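--- a/PATH_NOT_SHOWN_ON_PAGE_file1
+++ b/PATH_NOT_SHOWN_ON_PAGE_file1
@@ -12,6 +12,10 @@ abstract class PublicResource extends Resource {
 }
 
 module Cryptography {
+abstract class TlsDisabled extends Resource {
+abstract boolean isTlsDisabled ( ) ;
+}
+
 abstract class WeakTlsVersion extends Resource {
 abstract StringLiteral getWeakTlsVersionProperty ( ) ;
 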
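Review bot: The new `TlsDisabled` class and its abstract `isTlsDisabled()` predicate carry no QLDoc, so an implementer cannot tell what a `true` or `false` result means, nor whether the predicate should have a result at all when a resource does not configure the relevant property. I would put `/** A resource for which TLS may be disabled or bypassed. */` on the class and, on the predicate, a comment stating that it gets `true` when the resource allows non-TLS traffic, `false` when TLS is enforced, and has no result when the resource does not configure this. The Redis implementation added in the same commit appears to behave that way (no result when `enableNonSslPort` has no value), so the contract should be written down here where future implementers will read it. The surrounding `Cryptography` module continues outside the hunk.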
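--- a/PATH_NOT_SHOWN_ON_PAGE_file2
+++ b/PATH_NOT_SHOWN_ON_PAGE_file2
@@ -76,6 +76,18 @@ module Cache {
 }
 }
 
+class RedisCacheTlsDisabled extends RedisCacheResource , Cryptography:: TlsDisabled {
+override boolean isTlsDisabled ( ) {
+exists ( boolean tlsPortDisabled | tlsPortDisabled = this .enableNonSslPort ( ) |
+tlsPortDisabled = true and
+result = false
+or
+tlsPortDisabled = false and
+result = true
+)
+}
+}
+
 module CacheProperties {
 /**
 * Represents the properties object for a Redis cache resource.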
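Review bot: The mapping inside `isTlsDisabled` looks inverted: `tlsPortDisabled` is bound to `this.enableNonSslPort()`, so the value `true` means the non-TLS port is enabled and TLS is not enforced, yet that branch yields `result = false`, while `enableNonSslPort = false` (TLS enforced) yields `result = true`. The expected file in this same commit is consistent with the inversion — it flags `app.bicep:22:1:29:1`, which is the `redis3` resource whose fixture comment says `enableNonSslPort : false` should be secure — and it also flags `redis2`, which this predicate on its own does not explain, so the query in `security/CWE-327/TlsDisabled.ql` (not in the diff) should be checked and the expected output regenerated after the fix. The body collapses to `override boolean isTlsDisabled() { result = this.enableNonSslPort() }`, which keeps the existing behaviour of producing no result when the property is absent, so `redis1` stays unflagged. If the `exists` form is kept, a local named `nonSslPortEnabled` would stop the name contradicting the value it holds.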
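--- a/PATH_NOT_SHOWN_ON_PAGE_expected
+++ b/PATH_NOT_SHOWN_ON_PAGE_expected
+| app.bicep:12:1:19:1 | RedisCacheResource | TLS is disabled for this resource |
+| app.bicep:22:1:29:1 | RedisCacheResource | TLS is disabled for this resource |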
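--- a/PATH_NOT_SHOWN_ON_PAGE_qlref
+++ b/PATH_NOT_SHOWN_ON_PAGE_qlref
+security/CWE-327/TlsDisabled.ql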
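--- a/PATH_NOT_SHOWN_ON_PAGE_app.bicep
+++ b/PATH_NOT_SHOWN_ON_PAGE_app.bicep
+// Bicep sample with TLS disabled for testing
+// Case 1: enableNonSslPort not set (should be secure)
+resource redis1 'Microsoft.Cache/Redis@2021-06-01' = {
+name : 'redis1'
+location : 'eastus'
+properties : {
+publicNetworkAccess : 'Enabled'
+}
+}
+
+// Case 2: enableNonSslPort enabled (TLS disabled, should trigger)
+resource redis2 'Microsoft.Cache/Redis@2021-06-01' = {
+name : 'redis2'
+location : 'eastus'
+properties : {
+enableNonSslPort : true
+publicNetworkAccess : 'Enabled'
+}
+}
+
+// Case 3: enableNonSslPort disabled (TLS enforced, should be secure)
+resource redis3 'Microsoft.Cache/Redis@2021-06-01' = {
+name : 'redis3'
+location : 'eastus'
+properties : {
+enableNonSslPort : false
+publicNetworkAccess : 'Enabled'
+}
+}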