feat(security): Add checks and documentation for remote debugging, insecure FTPS state, and TLS version in Azure Web Apps

Author: GeekMasher

ql/src/security/CWE-306/WebAppRemoteDebugging.md

@@ -0,0 +1,41 @@
+# Remote debugging enabled in Web App
+
+Enabling remote debugging in production Azure Web Apps is a security risk. Remote debugging allows developers to connect to and debug the web application remotely, which can expose sensitive information and potentially allow unauthorized access to the application.
+
+## Recommendation
+
+Disable remote debugging in production environments. Remote debugging should only be enabled temporarily for development and troubleshooting purposes, and should be disabled once troubleshooting is complete.
+
+## Example
+
+Insecure configuration:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp'
+  properties: {
+    siteConfig: {
+      remoteDebuggingEnabled: true
+    }
+  }
+}
+```
+
+Secure configuration:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp'
+  properties: {
+    siteConfig: {
+      remoteDebuggingEnabled: false // or omit this property as it defaults to false
+    }
+  }
+}
+```
+
+## References
+
+* [Azure Web App Security Best Practices](https://learn.microsoft.com/en-us/azure/app-service/security-recommendations)
+* [Remote debugging in Azure App Service](https://learn.microsoft.com/en-us/azure/app-service/configure-language-dotnet-framework#remote-debugging)
+* [Common Weakness Enumeration: CWE-306](https://cwe.mitre.org/data/definitions/306.html)

ql/src/security/CWE-306/WebAppRemoteDebugging.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Remote debugging enabled in Web App
+ * @description Enabling remote debugging in production Azure Web Apps is a security risk.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id bicep/webapp-remote-debugging
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-306
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site, Web::SitesProperties::SiteConfig config
+where
+  config = site.getProperties().getSiteConfig() and
+  config.isRemoteDebuggingEnabled()
+select site, "Azure Web App has remote debugging enabled, which should not be used in production environments"

ql/src/security/CWE-319/InsecureWebAppFtpsState.md

@@ -0,0 +1,63 @@
+# Insecure FTPS state in Web App
+
+Using insecure FTP or allowing both FTP and FTPS in Azure Web Apps can expose sensitive credentials and data. FTP (File Transfer Protocol) transmits data and credentials in plaintext, which can be intercepted by attackers through network sniffing.
+
+## Recommendation
+
+Use secure file transfer by setting the `ftpsState` property to `FtpsOnly` to enforce FTPS (FTP Secure), which encrypts the connection. If file transfer is not needed, consider setting it to `Disabled`.
+
+## Example
+
+Insecure configurations:
+
+```bicep
+// Allows both FTP and FTPS
+resource webApp1 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp1'
+  properties: {
+    siteConfig: {
+      ftpsState: 'AllAllowed'
+    }
+  }
+}
+
+// Only allows insecure FTP
+resource webApp2 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp2'
+  properties: {
+    siteConfig: {
+      ftpsState: 'FtpOnly'
+    }
+  }
+}
+```
+
+Secure configurations:
+
+```bicep
+// Only allows secure FTPS
+resource webApp3 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp3'
+  properties: {
+    siteConfig: {
+      ftpsState: 'FtpsOnly'
+    }
+  }
+}
+
+// Disables both FTP and FTPS
+resource webApp4 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp4'
+  properties: {
+    siteConfig: {
+      ftpsState: 'Disabled'
+    }
+  }
+}
+```
+
+## References
+
+* [Azure Web App Security Best Practices](https://learn.microsoft.com/en-us/azure/app-service/security-recommendations)
+* [FTP/S connection settings for Azure App Service](https://learn.microsoft.com/en-us/azure/app-service/configure-ftp-deploy)
+* [Common Weakness Enumeration: CWE-319](https://cwe.mitre.org/data/definitions/319.html)

ql/src/security/CWE-319/InsecureWebAppFtpsState.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Insecure FTPS state in Web App
+ * @description Using insecure FTP or allowing both FTP and FTPS in Azure Web Apps can expose sensitive credentials and data.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.8
+ * @precision high
+ * @id bicep/insecure-webapp-ftps-state
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-319
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site, Web::SitesProperties::SiteConfig config, StringLiteral ftpsState
+where
+  config = site.getProperties().getSiteConfig() and
+  ftpsState = config.getFtpsState() and
+  (
+    ftpsState.getValue() = "AllAllowed" or
+    ftpsState.getValue() = "FtpOnly"
+  )
+select site, "Azure Web App allows insecure FTP protocol: " + ftpsState.getValue() + ". Use 'FtpsOnly' or 'Disabled' instead."

ql/src/security/CWE-319/InsecureWebAppTlsVersion.actual

@@ -0,0 +1,41 @@
+# Insecure TLS version in Web App
+
+Using an insecure TLS version (TLS 1.0 or TLS 1.1) in an Azure Web App may lead to security vulnerabilities. These older TLS versions have known security weaknesses that can be exploited by attackers.
+
+## Recommendation
+
+Configure Web Apps to use at least TLS 1.2 by setting the `minTlsVersion` property to "1.2".
+
+## Example
+
+Insecure configuration:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp'
+  properties: {
+    siteConfig: {
+      minTlsVersion: '1.1'
+    }
+  }
+}
+```
+
+Secure configuration:
+
+```bicep
+resource webApp 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp'
+  properties: {
+    siteConfig: {
+      minTlsVersion: '1.2'
+    }
+  }
+}
+```
+
+## References
+
+* [Azure Web App Security Best Practices](https://learn.microsoft.com/en-us/azure/app-service/security-recommendations)
+* [Transport Layer Security (TLS) - Azure App Service](https://learn.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-tls-versions)
+* [Common Weakness Enumeration: CWE-319](https://cwe.mitre.org/data/definitions/319.html)

ql/src/security/CWE-319/InsecureWebAppTlsVersion.md

@@ -0,0 +1,26 @@
+/**
+ * @name Insecure TLS version in Web App
+ * @description Using an insecure TLS version in an Azure Web App may lead to security vulnerabilities.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.1
+ * @precision high
+ * @id bicep/insecure-webapp-tls-version
+ * @tags security
+ *       bicep
+ *       azure
+ *       CWE-319
+ */
+
+import bicep
+import codeql.bicep.frameworks.Microsoft.Web
+
+from Web::SitesResource site, Web::SitesProperties::SiteConfig config, StringLiteral tlsVersion
+where
+  config = site.getProperties().getSiteConfig() and
+  tlsVersion = config.getMinTlsVersion() and
+  (
+    tlsVersion.getValue() = "1.0" or
+    tlsVersion.getValue() = "1.1"
+  )
+select site, "Azure Web App configured with insecure TLS version: " + tlsVersion.getValue()

ql/src/security/CWE-319/InsecureWebAppTlsVersion.ql

@@ -0,0 +1,2 @@
+| app.bicep:4:1:12:1 | AppService[webAppBad1] | Azure Web App has remote debugging enabled, which should not be used in production environments |
+| app.bicep:15:1:24:1 | AppService[webAppBad2] | Azure Web App has remote debugging enabled, which should not be used in production environments |

ql/test/queries-tests/security/CWE-306/WebAppRemoteDebugging/WebAppRemoteDebugging.expected

@@ -0,0 +1 @@
+security/CWE-306/WebAppRemoteDebugging.ql

ql/test/queries-tests/security/CWE-306/WebAppRemoteDebugging/WebAppRemoteDebugging.qlref

@@ -0,0 +1,46 @@
+// Test cases for WebAppRemoteDebugging.ql
+
+// BAD: Remote debugging is enabled
+resource webAppBad1 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp-bad1'
+  location: 'eastus'
+  properties: {
+    siteConfig: {
+      remoteDebuggingEnabled: true
+    }
+  }
+}
+
+// BAD: Remote debugging is enabled with a specific version
+resource webAppBad2 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp-bad2'
+  location: 'eastus'
+  properties: {
+    siteConfig: {
+      remoteDebuggingEnabled: true
+      remoteDebuggingVersion: 'VS2019'
+    }
+  }
+}
+
+// GOOD: Remote debugging is explicitly disabled
+resource webAppGood1 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp-good1'
+  location: 'eastus'
+  properties: {
+    siteConfig: {
+      remoteDebuggingEnabled: false
+    }
+  }
+}
+
+// GOOD: Remote debugging is not specified (defaults to disabled)
+resource webAppGood2 'Microsoft.Web/sites@2021-03-01' = {
+  name: 'mywebapp-good2'
+  location: 'eastus'
+  properties: {
+    siteConfig: {
+      // No remoteDebuggingEnabled property
+    }
+  }
+}