Public Security Group Rule All Ports or Protocols
- Query id: 60587dbd-6b67-432e-90f7-a8cf1892d968
- Query name: Public Security Group Rule All Ports or Protocols
- Platform: Terraform
- Severity: High
- Category: Networking and Firewall
- CWE: 284
- URL: Github
Description
Alicloud Security Group Rule should not allow all ports or all protocols to the public.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
resource "alicloud_security_group" "default" {
  name = "default"
}

resource "alicloud_security_group_rule" "allow_all_tcp" {
  type              = "ingress"
  ip_protocol       = "all"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}
```
Positive test num. 2 - tf file
```hcl
resource "alicloud_security_group" "default" {
  name = "default"
}

resource "alicloud_security_group_rule" "allow_all_tcp" {
  type              = "ingress"
  ip_protocol       = "gre"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}
```
Positive test num. 3 - tf file
```hcl
resource "alicloud_security_group" "default" {
  name = "default"
}

resource "alicloud_security_group_rule" "allow_all_tcp" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "1/65535"
  priority          = 1
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
resource "alicloud_security_group" "default" {
  name = "default"
}

resource "alicloud_security_group_rule" "allow_all_tcp" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "1/65535"
  priority          = 1
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "10.159.6.18/12"
}
```
Negative test num. 2 - tf file
```hcl
resource "alicloud_security_group" "default" {
  name = "default"
}

resource "alicloud_security_group_rule" "allow_all_tcp" {
  type              = "ingress"
  ip_protocol       = "icmp"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 1
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "10.159.6.18/12"
}
```
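The check behind this query, written out as a small Python script that reads `alicloud_security_group_rule` blocks and flags the ones that match the positive samples above. This is an added example, not the KICS query itself nor Alicloud provider code; the `BLOCK_RE`/`ATTR_RE` reader is a hypothetical minimal HCL parser (flat `key = value` attributes only), and the sample below is constructed from the page's positive test 1 and negative test 1.

```python
import re
import ipaddress

# Constructed sample: the page's positive test 1 next to its negative test 1.
SAMPLE_TF = '''
resource "alicloud_security_group_rule" "allow_all_tcp" {
  type              = "ingress"
  ip_protocol       = "all"
  policy            = "accept"
  port_range        = "-1/-1"
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "0.0.0.0/0"
}
resource "alicloud_security_group_rule" "allow_office_tcp" {
  type              = "ingress"
  ip_protocol       = "tcp"
  policy            = "accept"
  port_range        = "1/65535"
  security_group_id = alicloud_security_group.default.id
  cidr_ip           = "10.159.6.18/12"
}
'''

# Hypothetical minimal HCL reader: flat `key = value` attributes inside rule blocks only.
BLOCK_RE = re.compile(r'resource\s+"alicloud_security_group_rule"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

def parse_rules(tf_text):
    """Return {rule_name: {attr: value}} for every alicloud_security_group_rule block."""
    return {name: dict(ATTR_RE.findall(body)) for name, body in BLOCK_RE.findall(tf_text)}

def is_public(cidr):
    """True for the unrestricted ranges 0.0.0.0/0 and ::/0; unparsable values count as not public."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def rule_is_open_to_world(attrs):
    """The page's check: an accepted ingress rule from any address that allows every
    protocol, or the whole port range (-1/-1 or 1/65535, as in the positive samples)."""
    if attrs.get("type") != "ingress" or attrs.get("policy", "accept") != "accept":
        return False
    if not is_public(attrs.get("cidr_ip", "")):
        return False
    return attrs.get("ip_protocol") == "all" or attrs.get("port_range") in ("-1/-1", "1/65535")

def find_violations(tf_text):
    """Names of rules that fail the check, in a stable order for reporting."""
    return sorted(n for n, a in parse_rules(tf_text).items() if rule_is_open_to_world(a))
```

`find_violations(SAMPLE_TF)` returns only `allow_all_tcp`; the private-range rule passes even though it opens every TCP port, which is exactly the distinction between the positive and negative samples.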