eslint-plugin-sonarjs/cjs/S6317/rule.js

SonarJS rules for ESLint

"use strict";
/*
 * SonarQube JavaScript Plugin
 * Copyright (C) 2011-2025 SonarSource SA
 * mailto:info AT sonarsource DOT com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the Sonar Source-Available License for more details.
 *
 * You should have received a copy of the Sonar Source-Available License
 * along with this program; if not, see https://sonarsource.com/license/ssal/
 */
// https://sonarsource.github.io/rspec/#/rspec/S6317/javascript
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    var desc = Object.getOwnPropertyDescriptor(m, k);
    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
      desc = { enumerable: true, get: function() { return m[k]; } };
    }
    Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
    o["default"] = v;
});
var __importStar = (this && this.__importStar) || (function () {
    var ownKeys = function(o) {
        ownKeys = Object.getOwnPropertyNames || function (o) {
            var ar = [];
            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
            return ar;
        };
        return ownKeys(o);
    };
    return function (mod) {
        if (mod && mod.__esModule) return mod;
        var result = {};
        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
        __setModuleDefault(result, mod);
        return result;
    };
})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.rule = void 0;
const index_js_1 = require("../helpers/index.js");
const result_js_1 = require("../helpers/result.js");
const iam_js_1 = require("../helpers/aws/iam.js");
const meta = __importStar(require("./generated-meta.js"));
const SENSITIVE_RESOURCE = /^(\*|arn:[^:]*:[^:]*:[^:]*:[^:]*:(role|user|group)\/\*)$/;
const SENSITIVE_ACTIONS = [
    'cloudformation:CreateStack',
    'datapipeline:CreatePipeline',
    'datapipeline:PutPipelineDefinition',
    'ec2:RunInstances',
    'glue:CreateDevEndpoint',
    'glue:UpdateDevEndpoint',
    'iam:AddUserToGroup',
    'iam:AttachGroupPolicy',
    'iam:AttachRolePolicy',
    'iam:AttachUserPolicy',
    'iam:CreateAccessKey',
    'iam:CreateLoginProfile',
    'iam:CreatePolicyVersion',
    'iam:PassRole',
    'iam:PutGroupPolicy',
    'iam:PutRolePolicy',
    'iam:PutUserPolicy',
    'iam:SetDefaultPolicyVersion',
    'iam:UpdateAssumeRolePolicy',
    'iam:UpdateLoginProfile',
    'lambda:AddPermission',
    'lambda:CreateEventSourceMapping',
    'lambda:CreateFunction',
    'lambda:InvokeFunction',
    'lambda:UpdateFunctionCode',
    'sts:AssumeRole',
];
const MESSAGES = {
    message: (attackVectorName) => `This policy is vulnerable to the "${attackVectorName}" privilege escalation vector. ` +
        'Remove permissions or restrict the set of resources they apply to.',
    secondary: 'Permissions are granted on all resources.',
};
exports.rule = (0, iam_js_1.AwsIamPolicyTemplate)(privilegeEscalationStatementChecker, (0, index_js_1.generateMeta)(meta));
function privilegeEscalationStatementChecker(expr, ctx, options) {
    const properties = (0, result_js_1.getResultOfExpression)(ctx, expr);
    const effect = (0, iam_js_1.getSensitiveEffect)(properties, ctx, options);
    const resource = getSensitiveResource(properties, options);
    const action = getSensitiveAction(properties, options);
    if (!hasExceptionProperties(properties, options) &&
        (effect.isFound || effect.isMissing) &&
        resource &&
        action) {
        (0, index_js_1.report)(ctx, {
            message: MESSAGES.message(action.value),
            node: resource,
        }, [(0, index_js_1.toSecondaryLocation)(action, MESSAGES.secondary)]);
    }
}
function getSensitiveAction(properties, options) {
    const actions = properties.getProperty(options.actions.property);
    return actions.asStringLiterals().find(isSensitiveAction);
}
function getSensitiveResource(properties, options) {
    const resources = properties.getProperty(options.resources.property);
    return resources.asStringLiterals().find(isSensitiveResource);
}
function isSensitiveAction(action) {
    return SENSITIVE_ACTIONS.includes(action.value);
}
function isSensitiveResource(resource) {
    return SENSITIVE_RESOURCE.test(resource.value);
}
function hasExceptionProperties(properties, options) {
    const exceptionProperties = [options.principals.property, options.conditions.property];
    return exceptionProperties.some(prop => !properties.getProperty(prop).isMissing);
}