eslint-plugin-sonarjs
Version:
SonarJS rules for ESLint
93 lines (92 loc) • 3.88 kB
JavaScript
;
/*
* SonarQube JavaScript Plugin
* Copyright (C) 2011-2025 SonarSource SA
* mailto:info AT sonarsource DOT com
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the Sonar Source-Available License for more details.
*
* You should have received a copy of the Sonar Source-Available License
* along with this program; if not, see https://sonarsource.com/license/ssal/
*/
// https://sonarsource.github.io/rspec/#/rspec/S6317/javascript
Object.defineProperty(exports, "__esModule", { value: true });
exports.rule = void 0;
const index_js_1 = require("../helpers/index.js");
const result_js_1 = require("../helpers/result.js");
const iam_js_1 = require("../helpers/aws/iam.js");
const meta_js_1 = require("./meta.js");
const SENSITIVE_RESOURCE = /^(\*|arn:[^:]*:[^:]*:[^:]*:[^:]*:(role|user|group)\/\*)$/;
const SENSITIVE_ACTIONS = [
'cloudformation:CreateStack',
'datapipeline:CreatePipeline',
'datapipeline:PutPipelineDefinition',
'ec2:RunInstances',
'glue:CreateDevEndpoint',
'glue:UpdateDevEndpoint',
'iam:AddUserToGroup',
'iam:AttachGroupPolicy',
'iam:AttachRolePolicy',
'iam:AttachUserPolicy',
'iam:CreateAccessKey',
'iam:CreateLoginProfile',
'iam:CreatePolicyVersion',
'iam:PassRole',
'iam:PutGroupPolicy',
'iam:PutRolePolicy',
'iam:PutUserPolicy',
'iam:SetDefaultPolicyVersion',
'iam:UpdateAssumeRolePolicy',
'iam:UpdateLoginProfile',
'lambda:AddPermission',
'lambda:CreateEventSourceMapping',
'lambda:CreateFunction',
'lambda:InvokeFunction',
'lambda:UpdateFunctionCode',
'sts:AssumeRole',
];
const MESSAGES = {
message: (attackVectorName) => `This policy is vulnerable to the "${attackVectorName}" privilege escalation vector. ` +
'Remove permissions or restrict the set of resources they apply to.',
secondary: 'Permissions are granted on all resources.',
};
exports.rule = (0, iam_js_1.AwsIamPolicyTemplate)(privilegeEscalationStatementChecker, (0, index_js_1.generateMeta)(meta_js_1.meta, undefined, true));
function privilegeEscalationStatementChecker(expr, ctx, options) {
const properties = (0, result_js_1.getResultOfExpression)(ctx, expr);
const effect = (0, iam_js_1.getSensitiveEffect)(properties, ctx, options);
const resource = getSensitiveResource(properties, options);
const action = getSensitiveAction(properties, options);
if (!hasExceptionProperties(properties, options) &&
(effect.isFound || effect.isMissing) &&
resource &&
action) {
(0, index_js_1.report)(ctx, {
message: MESSAGES.message(action.value),
node: resource,
}, [(0, index_js_1.toSecondaryLocation)(action, MESSAGES.secondary)]);
}
}
function getSensitiveAction(properties, options) {
const actions = properties.getProperty(options.actions.property);
return actions.asStringLiterals().find(isSensitiveAction);
}
function getSensitiveResource(properties, options) {
const resources = properties.getProperty(options.resources.property);
return resources.asStringLiterals().find(isSensitiveResource);
}
function isSensitiveAction(action) {
return SENSITIVE_ACTIONS.includes(action.value);
}
function isSensitiveResource(resource) {
return SENSITIVE_RESOURCE.test(resource.value);
}
function hasExceptionProperties(properties, options) {
const exceptionProperties = [options.principals.property, options.conditions.property];
return exceptionProperties.some(prop => !properties.getProperty(prop).isMissing);
}