class Object
Public Instance Methods
Checks a string for being missing, empty, or only containing spaces
# File lib/cfn-nag/util/blank.rb, line 4
# True when +str+ is nil, empty, or made up of whitespace only.
#
# @param str [Object] value to test; anything responding to #to_s
# @return [Boolean]
def blank?(str)
  return true if str.nil?

  str.to_s.strip.empty?
end
This is meta-magic evil. eval apparently has lexical scope so… opening up Object
to evaluate ruby code that contains top-level Class definitions
Without this, the class ends up “under” the scope of the class which in this case would be S3BucketBasedRuleRepo
rubocop:disable Security/Eval
# File lib/cfn-nag/rule_repos/s3_based_rule_repo.rb, line 19
# Evaluates +code+ with Kernel#eval from inside Object, so that any top-level
# class definitions in the string are created on Object instead of being
# nested under the caller's class.
#
# This runs arbitrary Ruby with the full privileges of the process: whoever
# controls the rule source controls the process. Only rule text from an
# origin the operator trusts should ever reach this method, and that trust
# boundary has to be enforced by the caller, not here.
#
# @param code [String] Ruby source to evaluate
# @return [Object] value of the last expression in +code+
# rubocop:disable Security/Eval
def eval_code_in_object_scope(code)
  eval(code)
end
# rubocop:enable Security/Eval
Returns false if the provided key_to_check is a no-echo parameter without a default value, or pseudo parameter reference to 'AWS::NoValue'; true otherwise. Only applicable for a hash
# File lib/cfn-nag/util/enforce_reference_parameter.rb, line 8
# Decides whether a property value is an insecure parameter reference.
#
# Only a Hash of the form {'Ref' => name} is examined:
# - anything that is not a Hash, or a Hash without a 'Ref' key (any other
#   intrinsic function), is out of scope and yields false
# - a Ref to the pseudo parameter 'AWS::NoValue' yields false
# - a Ref to a parameter present in cfn_model.parameters defers to
#   no_echo_and_no_default_parameter_check
# - a Ref to any other name yields true
#
# @param cfn_model [#parameters] model whose +parameters+ hash is consulted
# @param key_to_check [Object] the property value under inspection
# @return [Boolean] true when the reference is considered insecure
def insecure_parameter?(cfn_model, key_to_check)
  return false unless key_to_check.is_a?(Hash) && key_to_check.key?('Ref')

  ref_target = key_to_check['Ref']
  return false if ref_target == 'AWS::NoValue'

  if cfn_model.parameters.key?(ref_target)
    no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
  else
    true
  end
end
Returns false if the provided key_to_check is a dynamic reference to SSM Secure or Secrets Manager; true otherwise. Only applicable for a string
# File lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb, line 6
# Decides whether a String property value is an insecure literal.
#
# A String counts as secure only when it is a dynamic reference into
# Secrets Manager or SSM SecureString, i.e. it starts with
# '{{resolve:secretsmanager:' or '{{resolve:ssm-secure:' and ends with '}}'.
# Every other String yields true. Non-String values are out of scope for
# this check and yield false.
#
# NOTE(review): only the leading prefix and the trailing '}}' are examined,
# so whatever sits between them is not validated here.
#
# @param _cfn_model [Object] unused; kept for signature parity with
#   insecure_parameter?
# @param key_to_check [Object] the property value under inspection
# @return [Boolean]
def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
  return false unless key_to_check.is_a?(String)

  secure_prefixes = ['{{resolve:secretsmanager:', '{{resolve:ssm-secure:']
  secure_reference = key_to_check.start_with?(*secure_prefixes) &&
                     key_to_check.end_with?('}}')

  !secure_reference
end
Returns false if the parameter is set up securely, i.e. NoEcho is true and no Default is present; otherwise returns true
# File lib/cfn-nag/util/enforce_reference_parameter.rb, line 30
# Looks up the template parameter named by key_to_check['Ref'] and reports
# whether it is insecure. The parameter is secure only when its NoEcho is
# truthy? AND its Default is nil; NoEcho with a Default, or a Default
# without NoEcho, is reported as insecure.
#
# The caller must already have confirmed that the parameter exists in
# cfn_model.parameters; an unknown name makes +parameter+ nil and the
# +noEcho+ call raises NoMethodError.
#
# @param cfn_model [#parameters] model whose +parameters+ hash is consulted
# @param key_to_check [Hash] {'Ref' => parameter_name}
# @return [Boolean] false when the parameter is NoEcho with no Default,
#   true otherwise
def no_echo_and_no_default_parameter_check(cfn_model, key_to_check)
  parameter = cfn_model.parameters[key_to_check['Ref']]
  securely_hidden = truthy?(parameter.noEcho) && parameter.default.nil?

  !securely_hidden
end
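# File lib/cfn-nag/util/truthy.rb, line 9
# True when +string+ is nil or reads as 'false' in any letter case
# (compared via #to_s, so the boolean false also qualifies).
#
# Note the asymmetry with truthy?: a value such as 'maybe' is neither
# truthy? nor not_truthy?.
#
# @param string [Object] value to test
# @return [Boolean]
def not_truthy?(string)
  return true if string.nil?

  # casecmp? instead of casecmp(...).zero?: casecmp returns nil when the
  # two strings have incompatible encodings, and nil.zero? raises
  # NoMethodError. casecmp? returns nil in that case, which we fold to false.
  string.to_s.casecmp?('false') || false
end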
Checks a string for truthiness. Any cased 'true' will evaluate to a true boolean. Any other string _at all_ results in false.
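# File lib/cfn-nag/util/truthy.rb, line 5
# True only when +string+ reads as 'true' in any letter case (compared via
# #to_s, so the boolean true also qualifies). Any other value at all,
# including nil, 'yes' or '1', yields false.
#
# @param string [Object] value to test
# @return [Boolean]
def truthy?(string)
  # casecmp? instead of casecmp(...).zero?: casecmp returns nil when the
  # two strings have incompatible encodings, and nil.zero? raises
  # NoMethodError. casecmp? returns nil in that case, which we fold to false.
  string.to_s.casecmp?('true') || false
end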
# File lib/cfn-nag/util/wildcard_patterns.rb, line 25
# Appends to +results+ every leading prefix of +input_string+ followed by
# '*', longest first: 'abc' gives 'abc*', 'ab*', 'a*'. Each entry is
# preceded by +prepend+. The +results+ array passed in is mutated and
# returned; an empty +input_string+ returns it untouched.
#
# @param input_string [String]
# @param results [Array<String>] accumulator, mutated in place
# @param prepend [String] text placed before every pattern
# @return [Array<String>] +results+
def wildcard_back(input_string, results = [], prepend: '')
  remaining = input_string
  until remaining.empty?
    results << "#{prepend}#{remaining}*"
    # String#chop drops a trailing "\r\n" as one unit, so that pair counts
    # as a single character when shortening.
    remaining = remaining.chop
  end
  results
end
# File lib/cfn-nag/util/wildcard_patterns.rb, line 32
# Appends to +results+ every trailing suffix of +input_string+ preceded by
# '*', longest first: 'abc' gives '*abc', '*bc', '*c'. The +results+ array
# passed in is mutated and returned; an empty +input_string+ returns it
# untouched.
#
# @param input_string [String]
# @param results [Array<String>] accumulator, mutated in place
# @return [Array<String>] +results+
def wildcard_front(input_string, results = [])
  remaining = input_string
  until remaining.empty?
    results << "*#{remaining}"
    remaining = remaining[1..-1]
  end
  results
end
# File lib/cfn-nag/util/wildcard_patterns.rb, line 39
# Builds every '*'-wrapped substring pattern of +input_string+: for each
# suffix of the input, all of wildcard_back's patterns with '*' prepended.
# 'ab' gives '*ab*', '*a*', '*b*'.
#
# Unlike wildcard_front/wildcard_back, the +results+ array passed in is not
# mutated; a new array is returned.
#
# @param input_string [String]
# @param results [Array<String>] starting contents of the returned array
# @return [Array<String>]
def wildcard_front_back(input_string, results = [])
  remaining = input_string
  until remaining.empty?
    results += wildcard_back(remaining, prepend: '*')
    remaining = remaining[1..-1]
  end
  results
end
Create array of wildcard patterns for a given input string
# File lib/cfn-nag/util/wildcard_patterns.rb, line 5
# Builds the list of wildcard patterns for +input+: the input itself
# (via #to_s), then the patterns for each requested type in the order
# given, then the bare '*'.
#
# @param input [#to_s] value whose string form is expanded
# @param pattern_types [Array<String>] any of 'front', 'back', 'both'
# @return [Array<String>]
# @raise [RuntimeError] when +pattern_types+ contains an unknown type
def wildcard_patterns(input, pattern_types: %w[front back both])
  input_string = input.to_s

  expansions = pattern_types.flat_map do |pattern_type|
    case pattern_type
    when 'front' then wildcard_front(input_string)
    when 'back' then wildcard_back(input_string)
    when 'both' then wildcard_front_back(input_string)
    else
      raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
    end
  end

  [input_string] + expansions + ['*']
end