Storage Share Allows All ACL Permissions
- Query id: 5ed0a5f3-6b81-4a6c-a7d1-0f1d8d9ae806
- Query name: Storage Share Allows All ACL Permissions
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: 732
- Risk score: 3.0
- URL: Github
Description
Azure Storage Share should not allow all ACL (Access Control List) permissions - r (read), w (write), d (delete), and l (list). The `acl` block of an `azurerm_storage_share` defines a stored access policy for the file share, and shared access signatures (SAS) issued against that policy take their permissions, start and expiry from it. A policy whose `access_policy.permissions` is `rwdl` therefore hands full control over the share's contents to every SAS tied to it. Scope each policy to what its consumer actually needs (for example `r` or `rl` for a read-only client, a separate policy for writers), and keep the validity window short, with `expiry` later than `start`.
Documentation
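As an added illustration (this is not KICS's own query, which is written in Rego, and not terraform-provider-azurerm code), the following Python script walks a Terraform file, pulls every `acl` block out of each `azurerm_storage_share`, and reports stored access policies whose permission set covers all of r, w, d and l. Two choices go beyond the page's literal description and are assumptions of this example: the match is order-insensitive (`dlrw` is treated as the same grant as `rwdl`), and a second check reports an `access_policy` whose `expiry` is not after its `start`, a misconfiguration that the KICS query itself does not look at. The HCL in `SAMPLE_TF` is constructed for the demonstration and describes no real infrastructure.

```python
import re
from datetime import datetime

# Share-level stored access policy permissions named on the page:
# r (read), w (write), d (delete), l (list).
FULL_CONTROL = frozenset("rwdl")

# Constructed sample modelled on the page's test files; not real infrastructure.
SAMPLE_TF = '''
resource "azurerm_storage_share" "full_control" {
  storage_account_name = azurerm_storage_account.example.name
  acl {
    id = "policy-a"
    access_policy {
      permissions = "rwdl"
      start       = "2022-07-02T09:38:21.0000000Z"
      expiry      = "2021-07-02T10:38:21.0000000Z"
    }
  }
}

resource "azurerm_storage_share" "reordered" {
  storage_account_name = azurerm_storage_account.example.name
  acl {
    id = "policy-b"
    access_policy {
      permissions = "dlrw"
      start       = "2022-07-02T09:38:21.0000000Z"
      expiry      = "2022-07-02T10:38:21.0000000Z"
    }
  }
}

resource "azurerm_storage_share" "read_only" {
  storage_account_name = azurerm_storage_account.example.name
  acl {
    id = "policy-c"
    access_policy {
      permissions = "rl"
      start       = "2022-07-02T09:38:21.0000000Z"
      expiry      = "2022-07-02T10:38:21.0000000Z"
    }
  }
}
'''

SHARE_RE = re.compile(r'resource\s+"azurerm_storage_share"\s+"([^"]+)"\s*\{')
ACL_RE = re.compile(r'\bacl\s*\{')


def _block_body(text, open_idx):
    """Text between the '{' at open_idx and its matching '}' (naive brace count;
    braces inside string literals would confuse it, which is fine for provider-style HCL)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _field(body, name):
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % name, body)
    return m.group(1) if m else None


def _parse_ts(value):
    # Azure timestamps carry seven fractional digits; drop the fraction before parsing.
    return datetime.strptime(re.sub(r"\.\d+Z$", "Z", value), "%Y-%m-%dT%H:%M:%SZ")


def parse_shares(tf_text):
    """[{'name': ..., 'policies': [{'id', 'permissions', 'start', 'expiry'}, ...]}, ...]"""
    shares = []
    for m in SHARE_RE.finditer(tf_text):
        body = _block_body(tf_text, m.end() - 1)
        policies = []
        for a in ACL_RE.finditer(body):
            acl = _block_body(body, a.end() - 1)
            policies.append({k: _field(acl, k) for k in ("id", "permissions", "start", "expiry")})
        shares.append({"name": m.group(1), "policies": policies})
    return shares


def check_shares(tf_text):
    """(share name, policy id, reason) for every problematic stored access policy."""
    findings = []
    for share in parse_shares(tf_text):
        for p in share["policies"]:
            # Order-insensitive: "dlrw" is the same grant as "rwdl".
            if FULL_CONTROL <= set(p["permissions"] or ""):
                findings.append((share["name"], p["id"], "acl grants all permissions (rwdl)"))
            # Added sanity check, not part of the KICS query: a window that ends
            # before it starts is a misconfiguration, not a short-lived grant.
            if p["start"] and p["expiry"] and _parse_ts(p["expiry"]) <= _parse_ts(p["start"]):
                findings.append((share["name"], p["id"], "access_policy expiry is not after start"))
    return findings


if __name__ == "__main__":
    for share, policy, reason in check_shares(SAMPLE_TF):
        print(f"{share} / acl {policy}: {reason}")
```

Run against `SAMPLE_TF` it reports `full_control` (both checks) and `reordered` (all permissions) and stays silent on `read_only`; point `check_shares` at the contents of any `.tf` file to use it on real configuration.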
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```hcl
resource "azurerm_storage_share_file" "positive1" {
  name             = "my-awesome-content.zip"
  storage_share_id = azurerm_storage_share.default_storage_share.id
  source           = "some-local-file.zip"
}

# azurerm_storage_account.example is declared elsewhere in the configuration.
resource "azurerm_storage_share" "default_storage_share" {
  name                 = "sharename"
  storage_account_name = azurerm_storage_account.example.name
  quota                = 50

  acl {
    id = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI"
    access_policy {
      # Flagged: the stored access policy grants read, write, delete and list at once.
      permissions = "rwdl"
      start       = "2022-07-02T09:38:21.0000000Z"
      # expiry must be later than start; the original sample had it a year earlier.
      expiry      = "2022-07-02T10:38:21.0000000Z"
    }
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```hcl
resource "azurerm_storage_share_file" "example" {
  name             = "my-awesome-content.zip"
  storage_share_id = azurerm_storage_share.negative1.id
  source           = "some-local-file.zip"
}

# azurerm_storage_account.example is declared elsewhere in the configuration.
resource "azurerm_storage_share" "negative1" {
  name                 = "neg1"
  storage_account_name = azurerm_storage_account.example.name
  quota                = 50

  acl {
    id = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI"
    access_policy {
      # Read-only policy: a SAS issued against it cannot write, delete or list.
      permissions = "r"
      start       = "2022-07-02T09:38:21.0000000Z"
      # expiry must be later than start; the original sample had it a year earlier.
      expiry      = "2022-07-02T10:38:21.0000000Z"
    }
  }
}
```
Negative test num. 2 - tf file
```hcl
# This share also grants rwdl, but its storage_account_name references a
# storage account (invalid_resource) that is not declared anywhere in the
# configuration; the page lists it among the samples that are not flagged.
resource "azurerm_storage_share" "negative2" {
  name                 = "neg2"
  storage_account_name = azurerm_storage_account.invalid_resource.name
  quota                = 50

  acl {
    id = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI"
    access_policy {
      permissions = "rwdl"
      start       = "2022-07-02T09:38:21.0000000Z"
      # expiry must be later than start; the original sample had it a year earlier.
      expiry      = "2022-07-02T10:38:21.0000000Z"
    }
  }
}
```