class Object

Public Instance Methods

blank?(str)

Checks a string for being missing, empty, or only containing spaces

# File lib/cfn-nag/util/blank.rb, line 4
def blank?(str)
  str.nil? || str.to_s.strip == ''
end
eval_code_in_object_scope(code)

This is meta-magic evil. eval apparently has lexical scope, so… this opens up Object to evaluate Ruby code that contains top-level class definitions.

Without this, the class ends up “under” the scope of the class which in this case would be S3BucketBasedRuleRepo

rubocop:disable Security/Eval

# File lib/cfn-nag/rule_repos/s3_based_rule_repo.rb, line 19
def eval_code_in_object_scope(code)
  eval code
end
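The scoping behaviour described above, as an added example that is not part of cfn-nag: `DemoRuleRepo`, `rule_source`, `scope_demo` and the rule class names are hypothetical, and the rule source is a constructed string rather than a file fetched from S3.

```ruby
# The helper as documented above: defined on Object, so the lexical scope
# seen by the evaluated code is the top level.
class Object
  def eval_code_in_object_scope(code)
    eval code # rubocop:disable Security/Eval
  end
end

# Hypothetical repo class standing in for S3BucketBasedRuleRepo.
class DemoRuleRepo
  # eval here inherits this method's lexical scope, i.e. DemoRuleRepo.
  def load_inline(code)
    eval code # rubocop:disable Security/Eval
  end

  def load_via_object(code)
    eval_code_in_object_scope code
  end
end

# Constructed rule source (assumption: rule files define top-level classes).
def rule_source(class_name)
  <<~RUBY
    class #{class_name}
      def rule_id
        'W9999'
      end
    end
  RUBY
end

# Loads one rule each way and reports where the resulting constant landed.
def scope_demo
  repo = DemoRuleRepo.new
  repo.load_inline(rule_source('InlineRule'))
  repo.load_via_object(rule_source('ObjectScopeRule'))
  {
    inline_nested_in_repo: DemoRuleRepo.const_defined?(:InlineRule, false),
    inline_at_top_level: Object.const_defined?(:InlineRule, false),
    object_scope_at_top_level: Object.const_defined?(:ObjectScopeRule, false)
  }
end

p scope_demo if $PROGRAM_NAME == __FILE__
```

Whatever text reaches either `eval` runs as Ruby with the privileges of the cfn-nag process, so the bucket holding rule files has to be as trusted as the code base itself.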
insecure_parameter?(cfn_model, key_to_check)

Returns false if the provided key_to_check is a no-echo parameter without a default value, or a pseudo parameter reference to 'AWS::NoValue'; true otherwise. Only applicable for a hash.

# File lib/cfn-nag/util/enforce_reference_parameter.rb, line 8
def insecure_parameter?(cfn_model, key_to_check)
  # We only want to perform the check against a hash
  return false unless key_to_check.is_a? Hash

  # We don't care if any other intrinsic function is used here. We only want to
  # verify that Ref is being used properly
  return false unless key_to_check.key? 'Ref'

  # Check if the property is a pseudo parameter reference to 'AWS::NoValue'
  return false if key_to_check['Ref'] == 'AWS::NoValue'

  # Run 'no_echo_and_no_default_parameter_check' if the Ref names a parameter
  # declared in the template
  return no_echo_and_no_default_parameter_check(cfn_model, key_to_check) if
    cfn_model.parameters.key? key_to_check['Ref']

  # Otherwise the Ref does not name a declared parameter, so report it as
  # insecure
  true
end
insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)

Returns false if the provided key_to_check is a dynamic reference to SSM Secure or Secrets Manager; true otherwise. Only applicable for a string

# File lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb, line 6
def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
  # We only want to perform the check against a string
  return false unless key_to_check.is_a? String

  # Check if string starts with a Dynamic Reference pointing to SecretsManager
  # or SSM Secure
  # &&
  # Verify that the secure string ends properly with the double curly braces
  if key_to_check.start_with?(
    '{{resolve:secretsmanager:',
    '{{resolve:ssm-secure:'
  ) && key_to_check.end_with?('}}')
    return false
  end

  # Return true if key_to_check is a string and is not calling a secured
  # dynamic reference pattern (Secrets Manager or SSM-Secure)
  true
end
no_echo_and_no_default_parameter_check(cfn_model, key_to_check)

Returns false if the parameter is set up securely by stating NoEcho=true and Default is not present; otherwise returns true.

# File lib/cfn-nag/util/enforce_reference_parameter.rb, line 30
def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
  parameter = cfn_model.parameters[key_to_check['Ref']]
  truthy?(parameter.noEcho) && parameter.default.nil? ? false : true
end
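An added example (not cfn-nag's own code) that runs `insecure_parameter?` and `insecure_string_or_dynamic_reference?` over constructed property values. The helpers are condensed from the methods on this page so the block runs alone; `Param`, `Model`, `insecure_secret_value?` and `classify` are hypothetical names, and combining the two checks with `||` is an assumption about how a rule would use them.

```ruby
# Constructed stand-ins for the parsed template model (not cfn-model's classes).
Param = Struct.new(:noEcho, :default)
Model = Struct.new(:parameters)

# Helpers condensed from this page (no_echo_and_no_default_parameter_check inlined).
def truthy?(string)
  string.to_s.casecmp('true').zero?
end

def insecure_parameter?(cfn_model, key_to_check)
  return false unless key_to_check.is_a?(Hash) && key_to_check.key?('Ref')
  return false if key_to_check['Ref'] == 'AWS::NoValue'
  return true unless cfn_model.parameters.key?(key_to_check['Ref'])

  parameter = cfn_model.parameters[key_to_check['Ref']]
  !(truthy?(parameter.noEcho) && parameter.default.nil?)
end

def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
  return false unless key_to_check.is_a? String

  secure = key_to_check.start_with?('{{resolve:secretsmanager:', '{{resolve:ssm-secure:')
  !(secure && key_to_check.end_with?('}}'))
end

# Hypothetical combinator: a rule applying both checks to one property value.
def insecure_secret_value?(cfn_model, value)
  insecure_parameter?(cfn_model, value) || insecure_string_or_dynamic_reference?(cfn_model, value)
end

MODEL = Model.new({
  'DbPassword' => Param.new('true', nil),       # NoEcho, no default
  'Defaulted' => Param.new('true', 'changeme')  # NoEcho, but a default is present
})
SAMPLES = { # constructed property values
  literal: 'hunter2',
  secretsmanager: '{{resolve:secretsmanager:DbSecret:SecretString:password}}',
  ssm_plain: '{{resolve:ssm:/app/db/password:1}}',
  ref_noecho: { 'Ref' => 'DbPassword' },
  ref_defaulted: { 'Ref' => 'Defaulted' },
  ref_undeclared: { 'Ref' => 'Missing' },
  no_value: { 'Ref' => 'AWS::NoValue' },
  join_literal: { 'Fn::Join' => ['', %w[hun ter2]] }
}.freeze

# Maps each sample name to true (flagged as insecure) or false.
def classify
  SAMPLES.transform_values { |value| insecure_secret_value?(MODEL, value) }
end
```

The `ssm_plain` and `join_literal` rows are the ones to note: a plain `ssm` dynamic reference is flagged, while a literal assembled with `Fn::Join` is not, because any hash without a `Ref` key passes.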
not_truthy?(string)
# File lib/cfn-nag/util/truthy.rb, line 9
def not_truthy?(string)
  string.nil? || string.to_s.casecmp('false').zero?
end
truthy?(string)

Checks a string for truthiness. Any cased 'true' will evaluate to a true boolean. Any other string _at all_ results in false.

# File lib/cfn-nag/util/truthy.rb, line 5
def truthy?(string)
  string.to_s.casecmp('true').zero?
end
wildcard_back(input_string, results = [], prepend: '')
# File lib/cfn-nag/util/wildcard_patterns.rb, line 25
def wildcard_back(input_string, results = [], prepend: '')
  return results if input_string.empty?

  results << "#{prepend}#{input_string}*"
  wildcard_back(input_string.chop, results, prepend: prepend)
end
wildcard_front(input_string, results = [])
# File lib/cfn-nag/util/wildcard_patterns.rb, line 32
def wildcard_front(input_string, results = [])
  return results if input_string.empty?

  results << "*#{input_string}"
  wildcard_front(input_string[1..-1], results)
end
wildcard_front_back(input_string, results = [])
# File lib/cfn-nag/util/wildcard_patterns.rb, line 39
def wildcard_front_back(input_string, results = [])
  return results if input_string.empty?

  results += wildcard_back(input_string, prepend: '*')
  wildcard_front_back(input_string[1..-1], results)
end
wildcard_patterns(input, pattern_types: %w[front back both])

Create array of wildcard patterns for a given input string

# File lib/cfn-nag/util/wildcard_patterns.rb, line 5
def wildcard_patterns(input, pattern_types: %w[front back both])
  input_string = input.to_s
  results = [input_string]
  pattern_types.each do |pattern_type|
    case pattern_type
    when 'front'
      results += wildcard_front(input_string)
    when 'back'
      results += wildcard_back(input_string)
    when 'both'
      results += wildcard_front_back(input_string)
    else
      raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
    end
  end
  results + ['*']
end