    # address; its title and description refer only to the API protocol.
    address = "http://apigateway-backend.alicloudapi.com:8080"
    method = "GET"
    path = "/web/cloudapi"
    timeout = 12
    aone_name = "cloudapi-openapi"
  }

  # Optional query-string parameter "aaa", passed to the backend as "testparams".
  # With protocol = "HTTP" its value is visible to anyone on the network path.
  request_parameters {
    name = "aaa"
    type = "STRING"
    required = "OPTIONAL"
    in = "QUERY"
    in_service = "QUERY"
    name_service = "testparams"
  }

  # RELEASE is listed alongside TEST, so the HTTP setting is not confined to a
  # test stage.
  stage_names = [
    "RELEASE",
    "TEST",
  ]
}
Positive test num. 2 - tf file
# API group that the API resource in this sample attaches to through group_id.
# Only a name and a description are set here; nothing in this block concerns
# the request protocol.
resource "alicloud_api_gateway_group" "apiGroup" {
  name = "ApiGatewayGroup"
  description = "description of the api group"
}
# Positive test 2: the same API as positive test 1, but with two request_config
# blocks, both set to HTTP.
# NOTE(review): this presumably exercises the query against a repeated
# request_config; when remediating, every such block needs protocol = "HTTPS".
resource "alicloud_api_gateway_api" "apiGatewayApi" {
  # The API reuses the group's name and is placed in that group.
  name = alicloud_api_gateway_group.apiGroup.name
  group_id = alicloud_api_gateway_group.apiGroup.id
  description = "your description"
  auth_type = "APP"
  # NOTE(review): the nonce check is switched off. That is a separate setting from
  # the protocol finding, but worth a second look on a cleartext listener.
  force_nonce_check = false

  request_config {
    # Finding (CWE-319): /test/path1 is served to clients over cleartext HTTP.
    protocol = "HTTP"
    method = "GET"
    path = "/test/path1"
    mode = "MAPPING"
  }

  request_config {
    # Finding (CWE-319): /test/path2 is served to clients over cleartext HTTP too.
    protocol = "HTTP"
    method = "GET"
    path = "/test/path2"
    mode = "MAPPING"
  }

  service_type = "HTTP"

  http_service_config {
    # The gateway-to-backend hop is also plain http:// in this sample, while the
    # compliant sample uses https://.
    # NOTE(review): the page does not show whether the query inspects this
    # address; its title and description refer only to the API protocol.
    address = "http://apigateway-backend.alicloudapi.com:8080"
    method = "GET"
    path = "/web/cloudapi"
    timeout = 12
    aone_name = "cloudapi-openapi"
  }

  # Optional query-string parameter "aaa", passed to the backend as "testparams".
  # With protocol = "HTTP" its value is visible to anyone on the network path.
  request_parameters {
    name = "aaa"
    type = "STRING"
    required = "OPTIONAL"
    in = "QUERY"
    in_service = "QUERY"
    name_service = "testparams"
  }

  # RELEASE is listed alongside TEST, so the HTTP setting is not confined to a
  # test stage.
  stage_names = [
    "RELEASE",
    "TEST",
  ]
}
Code samples without security vulnerabilities (negative tests: the query is expected to report nothing)
Negative test num. 1 - tf file
# API group that the API resource in this sample attaches to through group_id.
# Only a name and a description are set here; nothing in this block concerns
# the request protocol.
resource "alicloud_api_gateway_group" "apiGroup" {
  name = "ApiGatewayGroup"
  description = "description of the api group"
}
# Negative test 1: the compliant form of the API. It differs from positive test 1
# in two values: request_config.protocol and the scheme of the backend address.
resource "alicloud_api_gateway_api" "apiGatewayApi" {
  # The API reuses the group's name and is placed in that group.
  name = alicloud_api_gateway_group.apiGroup.name
  group_id = alicloud_api_gateway_group.apiGroup.id
  description = "your description"
  auth_type = "APP"
  # NOTE(review): the nonce check is still switched off in the compliant sample;
  # it is a separate setting from the protocol this page is about.
  force_nonce_check = false

  request_config {
    # Compliant: clients reach /test/path1 over HTTPS only, which is the value
    # the page's description asks for.
    protocol = "HTTPS"
    method = "GET"
    path = "/test/path1"
    mode = "MAPPING"
  }

  # service_type names the kind of backend integration and stays "HTTP" here;
  # it is a different attribute from request_config.protocol.
  service_type = "HTTP"

  http_service_config {
    # The backend address uses https:// in this sample, so the gateway-to-backend
    # hop is encrypted as well.
    # NOTE(review): the page does not show whether the query checks this address.
    address = "https://apigateway-backend.alicloudapi.com:8080"
    method = "GET"
    path = "/web/cloudapi"
    timeout = 12
    aone_name = "cloudapi-openapi"
  }

  # Optional query-string parameter "aaa", passed to the backend as "testparams".
  request_parameters {
    name = "aaa"
    type = "STRING"
    required = "OPTIONAL"
    in = "QUERY"
    in_service = "QUERY"
    name_service = "testparams"
  }

  stage_names = [
    "RELEASE",
    "TEST",
  ]
}