feat(security): Enhance Redis Cache security checks and add expected results for backup and authentication configurations

Author: GeekMasher

ql/src/security/CWE-400/RedisCacheUnsafeMemoryPolicy.ql

@@ -21,5 +21,5 @@ where
   config = redis.getRedisConfiguration() and
   unsafePolicy = config.maxMemoryPolicy() and
   unsafePolicy in ["allkeys-lru", "allkeys-random", "volatile-lru", "volatile-random", "volatile-ttl"]
-select redis,
+select config,
   "Redis Cache '" + redis.getName() + "' uses potentially unsafe memory policy '" + unsafePolicy + "' which may cause unexpected data loss."

ql/src/security/CWE-693/RedisCacheNoBackup.md

@@ -1,6 +1,6 @@
 # Redis Cache without data backup
 
-Redis Cache instances without backup configuration risk data loss in case of failures or disasters. This issue falls under [CWE-693: Protection Mechanism Failure](https://cwe.mitre.org/data/definitions/693.html), as it represents a failure to protect critical data.
+Redis Cache instances with both AOF and RDB backups disabled risk data loss in case of failures or disasters. This issue falls under [CWE-693: Protection Mechanism Failure](https://cwe.mitre.org/data/definitions/693.html), as it represents a failure to protect critical data.
 
 ## Problem Description
 
@@ -9,7 +9,7 @@ Azure Cache for Redis offers two types of persistence options:
 1. RDB (Redis Database) snapshots - periodic full backups
 2. AOF (Append Only File) persistence - continuous logging of write operations
 
-When neither backup method is enabled, the Redis cache becomes vulnerable to data loss from:
+When both backup methods are disabled or not configured, the Redis cache becomes vulnerable to data loss from:
 
 - Service outages or crashes
 - Accidental data deletion

ql/src/security/CWE-693/RedisCacheNoBackup.ql

@@ -1,6 +1,6 @@
 /**
  * @name Redis Cache without data backup
- * @description Redis Cache without data backup configuration risks data loss in case of failures.
+ * @description Redis Cache with both AOF and RDB backups disabled risks data loss in case of failures.
  * @kind problem
  * @problem.severity warning
  * @security-severity 3.5
@@ -14,14 +14,31 @@
 
 import bicep
 import codeql.bicep.Concepts
-import codeql.bicep.frameworks.Microsoft.Cache
 
-from Cache::RedisCacheResource redis, Cache::CacheProperties::RedisConfiguration config 
-where 
-  config = redis.getRedisConfiguration() and
+from Expr output, Cache::RedisCacheResource redis, Cache::CacheProperties::RedisConfiguration config
+where
+  // If the resource doesn't have a Redis configuration, its an issue.
+  not exists(redis.getRedisConfiguration()) and
+  output = redis.getProperties()
+  or
   (
-    not exists(string aofBackupEnabled | aofBackupEnabled = config.aofBackupEnabled()) and
-    not exists(string rdbBackupEnabled | rdbBackupEnabled = config.rdbBackupEnabled())
+    // We only consider Redis Cache resources that have a configuration.
+    config = redis.getRedisConfiguration() and
+    // If they don't have any backup enabled, we consider it a risk.
+    (
+      not config.hasAofBackupEnabled() and
+      not config.hasRdbBackupEnabled() and
+      output = config
+    )
+    or
+    config.hasAofBackupEnabled() and
+    config.aofBackupEnabled() = "false" and
+    output = config
+    or
+    config.hasRdbBackupEnabled() and
+    config.rdbBackupEnabled() = "false" and
+    output = config
   )
-select redis,
-  "Redis Cache '" + redis.getName() + "' does not have either AOF or RDB backups enabled, risking data loss."
+select output,
+  "Redis Cache '" + redis.getName() +
+    "' has both AOF and RDB backups disabled (or not configured), risking data loss."

ql/test/queries-tests/security/CWE-284/RedisCachePublicNetwork/RedisCachePublicNetwork.expected

@@ -0,0 +1 @@
+| app.bicep:13:1:19:1 | RedisCacheResource | Redis Cache 'public-redis' has public network access enabled, exposing it to the internet. |

ql/test/queries-tests/security/CWE-306/RedisCacheNoAuth/RedisCacheNoAuth.expected

@@ -0,0 +1 @@
+| app.bicep:26:1:34:1 | RedisCacheResource | Redis Cache 'noauth-redis' has authentication disabled, allowing unauthenticated access. |

ql/test/queries-tests/security/CWE-319/RedisCacheNonSslPort/RedisCacheNonSslPort.expected

@@ -0,0 +1,2 @@
+| app.bicep:14:1:20:1 | RedisCacheResource | Redis Cache 'insecure-redis' has non-SSL port enabled, which allows unencrypted connections. |
+| app.bicep:23:1:29:1 | RedisCacheResource | Redis Cache 'explicit-default-redis' has non-SSL port enabled, which allows unencrypted connections. |

ql/test/queries-tests/security/CWE-400/RedisCacheUnsafeMemoryPolicy/RedisCacheUnsafeMemoryPolicy.expected

@@ -0,0 +1,5 @@
+| app.bicep:19:25:21:5 | RedisConfiguration | Redis Cache 'unsafe-memory-1-redis' uses potentially unsafe memory policy 'allkeys-lru' which may cause unexpected data loss. |
+| app.bicep:30:25:32:5 | RedisConfiguration | Redis Cache 'unsafe-memory-2-redis' uses potentially unsafe memory policy 'allkeys-random' which may cause unexpected data loss. |
+| app.bicep:41:25:43:5 | RedisConfiguration | Redis Cache 'unsafe-memory-3-redis' uses potentially unsafe memory policy 'volatile-lru' which may cause unexpected data loss. |
+| app.bicep:52:25:54:5 | RedisConfiguration | Redis Cache 'unsafe-memory-4-redis' uses potentially unsafe memory policy 'volatile-random' which may cause unexpected data loss. |
+| app.bicep:63:25:65:5 | RedisConfiguration | Redis Cache 'unsafe-memory-5-redis' uses potentially unsafe memory policy 'volatile-ttl' which may cause unexpected data loss. |

ql/test/queries-tests/security/CWE-693/RedisCacheNoBackup/RedisCacheNoBackup.expected

@@ -0,0 +1,6 @@
+| app.bicep:62:15:69:3 | Object | Redis Cache 'nobackup-redis' has both AOF and RDB backups disabled (or not configured), risking data loss. |
+| app.bicep:82:25:85:5 | Object | Redis Cache 'aof-backup-redis' has both AOF and RDB backups disabled (or not configured), risking data loss. |
+| app.bicep:82:25:85:5 | Object | Redis Cache 'both-backup-redis' has both AOF and RDB backups disabled (or not configured), risking data loss. |
+| app.bicep:82:25:85:5 | Object | Redis Cache 'disabled-backup-redis' has both AOF and RDB backups disabled (or not configured), risking data loss. |
+| app.bicep:82:25:85:5 | Object | Redis Cache 'nobackup-redis' has both AOF and RDB backups disabled (or not configured), risking data loss. |
+| app.bicep:82:25:85:5 | Object | Redis Cache 'rdb-backup-redis' has both AOF and RDB backups disabled (or not configured), risking data loss. |

ql/test/queries-tests/security/CWE-798/RedisCacheNoAAD/RedisCacheNoAAD.expected

@@ -0,0 +1,2 @@
+| app.bicep:15:1:23:1 | RedisCacheResource | Redis Cache 'no-aad-redis' is not using Azure Active Directory (AAD) authentication. |
+| app.bicep:26:1:34:1 | RedisCacheResource | Redis Cache 'disabled-aad-redis' is not using Azure Active Directory (AAD) authentication. |