Merge pull request #5 from GitHubSecurityLab/crypto-tls-disabled

GeekMasher · web-flow · commit eb8fb26ca4dc · 2025-06-11T13:10:26.000+01:00
feat(query): Add TLS Disabled query
diff --git a/ql/lib/codeql/bicep/Concepts.qll b/ql/lib/codeql/bicep/Concepts.qll
@@ -12,6 +12,10 @@ abstract class PublicResource extends Resource {
 }
 
 module Cryptography {
+  abstract class TlsDisabled extends Resource {
+    abstract boolean isTlsDisabled();
+  }
+
   abstract class WeakTlsVersion extends Resource {
     abstract StringLiteral getWeakTlsVersionProperty();
 
diff --git a/ql/lib/codeql/bicep/frameworks/Microsoft/Cache.qll b/ql/lib/codeql/bicep/frameworks/Microsoft/Cache.qll
@@ -76,6 +76,18 @@ module Cache {
     }
   }
 
+  class RedisCacheTlsDisabled extends RedisCacheResource, Cryptography::TlsDisabled {
+    override boolean isTlsDisabled() {
+      exists(boolean tlsPortDisabled | tlsPortDisabled = this.enableNonSslPort() |
+        tlsPortDisabled = true and
+        result = false
+        or
+        tlsPortDisabled = false and
+        result = true
+      )
+    }
+  }
+
   module CacheProperties {
     /**
      * Represents the properties object for a Redis cache resource.
diff --git a/ql/src/security/CWE-327/TlsDisabled.md b/ql/src/security/CWE-327/TlsDisabled.md
@@ -0,0 +1,44 @@
+# TLS Disabled
+
+Disabling TLS (Transport Layer Security) exposes resources to unencrypted network traffic, making them vulnerable to interception and attacks. Always ensure TLS is enabled for all network-accessible resources.
+
+## Bad Example
+The following Bicep resource has `enableNonSslPort` set to `true`, which disables TLS and allows unencrypted connections:
+
+```bicep
+resource redis 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'myredis'
+  location: 'eastus'
+  properties: {
+    enableNonSslPort: true
+    publicNetworkAccess: 'Enabled'
+  }
+}
+```
+
+## Good Example
+The following Bicep resources either do not set `enableNonSslPort` (defaulting to secure) or explicitly set it to `false`, ensuring TLS is enforced:
+
+```bicep
+// TLS enforced by default (property not set)
+resource redis1 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis1'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Enabled'
+  }
+}
+
+// TLS explicitly enforced
+resource redis2 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis2'
+  location: 'eastus'
+  properties: {
+    enableNonSslPort: false
+    publicNetworkAccess: 'Enabled'
+  }
+}
+```
+
+## Recommendation
+Always leave `enableNonSslPort` unset or set it to `false` to ensure all connections are encrypted using TLS.
diff --git a/ql/src/security/CWE-327/TlsDisabled.ql b/ql/src/security/CWE-327/TlsDisabled.ql
@@ -0,0 +1,18 @@
+/**
+ * @name TLS Disabled
+ * @description Detects resources where TLS is disabled, which is insecure.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 8.5
+ * @precision high
+ * @id bicep/tls-disabled
+ * @tags security
+ *       bicep
+ *       azure
+ *       cryptography
+ */
+import bicep
+
+from Cryptography::TlsDisabled resource
+where resource.isTlsDisabled() = true
+select resource, "TLS is disabled for this resource"
diff --git a/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.expected b/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.expected
@@ -0,0 +1,2 @@
+| app.bicep:12:1:19:1 | RedisCacheResource | TLS is disabled for this resource |
+| app.bicep:22:1:29:1 | RedisCacheResource | TLS is disabled for this resource |
diff --git a/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.qlref b/ql/test/queries-tests/security/CWE-327/TlsDisabled/TlsDisabled.qlref
@@ -0,0 +1 @@
+security/CWE-327/TlsDisabled.ql
diff --git a/ql/test/queries-tests/security/CWE-327/TlsDisabled/app.bicep b/ql/test/queries-tests/security/CWE-327/TlsDisabled/app.bicep
@@ -0,0 +1,29 @@
+// Bicep sample with TLS disabled for testing
+// Case 1: enableNonSslPort not set (should be secure)
+resource redis1 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis1'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Enabled'
+  }
+}
+
+// Case 2: enableNonSslPort enabled (TLS disabled, should trigger)
+resource redis2 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis2'
+  location: 'eastus'
+  properties: {
+    enableNonSslPort: true
+    publicNetworkAccess: 'Enabled'
+  }
+}
+
+// Case 3: enableNonSslPort disabled (TLS enforced, should be secure)
+resource redis3 'Microsoft.Cache/Redis@2021-06-01' = {
+  name: 'redis3'
+  location: 'eastus'
+  properties: {
+    enableNonSslPort: false
+    publicNetworkAccess: 'Enabled'
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,10 @@ abstract class PublicResource extends Resource {`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`module Cryptography {`
	`15`	`+ abstract class TlsDisabled extends Resource {`
	`16`	`+ abstract boolean isTlsDisabled();`
	`17`	`+ }`
	`18`	`+`
`15`	`19`	`abstract class WeakTlsVersion extends Resource {`
`16`	`20`	`abstract StringLiteral getWeakTlsVersionProperty();`
`17`	`21`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| app.bicep:12:1:19:1 \| RedisCacheResource \| TLS is disabled for this resource \|`
	`2`	`+\| app.bicep:22:1:29:1 \| RedisCacheResource \| TLS is disabled for this resource \|`