terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1

profile photo of semgrepsemgrep
Author
unknown
Download Count*

Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC

Run Locally

Run in CI

Defintion

rules:
  - id: gcp-dns-key-specs-rsasha1
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_dns_managed_zone" "..." {
          ...
          dnssec_config {
              ...
              default_key_specs {
                  ...
                  algorithm  = "rsasha1"
                  key_type   = "zoneSigning"
                  ...
              }
              ...
          }
          ...
          }
      - pattern-inside: |
          resource "google_dns_managed_zone" "..." {
          ...
          dnssec_config {
              ...
              default_key_specs {
                  ...
                  algorithm  = "rsasha1"
                  key_type   = "keySigning"
                  ...
              }
              ...
          }
          ...
          }
    message: "Ensure that RSASHA1 is not used for the zone-signing and key-signing
      keys in Cloud DNS DNSSEC\t"
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

gcp-dns-key-specs-rsasha1.tf

# fail
# ruleid: gcp-dns-key-specs-rsasha1
resource "google_dns_managed_zone" "fail" {
    name        = "example-zone"
    dns_name    = "example-de13he3.com."
    description = "Example DNS zone"
    dnssec_config {
        state = on
        default_key_specs {
            algorithm  = "rsasha1"
            key_length = 1024
            key_type   = "zoneSigning"
        }
        default_key_specs {
            algorithm = "rsasha1"
            key_length = 2048
            key_type = "keySigning"
        }
    }
}

# ok: gcp-dns-key-specs-rsasha1
resource "google_dns_managed_zone" "success" {
    name        = "example-zone"
    dns_name    = "example-de13he3.com."
    description = "Example DNS zone"
    dnssec_config {
        state = on
        default_key_specs {
            algorithm  = "rsasha256"
            key_length = 1024
            key_type   = "zoneSigning"
        }
        default_key_specs {
            algorithm = "rsasha256"
            key_length = 2048
            key_type = "keySigning"
        }
    }
}