Google Compute Network Using Firewall Rule that Allows Port Range

  • Query id: e6f61c37-106b-449f-a5bb-81bfcaceb8b4
  • Query name: Google Compute Network Using Firewall Rule that Allows Port Range
  • Platform: Terraform
  • Severity: Low
  • Category: Networking and Firewall
  • CWE: 285
  • URL: Github

Description

Google Compute Network should not use a firewall rule that allows port range
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_compute_firewall" "positive1" {
  name    = "test-firewall"
  network = google_compute_network.positive1.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  source_tags = ["web"]
}

resource "google_compute_network" "positive1" {
  name = "test-network"
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_compute_firewall" "negative1" {
  name    = "test-firewall"
  network = google_compute_network.negative1.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080"]
  }

  source_tags = ["web"]
}

resource "google_compute_network" "negative1" {
  name = "test-network"
}