SQLServer Ingress From Any IP
- Query id: 25c0ea09-f1c5-4380-b055-3b83863f2bb8
- Query name: SQLServer Ingress From Any IP
- Platform: Terraform
- Severity: Critical
- Category: Networking and Firewall
- CWE: 668
- Risk score: 8.7
- URL: Github
Description¶
Checks whether a firewall rule allows every IP address, i.e. its range starts at 0.0.0.0 and ends at 255.255.255.255.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
# Flagged: a 0.0.0.0 – 255.255.255.255 range covers every IPv4 address, so the
# SQL server accepts connections from any source. Narrow start/end to the
# client addresses that actually need access.
resource "azurerm_sql_firewall_rule" "positive1" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name

  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"
}
Positive test num. 2 - tf file
# Flagged: same any-IP range on the newer azurerm_mssql_* resource family.
# The rule attaches to the server by id rather than by resource group + name.
resource "azurerm_mssql_firewall_rule" "positive1" {
  # Range spanning the whole IPv4 address space — the condition this query detects.
  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"

  name      = "FirewallRule1"
  server_id = azurerm_mssql_server.example.id
}
Positive test num. 3 - tf file
# Flagged: the query also covers MariaDB server firewall rules; an any-IP range
# here exposes the database endpoint to every IPv4 source.
resource "azurerm_mariadb_firewall_rule" "example" {
  name        = "test-rule"
  server_name = "test-server"

  # Whole IPv4 space — the pair this query detects.
  start_ip_address = "0.0.0.0"
  end_ip_address   = "255.255.255.255"
}
Positive test num. 4 - tf file
Positive test num. 5 - tf file
Positive test num. 6 - tf file
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
# Not flagged: a single-host rule (start == end) is the intended narrow form.
resource "azurerm_sql_firewall_rule" "negative1-1" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name

  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

# Not flagged: start is not 0.0.0.0, so the query's exact-pair match does not
# fire. The range still reaches the top of the IPv4 space, so it is worth a
# separate review even though this check passes.
resource "azurerm_sql_firewall_rule" "negative1-2" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name

  start_ip_address = "10.0.17.62"
  end_ip_address   = "255.255.255.255"
}

# Not flagged: end is not 255.255.255.255. As above, the range from 0.0.0.0 is
# broad and only escapes this particular check.
resource "azurerm_sql_firewall_rule" "negative1-3" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name

  start_ip_address = "0.0.0.0"
  end_ip_address   = "10.0.17.62"
}
Negative test num. 2 - tf file
# Single-host rule on the azurerm_mssql_* resource; not flagged.
resource "azurerm_mssql_firewall_rule" "negative1-1" {
  server_id = azurerm_mssql_server.example.id
  name      = "FirewallRule1"

  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

# Open-ended upper range; not flagged because start is not 0.0.0.0. Still a
# wide allow-list — review it on its own merits.
resource "azurerm_mssql_firewall_rule" "negative1-2" {
  server_id = azurerm_mssql_server.example.id
  name      = "FirewallRule1"

  start_ip_address = "10.0.17.62"
  end_ip_address   = "255.255.255.255"
}

# Open-ended lower range; not flagged because end is not 255.255.255.255.
resource "azurerm_mssql_firewall_rule" "negative1-3" {
  server_id = azurerm_mssql_server.example.id
  name      = "FirewallRule1"

  start_ip_address = "0.0.0.0"
  end_ip_address   = "10.0.17.62"
}
Negative test num. 3 - tf file
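# Single-host MariaDB rule; not flagged.
resource "azurerm_mariadb_firewall_rule" "negative3-1" {
  name        = "test-rule"
  server_name = "test-server"

  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

# Not flagged: end is not 255.255.255.255, even though the range starts at
# 0.0.0.0 and is therefore still broad.
resource "azurerm_mariadb_firewall_rule" "negative3-2" {
  name        = "test-rule"
  server_name = "test-server"

  start_ip_address = "0.0.0.0"
  end_ip_address   = "10.0.17.62"
}

# Not flagged: start is not 0.0.0.0. The original sample used the three-octet
# literal "255.255.255", which is not a valid IPv4 address and would be rejected
# by the provider/API; it is normalised to the full address used by the sibling
# negative samples, which keeps the case negative for this query.
resource "azurerm_mariadb_firewall_rule" "negative3-3" {
  name        = "test-rule"
  server_name = "test-server"

  start_ip_address = "10.0.17.62"
  end_ip_address   = "255.255.255.255"
}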
Negative test num. 4 - tf file
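# Single-host PostgreSQL rule; not flagged.
resource "azurerm_postgresql_firewall_rule" "negative4-1" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name

  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

# Not flagged: end is not 255.255.255.255 (range is still broad from 0.0.0.0).
resource "azurerm_postgresql_firewall_rule" "negative4-2" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name

  start_ip_address = "0.0.0.0"
  end_ip_address   = "10.0.17.62"
}

# Not flagged: start is not 0.0.0.0. The original sample used the three-octet
# literal "255.255.255", which is not a valid IPv4 address and would be rejected
# by the provider/API; it is normalised to the full address used by the sibling
# negative samples, which keeps the case negative for this query.
resource "azurerm_postgresql_firewall_rule" "negative4-3" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.example.name

  start_ip_address = "10.0.17.62"
  end_ip_address   = "255.255.255.255"
}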
Negative test num. 5 - tf file
# Flexible-server PostgreSQL rules attach by server id. Single host; not flagged.
resource "azurerm_postgresql_flexible_server_firewall_rule" "negative5-1" {
  server_id = azurerm_postgresql_flexible_server.example.id
  name      = "example-fw"

  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

# Lower range open at 0.0.0.0 but capped; not flagged by this query.
resource "azurerm_postgresql_flexible_server_firewall_rule" "negative5-2" {
  server_id = azurerm_postgresql_flexible_server.example.id
  name      = "example-fw"

  start_ip_address = "0.0.0.0"
  end_ip_address   = "10.0.17.62"
}

# Upper range open to 255.255.255.255 but start is not 0.0.0.0; not flagged
# by this query, though still a wide allow-list worth reviewing.
resource "azurerm_postgresql_flexible_server_firewall_rule" "negative5-3" {
  server_id = azurerm_postgresql_flexible_server.example.id
  name      = "example-fw"

  start_ip_address = "10.0.17.62"
  end_ip_address   = "255.255.255.255"
}
Negative test num. 6 - tf file
# MySQL flexible-server rule for a single host; not flagged.
resource "azurerm_mysql_flexible_server_firewall_rule" "negative6-1" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mysql_flexible_server.example.name

  start_ip_address = "10.0.17.62"
  end_ip_address   = "10.0.17.62"
}

# Starts at 0.0.0.0 but does not end at 255.255.255.255; not flagged.
resource "azurerm_mysql_flexible_server_firewall_rule" "negative6-2" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mysql_flexible_server.example.name

  start_ip_address = "0.0.0.0"
  end_ip_address   = "10.0.17.62"
}

# Ends at 255.255.255.255 but does not start at 0.0.0.0; not flagged. The
# query matches only the exact any-IP pair, so broad-but-not-total ranges
# like this one pass and need a separate review.
resource "azurerm_mysql_flexible_server_firewall_rule" "negative6-3" {
  name                = "office"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_mysql_flexible_server.example.name

  start_ip_address = "10.0.17.62"
  end_ip_address   = "255.255.255.255"
}