
Commit 7292962

committed
feat(query): Add TLS Disabled query
1 parent caf23c9 commit 7292962

5 files changed

+48
-0
lines changed


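--- a/ql/lib/codeql/bicep/Concepts.qll
+++ b/ql/lib/codeql/bicep/Concepts.qll
@@ -12,6 +12,10 @@ abstract class PublicResource extends Resource {
 }
 
 module Cryptography {
+abstract class TlsDisabled extends Resource {
+abstract boolean isTlsDisabled();
+}
+
 abstract class WeakTlsVersion extends Resource {
 abstract StringLiteral getWeakTlsVersionProperty();
 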
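Review bot: The new `TlsDisabled` class and its `isTlsDisabled()` predicate carry no QLDoc, although public classes and predicates in a CodeQL library are expected to be documented, and the meaning of the boolean result is exactly what an implementer of this concept needs to know. I would add `/** A resource whose configuration may turn TLS off. */` above the class and `/** Gets true if TLS is disabled for this resource, false otherwise. */` above the predicate. As a point of style, the `is` prefix is conventionally reserved for predicates without a result, so a result-bearing `boolean isTlsDisabled()` reads like a holds-predicate; `boolean getTlsDisabled()` or a plain `predicate isTlsDisabled()` would follow the convention, though the sibling `WeakTlsVersion` uses a `get` name so either choice can be argued. The `Cryptography` module continues outside the hunk.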
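--- a/ql/lib/codeql/bicep/frameworks/Microsoft/Cache.qll
+++ b/ql/lib/codeql/bicep/frameworks/Microsoft/Cache.qll
@@ -76,6 +76,18 @@ module Cache {
 }
 }
 
+class RedisCacheTlsDisabled extends RedisCacheResource, Cryptography::TlsDisabled {
+override boolean isTlsDisabled() {
+exists(boolean tlsPortDisabled | tlsPortDisabled = this.enableNonSslPort() |
+tlsPortDisabled = true and
+result = false
+or
+tlsPortDisabled = false and
+result = true
+)
+}
+}
+
 module CacheProperties {
 /**
 * Represents the properties object for a Redis cache resource.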
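Review bot: The mapping in `isTlsDisabled()` is inverted relative to the property it reads: `enableNonSslPort = true` is the setting that allows non-TLS traffic, and the fixture added in this commit labels that case "TLS disabled, should trigger", yet the predicate yields `false` for it and `true` when the non-SSL port is disabled. Unless the query (not on this page) deliberately selects on `isTlsDisabled() = false`, the two branches should be swapped, which collapses the whole body to `result = this.enableNonSslPort()`. The local name `tlsPortDisabled` adds to the confusion because it is bound to the enable flag; `nonSslPortEnabled` would say what it holds. The expected output in this commit lists both `app.bicep:12:1:19:1` and `app.bicep:22:1:29:1`, i.e. redis2 and redis3, while the fixture comment on case 3 says it should be secure, so the expected file and the fixture disagree and one of them needs to be reconciled before this merges. When `enableNonSslPort()` has no value the `exists` fails and the predicate has no result, which is presumably why redis1 is not reported.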
Lines changed: 2 additions & 0 deletions
@@ -0,0 +1,2 @@
1+
| app.bicep:12:1:19:1 | RedisCacheResource | TLS is disabled for this resource |
2+
| app.bicep:22:1:29:1 | RedisCacheResource | TLS is disabled for this resource |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
security/CWE-327/TlsDisabled.ql
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
// Bicep sample with TLS disabled for testing
2+
// Case 1: enableNonSslPort not set (should be secure)
3+
resource redis1 'Microsoft.Cache/Redis@2021-06-01' = {
4+
name: 'redis1'
5+
location: 'eastus'
6+
properties: {
7+
publicNetworkAccess: 'Enabled'
8+
}
9+
}
10+
11+
// Case 2: enableNonSslPort enabled (TLS disabled, should trigger)
12+
resource redis2 'Microsoft.Cache/Redis@2021-06-01' = {
13+
name: 'redis2'
14+
location: 'eastus'
15+
properties: {
16+
enableNonSslPort: true
17+
publicNetworkAccess: 'Enabled'
18+
}
19+
}
20+
21+
// Case 3: enableNonSslPort disabled (TLS enforced, should be secure)
22+
resource redis3 'Microsoft.Cache/Redis@2021-06-01' = {
23+
name: 'redis3'
24+
location: 'eastus'
25+
properties: {
26+
enableNonSslPort: false
27+
publicNetworkAccess: 'Enabled'
28+
}
29+
}
