terraform.aws.best-practice.missing-alb-drop-http-headers.missing-alb-drop-http-headers

Detected an AWS load balancer that is not configured to drop invalid HTTP headers. Add drop_invalid_header_fields = true in your resource block.

Definition

rules:
  - id: missing-alb-drop-http-headers
    severity: WARNING
    languages:
      - hcl
    message: Detected a AWS load balancer that is not configured to drop invalid
      HTTP headers. Add `drop_invalid_header_fields = true` in your resource
      block.
    metadata:
      category: best-practice
      technology:
        - aws
        - terraform
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    # Report any aws_lb / aws_alb resource (aws_alb is the older alias of the
    # same resource type) unless its own block sets the attribute to true.
    # With drop_invalid_header_fields = true the load balancer discards header
    # fields whose names are not valid instead of routing them to targets,
    # which removes one class of malformed-header (HTTP desync) input from
    # the backends.
    patterns:
      # Match either spelling of the resource; the `...` accepts any body.
      - pattern-either:
          - pattern: |
              resource "aws_lb" $ENABLED {
                ...
              }
          - pattern: |
              resource "aws_alb" $ENABLED {
                ...
              }
      # Exclude a resource only when the literal `= true` appears in its body.
      # A missing attribute (the provider default is false) and an explicit
      # `= false` are both reported. The comparison is literal, so a value
      # taken from a variable is still reported (conservative). The rule does
      # not check load_balancer_type, so non-application load balancers, where
      # this attribute is not meaningful, are reported as well.
      - pattern-not-inside: |
          resource $ANYTHING $ENABLED {
            ...
            drop_invalid_header_fields = true
            ...
          }

Examples

missing-alb-drop-http-headers.tf

# Copyright 2019 Bridgecrew
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Negative fixture: the attribute is present and literally true, so the
# rule's pattern-not-inside exclusion applies and nothing is reported.
# internal = false makes this an internet-facing application load balancer,
# the deployment where discarding malformed headers at the edge matters most.
# ok: missing-alb-drop-http-headers
resource "aws_lb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  drop_invalid_header_fields = true
}

# Negative fixture for the aws_alb alias of aws_lb: same body as the aws_lb
# case above, confirming the exclusion works for both resource type names.
# ok: missing-alb-drop-http-headers
resource "aws_alb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  drop_invalid_header_fields = true
}

# Positive fixture: drop_invalid_header_fields is omitted entirely, so the
# provider default (false) applies and invalid header fields are routed to
# targets. The rule must report this even though nothing is written wrong.
# ruleid: missing-alb-drop-http-headers
resource "aws_lb" "default" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids
}

# Positive fixture: omitted attribute on the aws_alb alias; expected to be
# reported for the same reason as the aws_lb "default" case above.
# ruleid: missing-alb-drop-http-headers
resource "aws_alb" "default" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids
}

# Positive fixture: the attribute is present but explicitly false. The rule's
# exclusion only matches the literal `= true`, so this is still reported;
# an explicit false is the same exposure as the default.
# ruleid: missing-alb-drop-http-headers
resource "aws_lb" "disabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  drop_invalid_header_fields = false # explicitly disabled; still a finding
}

# Positive fixture: explicit false on the aws_alb alias; reported for the
# same reason as the aws_lb "disabled" case above.
# ruleid: missing-alb-drop-http-headers
resource "aws_alb" "disabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  drop_invalid_header_fields = false # explicitly disabled; still a finding
}