String comparisons fail to handle Intrinsic functions
We are experiencing a synthesis failure due to an unhandled error from the NIST SP 800-53 checks; however, this code seems to be partially duplicated between HIPAA and AWS Solutions as well. Specifically, it looks like our VPC stack currently is the source of the issue and the underlying error is from src/NIST-800-53/rules/ec2/nist80053EC2CheckSSHRestricted.ts:
```
/home/klaker/Documents/ccpo/atat-web-api/node_modules/cdk-nag/src/NIST-800-53/rules/ec2/nist80053EC2CheckSSHRestricted.ts:22
          resolvedRule.cidrIp.includes('/0')) ||
                              ^
TypeError: resolvedRule.cidrIp.includes is not a function
    at Object.default_1 (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/cdk-nag/src/NIST-800-53/rules/ec2/nist80053EC2CheckSSHRestricted.ts:22:33)
    at NIST80053Checks.checkEC2 (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/cdk-nag/src/NIST-800-53/nist-800-53.ts:399:8)
    at NIST80053Checks.visit (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/cdk-nag/src/NIST-800-53/nist-800-53.ts:102:12)
    at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:110:14)
    at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
    at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
    at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
    at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
    at recurse (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:125:9)
    at invokeAspects (/home/klaker/Documents/ccpo/atat-web-api/infrastructure/node_modules/@aws-cdk/core/lib/private/synthesis.ts:95:3)
```
This seems to be because in this case `resolvedRule.cidrIp` is an object (not a string), with the value `{ Fn::GetAtt: [ "VpcLogicalId", "CidrBlock" ] }`. Without cdk-nag, the stack synthesizes and deploys without issue; however, the relevant snippet from the template seems to be the following; if I just add a `console.log` in to print `resolvedRule.cidrIp`, the value of `CidrIp` seen below is what gets printed.
```json
"SecurityGroupIngress": [
  {
    "CidrIp": {
      "Fn::GetAtt": [
        "AtatVpc28460212",
        "CidrBlock"
      ]
    },
    "Description": {
      "Fn::Join": [
        "",
        [
          "from ",
          {
            "Fn::GetAtt": [
              "AtatVpc28460212",
              "CidrBlock"
            ]
          },
          ":443"
        ]
      ]
    },
    "FromPort": 443,
    "IpProtocol": "tcp",
    "ToPort": 443
  }
],
```
This was encountered with cdk-nag v0.0.114 as well as 0.0.98 and with CDK v1.124.0 and v1.125.0.
The full output of synthesis (without running cdk-nag) is available as a workflow artifact at https://github.com/dod-ccpo/atat-web-api/suites/3921230865/artifacts/98054835. The workflow run with the error during synthesis is available at https://github.com/dod-ccpo/atat-web-api/runs/3757681913?check_suite_focus=true#step:9:83.
If there’s information that’d be useful that I didn’t include, I am happy to do so. This library has been super helpful to start building towards compliance with best practices early on!
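The failure above comes from calling a string method on a `CidrIp` that is still a CloudFormation intrinsic at synthesis time. The following is an added example, not cdk-nag's own rule code, of how such a check can be written so that an unresolvable value is reported as a distinct verdict instead of crashing synthesis (and, since the comments on the page note that equality comparisons on integer fields have the same problem, the port fields are handled the same way). The `IngressRule` shape, the `Verdict` names and the sample rules are assumptions for the example.

```typescript
// Added example (not cdk-nag code): defensive "is SSH reachable from the world" check.
// A synthesized template can carry intrinsic functions such as
// { "Fn::GetAtt": ["Vpc...", "CidrBlock"] } where a plain string or number was expected.

type IntrinsicFn = Record<string, unknown>;

// Simplified stand-in for a resolved SecurityGroupIngress entry (assumption).
interface IngressRule {
  cidrIp?: string | IntrinsicFn;
  cidrIpv6?: string | IntrinsicFn;
  ipProtocol?: string | IntrinsicFn;
  fromPort?: number | string | IntrinsicFn;
  toPort?: number | string | IntrinsicFn;
}

// 'open'         -> a world-reachable CIDR covers port 22
// 'restricted'   -> the rule provably does not expose port 22 to the world
// 'unresolvable' -> a deploy-time token prevents a decision; report, do not crash
type Verdict = 'open' | 'restricted' | 'unresolvable';

// CloudFormation intrinsics appear as an object with a single "Ref" or "Fn::*" key.
function isIntrinsic(value: unknown): value is IntrinsicFn {
  if (typeof value !== 'object' || value === null) return false;
  const keys = Object.keys(value);
  return keys.length === 1 && (keys[0] === 'Ref' || keys[0].startsWith('Fn::'));
}

// Ports may be numbers, numeric strings, or intrinsics; only the first two are decidable.
function toNumber(value: unknown): number | undefined {
  if (typeof value === 'number' && Number.isFinite(value)) return value;
  if (typeof value === 'string' && /^-?\d+$/.test(value)) return Number(value);
  return undefined;
}

// The original failing line did `cidrIp.includes('/0')` unconditionally; this version
// only inspects the value once it is known to be a string.
function cidrVerdict(cidr: unknown): Verdict {
  if (cidr === undefined) return 'restricted'; // source is a security group or prefix list
  if (typeof cidr === 'string') return cidr.endsWith('/0') ? 'open' : 'restricted';
  if (isIntrinsic(cidr)) return 'unresolvable';
  return 'unresolvable'; // any other unexpected shape is also not decidable
}

function sshOpenToWorld(rule: IngressRule): Verdict {
  // Protocol "-1" means all traffic regardless of the port fields.
  const allTraffic = rule.ipProtocol === '-1';
  if (!allTraffic) {
    if (isIntrinsic(rule.ipProtocol)) return 'unresolvable';
    const from = toNumber(rule.fromPort);
    const to = toNumber(rule.toPort);
    if (from === undefined || to === undefined) return 'unresolvable';
    const coversSsh = from <= 22 && to >= 22;
    if (!coversSsh) return 'restricted';
  }
  // Port 22 is in scope; now decide on the IPv4 and IPv6 sources.
  const v4 = cidrVerdict(rule.cidrIp);
  const v6 = cidrVerdict(rule.cidrIpv6);
  if (v4 === 'open' || v6 === 'open') return 'open';
  if (v4 === 'unresolvable' || v6 === 'unresolvable') return 'unresolvable';
  return 'restricted';
}

// Constructed sample rules mirroring the shapes discussed on the page.
const vpcCidrToken: IntrinsicFn = { 'Fn::GetAtt': ['AtatVpc28460212', 'CidrBlock'] };

const samples: Record<string, IngressRule> = {
  httpsFromVpc: { cidrIp: vpcCidrToken, ipProtocol: 'tcp', fromPort: 443, toPort: 443 },
  sshFromVpc: { cidrIp: vpcCidrToken, ipProtocol: 'tcp', fromPort: 22, toPort: 22 },
  sshFromWorld: { cidrIp: '0.0.0.0/0', ipProtocol: 'tcp', fromPort: '22', toPort: '22' },
  sshFromOffice: { cidrIp: '10.0.0.0/16', ipProtocol: 'tcp', fromPort: 22, toPort: 22 },
  allFromWorldV6: { cidrIpv6: '::/0', ipProtocol: '-1' },
};

function evaluateSamples(): Record<string, Verdict> {
  const out: Record<string, Verdict> = {};
  for (const [name, rule] of Object.entries(samples)) out[name] = sshOpenToWorld(rule);
  return out;
}

console.log(evaluateSamples());
```

The important design choice is the third verdict: a rule whose CIDR is a `Fn::GetAtt` to a VPC's `CidrBlock` is not world-open, but a linter cannot prove that at synthesis time, so it should surface the rule for review rather than either crash or silently pass it.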
Issue Analytics
- State:
- Created 2 years ago
- Comments: 5
Top GitHub Comments
That took care of it for us! Thanks for the quick fix!
I’m leaning toward something relating to the latter since equality comparisons can occur with other types like integers as well