typescript.aws-cdk.security.awscdk-bucket-grantpublicaccessmethod.awscdk-bucket-grantpublicaccessmethod


Using the GrantPublicAccess method on bucket construct $X will make the objects in the bucket world-accessible. Verify that this is intentional.


Definition

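rules:
  - id: awscdk-bucket-grantpublicaccessmethod
    # Flags a call to grantPublicAccess() on a Bucket construct bound with
    # `const` in the same scope. The `...` between the two statements lets any
    # number of unrelated statements sit in between. Arguments to the call are
    # not inspected; the finding only asks the reviewer to confirm intent.
    # Limitation: `let`/`var` bindings and property assignments
    # (e.g. `this.bucket = new Bucket(...)`) are not matched.
    message: Using the GrantPublicAccess method on bucket construct $X will make the
      objects in the bucket world accessible. Verify if this is intentional.
    metadata:
      cwe:
        - "CWE-306: Missing Authentication for Critical Function"
      category: security
      technology:
        - AWS-CDK
      references:
        - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-overview.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authentication
    languages:
      - ts
    severity: WARNING
    pattern-either:
      # CDK v1 package (@aws-cdk/aws-s3), named import.
      - patterns:
          - pattern-inside: |
              import {Bucket} from '@aws-cdk/aws-s3'
              ...
          - pattern: |
              const $X = new Bucket(...)
              ...
              $X.grantPublicAccess(...)
      # CDK v1 package (@aws-cdk/aws-s3), namespace import under any alias.
      - patterns:
          - pattern-inside: |
              import * as $Y from '@aws-cdk/aws-s3'
              ...
          - pattern: |
              const $X = new $Y.Bucket(...)
              ...
              $X.grantPublicAccess(...)
      # CDK v2 subpath (aws-cdk-lib/aws-s3), named import. Without these two
      # branches every v2 stack is a silent false negative.
      - patterns:
          - pattern-inside: |
              import {Bucket} from 'aws-cdk-lib/aws-s3'
              ...
          - pattern: |
              const $X = new Bucket(...)
              ...
              $X.grantPublicAccess(...)
      # CDK v2 subpath (aws-cdk-lib/aws-s3), namespace import under any alias.
      - patterns:
          - pattern-inside: |
              import * as $Y from 'aws-cdk-lib/aws-s3'
              ...
          - pattern: |
              const $X = new $Y.Bucket(...)
              ...
              $X.grantPublicAccess(...)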

Examples

awscdk-bucket-grantpublicaccessmethod.ts

import * as cdk from '@aws-cdk/core';
import * as s3 from '@aws-cdk/aws-s3';
import * as rename_s3  from '@aws-cdk/aws-s3';
import {Bucket} from '@aws-cdk/aws-s3';

/**
 * Semgrep test fixture for the rule `awscdk-bucket-grantpublicaccessmethod`.
 *
 * A `// ruleid:` comment marks the statement on the following line as an
 * expected finding; an `// ok:` comment marks an expected non-finding. These
 * annotations and the statement order are what the rule is tested against,
 * so none of the code below is decorative even though the stack does nothing.
 *
 * The three groups cover the import forms the rule matches: a namespace
 * import (`s3`), a renamed namespace import (`rename_s3`) and a named
 * import (`Bucket`). In each group one bucket has an unrelated statement
 * between construction and `grantPublicAccess()`, one calls it directly, and
 * one never calls it.
 *
 * NOTE(review): every construct reuses the id 'bucket'. A real CDK stack
 * would presumably reject the duplicate construct ids at synth time; that is
 * irrelevant here because this file is only scanned, never synthesized.
 */
export class CdkStarterStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Namespace import `s3`: a finding is still expected when an unrelated
    // statement separates the construct from the grantPublicAccess() call.
    // ruleid:awscdk-bucket-grantpublicaccessmethod
    const publicBucket1 = new s3.Bucket(this, 'bucket')
    console.log('something unrelated')
    publicBucket1.grantPublicAccess()

    // Namespace import `s3`: call immediately after construction.
    // ruleid:awscdk-bucket-grantpublicaccessmethod
    const publicBucket2 = new s3.Bucket(this, 'bucket')
    publicBucket2.grantPublicAccess()

    // Bucket that is never made public; must not be reported.
    // ok:awscdk-bucket-grantpublicaccessmethod
    const nonPublicBucketRenamed = new rename_s3.Bucket(this, 'bucket')

    // Renamed namespace import `rename_s3`: the rule binds the alias to $Y,
    // so the alias name must not matter.
    // ruleid:awscdk-bucket-grantpublicaccessmethod
    const publicBucket1Rename = new rename_s3.Bucket(this, 'bucket')
    console.log('something unrelated')
    publicBucket1Rename.grantPublicAccess()

    // Renamed namespace import: call immediately after construction.
    // ruleid:awscdk-bucket-grantpublicaccessmethod
    const publicBucket2Rename = new rename_s3.Bucket(this, 'bucket')
    publicBucket2Rename.grantPublicAccess()

    // Bucket that is never made public; must not be reported.
    // ok:awscdk-bucket-grantpublicaccessmethod
    const nonPublicBucketRename = new rename_s3.Bucket(this, 'bucket')

    // Named import `Bucket`, with an unrelated statement in between.
    // ruleid:awscdk-bucket-grantpublicaccessmethod
    const publicBucket1Direct = new Bucket(this, 'bucket')
    console.log('something unrelated')
    publicBucket1Direct.grantPublicAccess()

    // Named import `Bucket`: call immediately after construction.
    // ruleid:awscdk-bucket-grantpublicaccessmethod
    const publicBucket2Direct = new Bucket(this, 'bucket')
    publicBucket2Direct.grantPublicAccess()

    // Bucket that is never made public; must not be reported.
    // ok:awscdk-bucket-grantpublicaccessmethod
    const nonPublicBucketDirect = new Bucket(this, 'bucket')
  }
}