aquasecurity · mehakseedat63 · Feb 19, 2024 · Jan 26, 2024 · Jan 26, 2024 · Jan 26, 2024
diff --git a/exports.js b/exports.js
@@ -1010,6 +1010,7 @@ module.exports = {
         'agSslPolicy'                   : require(__dirname + '/plugins/azure/applicationGateway/agSslPolicy'),
         'agPreventionModeEnabled'       : require(__dirname + '/plugins/azure/applicationGateway/agPreventionModeEnabled.js'),        
         'agRequestBodyInspection'       : require(__dirname + '/plugins/azure/applicationGateway/agRequestBodyInspection'),
+        'agMaxRequestBodySize'          : require(__dirname + '/plugins/azure/applicationGateway/agMaxRequestBodySize.js'),
 
         'subscriptionHasTags'           : require(__dirname + '/plugins/azure/subscription/subscriptionHasTags.js'),
 

diff --git a/plugins/azure/applicationGateway/agMaxRequestBodySize.js b/plugins/azure/applicationGateway/agMaxRequestBodySize.js
@@ -0,0 +1,66 @@
+const async = require('async');
+const helpers = require('../../../helpers/azure');
+
+module.exports = {
+    title: 'Application Gateway Max Request Body',
+    category: 'Application Gateway',
+    domain: 'Network Access Control',
+    description: 'Ensures that Application Gateway WAF policy have desired request body size configured.',
+    more_info: 'Application Gateway WAF policy includes a maximum request body size field, specified in kilobytes. This setting controls the overall request size limit, excluding any file uploads. Configuring an appropriate value for this field is crucial for optimizing security and performance.',
+    recommended_action: 'Modify application gateway WAF policy, enable request body inspection and set the desired request body size.',
+    link: 'https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits',
+    apis: ['wafPolicies:listAll'],
+    settings: {
+        max_request_body_size: {
+            name: 'Max request body size',
+            description: 'The default value for request body size is 128.',
+            regex: '^(12[8-9]|1[3-9]{1,2}|2000)$',
+            default: '128',
+        },
+    },
+    run: function(cache, settings, callback) {
+        const results = [];
+        const source = {};
+        const locations = helpers.locations(settings.govcloud);
+        var config = {
+            max_request_body_size: settings.max_request_body_size || this.settings.max_request_body_size.default,
+        };
+
+        async.each(locations.wafPolicies, (location, rcb) => {
+
+            var wafPolicies = helpers.addSource(cache, source,
+                ['wafPolicies', 'listAll', location]);
+
+            if (!wafPolicies) return rcb();
+
+            if (wafPolicies.err || !wafPolicies.data) {
+                helpers.addResult(results, 3, 'Unable to query for Application Gateway WAF policies: ' + helpers.addError(wafPolicies), location);
+                return rcb();
+            }
+            if (!wafPolicies.data.length) {
+                helpers.addResult(results, 0, 'No existing WAF policies found', location);
+                return rcb();
+            }
+
+            for (let policy of wafPolicies.data) {
+                if (!policy.id) continue;
+                var maxRequestBodySize = config.max_request_body_size;
+                var bodyInspection = policy.policySettings && policy.policySettings.requestBodyCheck ? policy.policySettings.requestBodyCheck : false;
+                if (bodyInspection) {
+                    if (policy.policySettings && policy.policySettings.maxRequestBodySizeInKb && policy.policySettings.maxRequestBodySizeInKb >= maxRequestBodySize) {
+                        helpers.addResult(results, 0, `Application gateway WAF policy has max request body size of ${maxRequestBodySize}`, location, policy.id);
+                    } else {
+                        helpers.addResult(results, 2, `Application gateway WAF policy has max request body size of ${policy.policySettings.maxRequestBodySizeInKb} which is less than ${maxRequestBodySize}`, location, policy.id);
+                    }
+                } else {
+                    helpers.addResult(results, 0, 'Request Body Inspection is not enabled for WAF policy', location, policy.id);
+                }
+
+            }
+
+            rcb();
+        }, function() {
+            callback(null, results, source);
+        });
+    }
+};
diff --git a/plugins/azure/applicationGateway/agMaxRequestBodySize.spec.js b/plugins/azure/applicationGateway/agMaxRequestBodySize.spec.js
@@ -0,0 +1,134 @@
+var expect = require('chai').expect;
+var agMaxRequestBodySize = require('./agMaxRequestBodySize.js');
+
+const wafPolicy = [
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies',
+        "type": 'Microsoft.Network/waf',
+        "tags": { "key": "value" },
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": true,
+        "policySettings":{
+            "mode": "prevention",
+            "requestBodyCheck": true,
+            "maxRequestBodySizeInKb": 128
+        }
+    },
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies',
+        "type": 'Microsoft.Network/waf',
+        "tags": {},
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": false,
+        "policySettings":{
+            "mode": "prevention",
+            "requestBodyCheck": true,
+            "maxRequestBodySizeInKb": 200
+
+        }
+    },
+    {
+        "name": 'test-vnet',
+        "id": '/subscriptions/123/resourceGroups/aqua-resource-group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies',
+        "type": 'Microsoft.Network/waf',
+        "tags": {},
+        "location": 'eastus',
+        "provisioningState": 'Succeeded',
+        "virtualNetworkPeerings": [],
+        "enableDdosProtection": false,
+        "policySettings":{
+            "mode": "prevention",
+            "requestBodyCheck": false,
+            "maxRequestBodySizeInKb": 128
+
+        }
+    },
+];
+
+const createCache = (waf) => {
+    return {
+        wafPolicies: {
+            listAll: {
+                'eastus': {
+                    data: waf
+                }
+            }
+        }
+    };
+};
+
+const createErrorCache = () => {
+    return {
+        wafPolicies: {
+            listAll: {
+                'eastus': {}
+            }
+        }
+    };
+};
+
+describe('agMaxRequestBodySize', function() {
+    describe('run', function() {
+        it('should give passing result if no WAF policy found', function(done) {
+            const cache = createCache([]);
+            agMaxRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('No existing WAF policies found');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give unknown result if Unable to query for WAF policy', function(done) {
+            const cache = createErrorCache();
+            agMaxRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(3);
+                expect(results[0].message).to.include('Unable to query for Application Gateway WAF policies');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if Application gateway WAF policy does not have request body inspection enabled', function(done) {
+            const cache = createCache([wafPolicy[2]]);
+            agMaxRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Request Body Inspection is not enabled for WAF policy');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give passing result if Application gateway WAF policy has max request body size of 128 - without setting', function(done) {
+            const cache = createCache([wafPolicy[0]]);
+            agMaxRequestBodySize.run(cache, {}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(0);
+                expect(results[0].message).to.include('Application gateway WAF policy has max request body size of 128');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+        it('should give failing result if Application gateway WAF policy has max request body size less than 500 - with setting', function(done) {
+            const cache = createCache([wafPolicy[1]]);
+            agMaxRequestBodySize.run(cache, {max_request_body_size: 500}, (err, results) => {
+                expect(results.length).to.equal(1);
+                expect(results[0].status).to.equal(2);
+                expect(results[0].message).to.include('Application gateway WAF policy has max request body size of 200 which is less than 500');
+                expect(results[0].region).to.equal('eastus');
+                done();
+            });
+        });
+
+    });
+});