Merge pull request #22 from mxlint/new-rules-project-settings-security-bza

Author: xiwenc

rules/001_project_settings/001_0007_hash_algorithm.rego

@@ -0,0 +1,39 @@
+# METADATA
+# scope: package
+# title: Hash algorithm
+# description: Hashs algorithms BCrypt and SSHA256 are considered to be the safest for data encryption.
+# authors:
+# - Bart Zantingh <bart.zantingh@nl.abnamro.com>
+# related_resources:
+# - https://docs.mendix.com/refguide/security#hashing-algorithms
+# custom:
+#  category: Security
+#  rulename: HashAlgorithm
+#  severity: HIGH
+#  rulenumber: "001_0007"
+#  remediation: Set the app's hash algorithm (App Settings > Runtime) to BCrypt or SSHA256.
+#  input: "Settings$ProjectSettings.yaml"
+package app.mendix.project_settings.hash_algorithm
+
+import rego.v1
+
+annotation := rego.metadata.chain()[1].annotations
+
+default allow := false
+
+allow if count(errors) == 0
+
+errors contains error if {
+	not input.Settings.HashAlgorithm == "BCrypt"
+	not input.Settings.HashAlgorithm == "SSHA256"
+
+	error := sprintf(
+		"[%v, %v, %v] The application uses the %v hash algorithm, which is not recommended",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			input.Settings.HashAlgorithm,
+		],
+	)
+}

rules/001_project_settings/001_0007_hash_algorithm_test.rego

@@ -0,0 +1,36 @@
+package app.mendix.project_settings.hash_algorithm_test
+
+import data.app.mendix.project_settings.hash_algorithm
+import rego.v1
+
+# Test data
+bcrypt := {"Settings": {
+	"$Type": "Settings$ModelSettings",
+	"HashAlgorithm": "BCrypt",
+}}
+
+ssha256 := {"Settings": {
+	"$Type": "Settings$ModelSettings",
+	"HashAlgorithm": "SSHA256",
+}}
+
+sha256 := {"Settings": {
+	"$Type": "Settings$ModelSettings",
+	"HashAlgorithm": "SHA256",
+}}
+
+md5 := {"Settings": {
+	"$Type": "Settings$ModelSettings",
+	"HashAlgorithm": "MD5",
+}}
+
+# Test cases
+test_should_allow_when_build_version_in_allowed_list if {
+	hash_algorithm.allow with input as bcrypt
+	hash_algorithm.allow with input as ssha256
+}
+
+test_should_deny_when_build_version_not_in_allowed_list if {
+	not hash_algorithm.allow with input as sha256
+	not hash_algorithm.allow with input as md5
+}

rules/001_project_settings/001_0008_check_security_on_user_roles.rego

@@ -0,0 +1,37 @@
+# METADATA
+# scope: package
+# title: Check security on user roles
+# description: Security should be checked for each user role, to make sure users can only access the minimum amount of data
+# authors:
+# - Bart Zantingh <bart.zantingh@nl.abnamro.com>
+# custom:
+#  category: Security
+#  rulename: CheckSecurityOnUserRoles
+#  severity: HIGH
+#  rulenumber: "001_0008"
+#  remediation: Check security for all user roles
+#  input: "Security$ProjectSecurity.yaml"
+package app.mendix.project_settings.check_security_on_user_roles
+
+import rego.v1
+
+annotation := rego.metadata.chain()[1].annotations
+
+default allow := false
+
+allow if count(errors) == 0
+
+errors contains error if {
+	some user_role in input.UserRoles
+	not user_role.CheckSecurity
+
+	error := sprintf(
+		"[%v, %v, %v] User role %v is not checked for security",
+		[
+			annotation.custom.severity,
+			annotation.custom.category,
+			annotation.custom.rulenumber,
+			user_role.Name,
+		],
+	)
+}

rules/001_project_settings/001_0008_check_security_on_user_roles_test.rego

@@ -0,0 +1,24 @@
+package app.mendix.project_settings.check_security_on_user_roles_test
+
+import data.app.mendix.project_settings.check_security_on_user_roles
+import rego.v1
+
+# Test data
+check_for_security := {"UserRoles": [{
+	"CheckSecurity": true,
+	"Name": "Administrator",
+}]}
+
+not_check_for_security := {"UserRoles": [{
+	"CheckSecurity": false,
+	"Name": "Administrator",
+}]}
+
+# Test cases
+test_should_allow_when_checking_user_roles_for_security if {
+	check_security_on_user_roles.allow with input as check_for_security
+}
+
+test_should_deny_when_not_checking_user_roles_for_security if {
+	not check_security_on_user_roles.allow with input as not_check_for_security
+}