terraform.azure.security.appservice.appservice-enable-https-only.appservice-enable-https-only

semgrep

Author

unknown

Download Count*

License

By default, clients can connect to App Service by using both HTTP or HTTPS. HTTP should be disabled enabling the HTTPS Only setting.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: appservice-enable-https-only
    message: By default, clients can connect to App Service by using both HTTP or
      HTTPS. HTTP should be disabled enabling the HTTPS Only setting.
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_app_service" "..." {
          ...
            https_only = true
          ...
          }
      - pattern-either:
          - pattern-inside: |
              resource "azurerm_app_service" "..." {
              ...
              }
          - pattern-inside: |
              resource "azurerm_app_service" "..." {
              ...
                https_only = false
              ...
              }
    metadata:
      cwe:
        - "CWE-319: Cleartext Transmission of Sensitive Information"
      category: security
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#https_only
        - https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Mishandled Sensitive Information
    languages:
      - hcl
    severity: ERROR

Examples

appservice-enable-https-only.tf

resource "azurerm_app_service" "good_example" {
    name                       = "example-app-service"
    location                   = azurerm_resource_group.example.location
    resource_group_name        = azurerm_resource_group.example.name
    app_service_plan_id        = azurerm_app_service_plan.example.id
    https_only                 = true
}

# ruleid: appservice-enable-https-only
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
  https_only          = false
}

# ruleid: appservice-enable-https-only
resource "azurerm_app_service" "bad_example" {
  name                = "example-app-service"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  app_service_plan_id = azurerm_app_service_plan.example.id
}

Short Link: https://sg.run/GOKp