aquasecurity · mehakseedat63 · Feb 19, 2024 · Jan 26, 2024 · Jan 26, 2024 · Jan 26, 2024
diff --git a/exports.js b/exports.js
@@ -1010,6 +1010,7 @@ module.exports = {
         'agSslPolicy'                   : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'),
         'agPreventionModeEnabled'       : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'),        
         'agRequestBodyInspection'       : require(__dirname + '/plugins/azure/applicationGateway/agRequestBodyInspection'),
+        'agRequestBodySize'             : require(__dirname + '/plugins/azure/applicationGateway/agRequestBodySize.js'),
 
         'subscriptionHasTags'           : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'),
 

diff --git a/plugins/azure/applicationGateway/agRequestBodySize.js b/plugins/azure/applicationGateway/agRequestBodySize.js
@@ -0,0 +1,62 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Application Gateway Request Body Size',
+    category: 'Application Gateway',
+    domain: 'Network Access Control',
+    description: 'Ensures that Application Gateway WAF policy have desired request body size configured.',
+    more_info: 'Application Gateway WAF policy includes a maximum request body size field, specified in kilobytes. This setting controls the overall request size limit, excluding any file uploads. Configuring an appropriate value for this field is crucial for optimizing security and performance.',
+    recommended_action: 'Modify application gateway WAF policy and set the max body size to desired value.',
+    link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits',
+    apis: ['wafPolicies:listAll'],
+    settings: {
+        max_request_body_size: {
+            name: 'Max Request Body Size',
+            description: 'The default value for request body size is 128 KB. The setting checks for request body size and produces pass result if it is greater than or equal to the desired value.',
+            regex: '^(12[8-9]|1[3-9]{1,2}|2000)$',
+            default: '128',
+        },
+    },
+    realtime_triggers: ['microsoftnetwork:applicationgatewaywebapplicationfirewallpolicies:write', 'microsoftnetwork:applicationgatewaywebapplicationfirewallpolicies:delete'],
+
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+        var config = {
+            max_request_body_size: settings.max_request_body_size || this.settings.max_request_body_size.default,
+        };
+
+        async.each(locations.wafPolicies, (location, rcb) => {
+
+            var wafPolicies = helpers.addSource(cache, source,
+                ['wafPolicies', 'listAll', location]);
+
+            if (!wafPolicies) return rcb();
+
+            if (wafPolicies.err || !wafPolicies.data) {
+                helpers.addResult(results, 3, 'Unable to query for Application Gateway WAF policies: ' + helpers.addError(wafPolicies), location);
+                return rcb();
+            }
+            if (!wafPolicies.data.length) {
+                helpers.addResult(results, 0, 'No existing WAF policies found', location);
+                return rcb();
+            }
+
+            for (let policy of wafPolicies.data) {
+                if (!policy.id) continue;
+                var maxRequestBodySize = config.max_request_body_size;
+                if (policy.policySettings && policy.policySettings.maxRequestBodySizeInKb && policy.policySettings.maxRequestBodySizeInKb <= maxRequestBodySize) {
+                    helpers.addResult(results, 0, `Application gateway WAF policy has max request body size of ${policy.policySettings.maxRequestBodySizeInKb} which is less than or equal to ${maxRequestBodySize}`, location, policy.id);
+                } else {
+                    helpers.addResult(results, 2, `Application gateway WAF policy has max request body size of ${policy.policySettings.maxRequestBodySizeInKb} which is greater than ${maxRequestBodySize}`, location, policy.id);
+                }
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/applicationGateway/agRequestBodySize.spec.js b/plugins/azure/applicationGateway/agRequestBodySize.spec.js
@@ -0,0 +1,123 @@
+var expect = require('chai').expect;
+var agRequestBodySize = require('./agRequestBodySize.js');
+
+const wafPolicy = [
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies',
+        "type": 'Microsoft.Network/waf',
+        "tags": { "key": "value" },
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": true,
+        "policySettings":{
+            "mode": "prevention",
+            "requestBodyCheck": true,
+            "maxRequestBodySizeInKb": 128
+        }
+    },
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies',
+        "type": 'Microsoft.Network/waf',
+        "tags": {},
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": false,
+        "policySettings":{
+            "mode": "prevention",
+            "requestBodyCheck": true,
+            "maxRequestBodySizeInKb": 800
+
+        }
+    },
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies',
+        "type": 'Microsoft.Network/waf',
+        "tags": {},
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": false,
+        "policySettings":{
+            "mode": "prevention",
+            "requestBodyCheck": false,
+            "maxRequestBodySizeInKb": 128
+
+        }
+    },
+];
+
+const createCache = (waf) => {
+    return {
+        wafPolicies: {
+            listAll: {
+                'eastus': {
+                    data: waf
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        wafPolicies: {
+            listAll: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('agRequestBodySize', function() {
+    describe('run', function() {
+        it('should give passing result if no WAF policy found', function(done) {
+            const cache = createCache([]);
+            agRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing WAF policies found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if Unable to query for WAF policy', function(done) {
+            const cache = createErrorCache();
+            agRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Application Gateway WAF policies');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if Application gateway WAF policy has max request body size of 128 - without setting', function(done) {
+            const cache = createCache([wafPolicy[0]]);
+            agRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Application gateway WAF policy has max request body size of 128 which is less than or equal to 128');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if Application gateway WAF policy has max request body size greater than 500 - with setting', function(done) {
+            const cache = createCache([wafPolicy[1]]);
+            agRequestBodySize.run(cache, {max_request_body_size: 500}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Application gateway WAF policy has max request body size of 800 which is greater than 500');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+    });
+});