Merge pull request #8 from brightcove/update_2024q2

SECENG-1343 - Update 2024Q2

Author: arevelo-bc

.github/workflows/codeql.yml

@@ -21,14 +21,14 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/integration_tests.yml

@@ -14,7 +14,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 

.github/workflows/unit_tests.yml

@@ -14,14 +14,14 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up Python 3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: "3.11"
           cache: 'pip' # caching pip dependencies
       - run : pip install -r requirements-dev.txt
 
       - name: Linting and formatting
-        uses: pre-commit/action@v3.0.0
+        uses: pre-commit/action@v3.0.1
         with:
           extra_args: --all-files --show-diff-on-failure
 

.pre-commit-config.yaml

@@ -34,7 +34,7 @@ repos:
         args: [--py3-plus]
         exclude: .\.tf | ^\.github/
 -   repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 24.3.0
     hooks:
     -   id: black
         args: [--line-length=120]
@@ -45,7 +45,7 @@ repos:
     -   id: bandit
         exclude: .\.tf | ^\.github/
 -   repo: https://github.com/pycqa/prospector
-    rev: v1.8.4
+    rev: v1.10.3
     hooks:
     -   id: prospector
         args:

.whitesource

@@ -1,5 +1,5 @@
 # OWASP Domain Protect
-![Release version](https://img.shields.io/badge/release-v0.4.4-blue.svg)
+![Release version](https://img.shields.io/badge/release-v0.4.7-blue.svg)
 [![Python 3.x](https://img.shields.io/badge/Python-3.x-blue.svg)](https://www.python.org/)
 [![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
 ![OWASP Maturity](https://img.shields.io/badge/owasp-incubator%20project-53AAE5.svg)

README.md

@@ -44,7 +44,7 @@ To set up the DNS mock to throw an error:
 dns_mock.add_lookup("sub.ns.co.uk", "sub.ns.co.uk", exception=dns.resolver.NoNameservers)
 ```
 
-The DNS mock is set up in a pytest fixture in `intergation_tests/conftest.py`, so to use the mock in a test simply add `dns_mock` to your tests parameter list and pytest will pass in an instance of the mock.
+The DNS mock is set up in a pytest fixture in `integration_tests/conftest.py`, so to use the mock in a test simply add `dns_mock` to your tests parameter list and pytest will pass in an instance of the mock.
 
 ### Mocking AWS
 

docs/integration-tests.md

@@ -1,7 +1,7 @@
 # Alias CloudFront
 * Deploy [aws-cloudfront](https://github.com/celidor/aws-cloudfront) using Terraform
 * This will create resources in CloudFront, S3, Certificate Manager and Route53
-* Route53 record is a CNAME pointing to the CloudFront distrubtion
+* Route53 record is a CNAME pointing to the CloudFront distribution
 * Delete the CNAME record manually via the console
 * Create an Alias record manually via the console as below
 * Delete the origin S3 bucket manually using the console

docs/test-records/alias-cloudfront.md

@@ -1,7 +1,7 @@
 # CNAME CloudFront
 * Deploy [aws-cloudfront](https://github.com/celidor/aws-cloudfront) using Terraform
 * This will create resources in CloudFront, S3, Certificate Manager and Route53
-* Route53 record is a CNAME pointing to the CloudFront distrubtion
+* Route53 record is a CNAME pointing to the CloudFront distribution
 * Delete the origin S3 bucket manually using the console
 
 ![Alt text](images/cname-cloudfront.png?raw=true "CloudFront Distribution")

docs/test-records/cname-cloudfront.md

@@ -4,6 +4,7 @@
 
 import boto3
 import pytest
+from moto import mock_cloudfront
 from moto import mock_route53
 
 from integration_tests.mocks.cloudflare_mock import CloudFlareMock
@@ -38,3 +39,10 @@ def aws_credentials():
 def moto_route53(aws_credentials):
     with mock_route53():
         yield boto3.client("route53", region_name="us-east-1")
+
+
+# pylint: disable=unused-argument
+@pytest.fixture(scope="function")
+def moto_cloudfront(aws_credentials):
+    with mock_cloudfront():
+        yield boto3.client("cloudfront", region_name="us-east-1")

integration_tests/conftest.py

@@ -0,0 +1,113 @@
+def setup_cloudfront_distribution_with_origin_url(moto_cloudfront, origin_domain_name, is_s3=True):
+    # NOTE: All the fields below are required
+    config = {
+        "Origins": {
+            "Quantity": 1,
+            "Items": [
+                {
+                    "Id": "MyOrigin",
+                    "DomainName": origin_domain_name,
+                    "S3OriginConfig": {
+                        "OriginAccessIdentity": "",
+                    },
+                },
+            ],
+        },
+        "Enabled": True,
+        "Comment": "test",
+        "CallerReference": "test",
+        "Aliases": {
+            "Quantity": 2,
+            "Items": [
+                "vulnerable.domain-protect.com",
+                "something.else.com",
+            ],
+        },
+        "DefaultCacheBehavior": {
+            "AllowedMethods": {
+                "Quantity": 2,
+                "Items": ["GET", "HEAD"],
+                "CachedMethods": {
+                    "Quantity": 2,
+                    "Items": ["GET", "HEAD"],
+                },
+            },
+            "ViewerProtocolPolicy": "allow-all",
+            "TargetOriginId": "MyOrigin",
+            "ForwardedValues": {
+                "QueryString": False,
+                "Cookies": {
+                    "Forward": "none",
+                },
+            },
+        },
+    }
+    if not is_s3:
+        del config["Origins"]["Items"][0]["S3OriginConfig"]
+        config["Origins"]["Items"][0]["CustomOriginConfig"] = {
+            "HTTPPort": 80,
+            "HTTPSPort": 443,
+            "OriginProtocolPolicy": "http-only",
+        }
+
+    distribution = moto_cloudfront.create_distribution(DistributionConfig=config)
+
+    # NOTE: From moto's documentation, this list_distributions() call is needed to "advance" the distribution to a deployed state
+    distributions = moto_cloudfront.list_distributions()
+    return distributions["DistributionList"]["Items"][0]
+
+
+def setup_hosted_zone_with_alias(moto_route53, target_dns_name):
+    hosted_zone = moto_route53.create_hosted_zone(
+        Name="domain-protect.com",
+        CallerReference="123abc",
+        HostedZoneConfig={"Comment": "", "PrivateZone": False},
+    )
+    moto_route53.change_resource_record_sets(
+        HostedZoneId=hosted_zone["HostedZone"]["Id"],
+        ChangeBatch={
+            "Comment": "Create alias record set",
+            "Changes": [
+                {
+                    "Action": "CREATE",
+                    "ResourceRecordSet": {
+                        "Name": "vulnerable.domain-protect.com",
+                        "Type": "A",
+                        "AliasTarget": {
+                            "HostedZoneId": hosted_zone["HostedZone"]["Id"],
+                            "DNSName": target_dns_name,
+                            "EvaluateTargetHealth": False,
+                        },
+                    },
+                },
+            ],
+        },
+    )
+
+
+def setup_hosted_zone_with_cname(moto_route53, target_dns_name):
+    hosted_zone = moto_route53.create_hosted_zone(
+        Name="domain-protect.com",
+        CallerReference="123abc",
+        HostedZoneConfig={"Comment": "", "PrivateZone": False},
+    )
+    moto_route53.change_resource_record_sets(
+        HostedZoneId=hosted_zone["HostedZone"]["Id"],
+        ChangeBatch={
+            "Comment": "Create CNAME record set",
+            "Changes": [
+                {
+                    "Action": "CREATE",
+                    "ResourceRecordSet": {
+                        "Name": "vulnerable.domain-protect.com",
+                        "Type": "CNAME",
+                        "ResourceRecords": [
+                            {
+                                "Value": target_dns_name,
+                            },
+                        ],
+                    },
+                },
+            ],
+        },
+    )

integration_tests/manual_scans/aws/common.py

@@ -0,0 +1,97 @@
+from unittest.mock import call
+from unittest.mock import patch
+
+import requests
+from common import setup_cloudfront_distribution_with_origin_url
+from common import setup_hosted_zone_with_alias
+
+from manual_scans.aws.aws_alias_cloudfront_s3 import main
+
+
+@patch("manual_scans.aws.aws_alias_cloudfront_s3.print_list")
+@patch("argparse.ArgumentParser")
+def test_main_detects_vulnerable_domains(arg_parse_mock, print_list_mock, moto_route53, moto_cloudfront, requests_mock):
+    cloudfront = setup_cloudfront_distribution_with_origin_url(moto_cloudfront, "my-bucket.s3.us-east-1.amazonaws.com")
+    setup_hosted_zone_with_alias(moto_route53, cloudfront["DomainName"])
+
+    requests_mock.get("https://vulnerable.domain-protect.com.", status_code=404, text="<Code>NotFound</Code>")
+    requests_mock.get("https://my-bucket.s3.us-east-1.amazonaws.com", status_code=404, text="<Code>NoSuchBucket</Code>")
+
+    main()
+
+    print_list_mock.assert_has_calls(
+        [
+            call(["vulnerable.domain-protect.com."], "INSECURE_WS"),
+            call([cloudfront["DomainName"]], "OUTPUT_WS"),
+        ],
+    )
+
+
+@patch("manual_scans.aws.aws_alias_cloudfront_s3.print_list")
+@patch("argparse.ArgumentParser")
+def test_main_ignores_non_vulnerable_domains(
+    arg_parse_mock,
+    print_list_mock,
+    moto_route53,
+    moto_cloudfront,
+    requests_mock,
+):
+    cloudfront = setup_cloudfront_distribution_with_origin_url(moto_cloudfront, "my-bucket.s3.us-east-1.amazonaws.com")
+    setup_hosted_zone_with_alias(moto_route53, cloudfront["DomainName"])
+
+    requests_mock.get("https://vulnerable.domain-protect.com.", status_code=200, text="All good here")
+
+    main()
+
+    print_list_mock.assert_not_called()
+
+
+@patch("manual_scans.aws.aws_alias_cloudfront_s3.print_list")
+@patch("argparse.ArgumentParser")
+def test_main_ignores_non_vulnerable_domains_2(
+    arg_parse_mock,
+    print_list_mock,
+    moto_route53,
+    moto_cloudfront,
+    requests_mock,
+):
+    cloudfront = setup_cloudfront_distribution_with_origin_url(moto_cloudfront, "my-bucket.s3.us-east-1.amazonaws.com")
+    setup_hosted_zone_with_alias(moto_route53, cloudfront["DomainName"])
+
+    requests_mock.get("https://vulnerable.domain-protect.com.", status_code=404, text="<Code>NotFound</Code>")
+    requests_mock.get("https://my-bucket.s3.us-east-1.amazonaws.com", status_code=200, text="All good there")
+    main()
+
+    print_list_mock.assert_not_called()
+
+
+@patch("manual_scans.aws.aws_alias_cloudfront_s3.print_list")
+@patch("argparse.ArgumentParser")
+def test_main_ignores_domains_with_non_s3_origins(
+    arg_parse_mock,
+    print_list_mock,
+    moto_route53,
+    moto_cloudfront,
+    requests_mock,
+):
+    cloudfront = setup_cloudfront_distribution_with_origin_url(
+        moto_cloudfront,
+        "non-s3-origin.example.com",
+        is_s3=False,
+    )
+    setup_hosted_zone_with_alias(moto_route53, cloudfront["DomainName"])
+
+    requests_mock.get("https://vulnerable.domain-protect.com.", status_code=404, text="<Code>NotFound</Code>")
+
+    main()
+
+    print_list_mock.assert_not_called()
+
+
+@patch("manual_scans.aws.aws_alias_cloudfront_s3.print_list")
+@patch("argparse.ArgumentParser")
+def test_main_no_cloudfront_distribution(arg_parse_mock, print_list_mock, moto_route53, moto_cloudfront, requests_mock):
+    main()
+
+    print_list_mock.assert_not_called()
+    # Implicitly, we also assert no exception is raised