fix: AwsSolutions-APIG4 triggers for CORS preflight endpoints #1816
Conversation
|
I thinks it's better to keep the current implementation of the rule and add additional information on the description that it may not apply to pre-flight endpoints Instead of marking all While not ideal I'd rather users suppress false positives instead of opening up the rule for false negatives |
|
I'm alright with updating the description, but I would rather update the check as it is affecting a built-in feature of CDK. If all we are concerned about is false negatives, then could we take the other approach of matching the built-in CORS feature by matching against the |
|
Perhaps we could be a bit more generic and check the above |
|
I've just updated the check to match the If you still think it's better to leave it then I'm happy to revert and just change the description. However, I did try and come up with an exemption config which only exempts |
You can mark that specific case as NagRuleCompliance.NOT_APPLICABLE |
test/rules/APIGW.test.ts
Outdated
| @@ -193,7 +194,11 @@ describe('Amazon API Gateway', () => { | |||
| }); | |||
| validateStack(stack, ruleId, TestType.NON_COMPLIANCE); | |||
| }); | |||
| test('Compliance', () => { | |||
| test('Noncompliance 3', () => { | |||
| new RestApi(stack, 'rRestApi').root.addMethod('OPTIONS'); | |||
There was a problem hiding this comment.
Please remove the r prefix from the resource names. That's a legacy naming convention that I'd like to remove from the code base
There was a problem hiding this comment.
Done, I've just removed it from the tests within the describe block, let me know if you want it removed for the whole file.
|
Thanks for contributing! 🎉 |
Fixes #1815.
Currently this PR just marks all
OPTIONSmethods as compliant. I'm not sure the best way to narrow this down to specifically CORS preflight endpoints. We could try and match the template that CDK generates through itsaddCorsPreflightmethod, but that won't include any custom preflight endpoints which people may be using, and any changes to the CDK template may break our checks here.I took a look at the MDN docs for the
OPTIONSmethod, and it seems like it has limited use cases outside of CORS. Perhaps we can mark them all as compliant?Here is the CloudFormation CfnMethod template which CDK generates when using the following code:
{ "apiKeyRequired": false, "authorizationType": "NONE", "httpMethod": "OPTIONS", "integration": { "type": "MOCK", "requestTemplates": { "application/json": "{ statusCode: 200 }" }, "integrationResponses": [ { "statusCode": "204", "responseParameters": { "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'", "method.response.header.Access-Control-Allow-Origin": "'*'", "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'" } } ] }, "methodResponses": [ { "statusCode": "204", "responseParameters": { "method.response.header.Access-Control-Allow-Headers": true, "method.response.header.Access-Control-Allow-Origin": true, "method.response.header.Access-Control-Allow-Methods": true } } ], "resourceId": { "Fn::GetAtt": ["Test", "RootResourceId"] }, "restApiId": { "Ref": "Test" } }