feat(query): Add TLS Disabled query

GeekMasher · GeekMasher · commit 7292962d50a4 · 2025-06-11T13:07:33.000+01:00
diff --git a/ql/lib/codeql/bicep/Concepts.qll b/ql/lib/codeql/bicep/Concepts.qll
@@ -12,6 +12,10 @@ abstract class PublicResource extends Resource {
 }
 
 module Cryptography {
+  abstract class TlsDisabled extends Resource {
+    abstract boolean isTlsDisabled();
+  }
+
   abstract class WeakTlsVersion extends Resource {
     abstract StringLiteral getWeakTlsVersionProperty();
 
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Cache.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Cache.qll
@@ -76,6 +76,18 @@ module Cache {
     }
   }
 
+  class RedisCacheTlsDisabled extends RedisCacheResource, Cryptography::TlsDisabled {
+    override boolean isTlsDisabled() {
+      exists(boolean tlsPortDisabled | tlsPortDisabled = this.enableNonSslPort() |
+        tlsPortDisabled = true and
+        result = false
+        or
+        tlsPortDisabled = false and
+        result = true
+      )
+    }
+  }
+
   module CacheProperties {
     /**
      * Represents the properties object for a Redis cache resource.
diff --git a/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.expected b/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.expected
@@ -0,0 +1,2 @@
+| app.bicep:12:1:19:1 | RedisCacheResource | TLS is disabled for this resource |
+| app.bicep:22:1:29:1 | RedisCacheResource | TLS is disabled for this resource |
diff --git a/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.qlref b/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.qlref
@@ -0,0 +1 @@
+security/CWE-327/TlsDisabled.ql
diff --git a/ql/test/queries-tests/security/CWE-327/TlsDisabled/app.bicep b/ql/test/queries-tests/security/CWE-327/TlsDisabled/app.bicep
@@ -0,0 +1,29 @@
+// Bicep sample with TLS disabled for testing
+// Case 1: enableNonSslPort not set (should be secure)
+resource redis1 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis1'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Enabled'
+  }
+}
+
+// Case 2: enableNonSslPort enabled (TLS disabled, should trigger)
+resource redis2 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis2'
+  location: 'eastus'
+  properties: {
+    enableNonSslPort: true
+    publicNetworkAccess: 'Enabled'
+  }
+}
+
+// Case 3: enableNonSslPort disabled (TLS enforced, should be secure)
+resource redis3 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis3'
+  location: 'eastus'
+  properties: {
+    enableNonSslPort: false
+    publicNetworkAccess: 'Enabled'
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,10 @@ abstract class PublicResource extends Resource {`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`module Cryptography {`
	`15`	`+ abstract class TlsDisabled extends Resource {`
	`16`	`+ abstract boolean isTlsDisabled();`
	`17`	`+ }`
	`18`	`+`
`15`	`19`	`abstract class WeakTlsVersion extends Resource {`
`16`	`20`	`abstract StringLiteral getWeakTlsVersionProperty();`
`17`	`21`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| app.bicep:12:1:19:1 \| RedisCacheResource \| TLS is disabled for this resource \|`
	`2`	`+\| app.bicep:22:1:29:1 \| RedisCacheResource \| TLS is disabled for this resource \|`