
arm-ttk does not flag default passwords #770

Open raouche opened 7 months ago

raouche commented 7 months ago

arm-ttk version: 0.24

Scenarios:

  1. A PasswordBox control has its defaultValue set to a certain value.
  2. A CredentialsCombo (Windows or Linux) control has its defaultValue.password set to a certain value.

Problem: arm-ttk does not flag either default-password scenario, even though it already flags a `defaultValue` on a `Microsoft.Compute.UserNameTextBox`. A hard-coded default password is considerably more dangerous than a default username: it is a credential shipped inside the published CreateUiDefinition, and in the sample below it is wired straight through to the template via `outputs` (`Password1`–`Password3`), so any customer who accepts the pre-filled value deploys a VM with a password that is known to everyone who can read the offer's artifacts. Nothing in the portal stops this — the default `ThisIsADefaultPAssword` satisfies the control's own `^[a-zA-Z0-9]{12,}$` constraint, and the `CredentialsCombo` controls have no constraint at all. The existing UserNameTextBox check should be extended to cover `defaultValue` on `Microsoft.Common.PasswordBox` and `defaultValue.password` on `Microsoft.Compute.CredentialsCombo` (both Windows and Linux).

Sample CreateUiDefinition (CUID) that reproduces all three cases (the default passwords are intentionally present to demonstrate the gap):

{
  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
  "handler": "Microsoft.Azure.CreateUIDef",
  "version": "0.1.2-preview",
  "parameters": {
    "basics": [
      {
        "constraints": {
          "regex": "^[a-zA-Z0-9]{12,}$",
          "validationMessage": "Password must be at least 12 characters long, contain only numbers and letters."
        },
        "defaultValue": "ThisIsADefaultPAssword",
        "label": {
          "confirmPassword": "Confirm password",
          "password": "Password"
        },
        "name": "PasswordBox1",
        "toolTip": "Enter a value.",
        "type": "Microsoft.Common.PasswordBox"
      },
      {
        "defaultValue": {
          "authenticationType": "password",
          "password": "!ThisIsALinuxDefaultPassword1"
        },
        "label": {
          "authenticationType": "Authentication type",
          "confirmPassword": "Confirm password",
          "exisitingKeyDropdown": "Stored Keys",
          "keyPairName": "Key pair name",
          "password": "Password",
          "sshKeySourceDropdown": "SSH public key source",
          "sshPublicKey": "SSH Public Key"
        },
        "name": "CredentialsComboLinux1",
        "osPlatform": "Linux",
        "toolTip": {
          "authenticationType": "Select authentication type.",
          "password": "Enter password.",
          "sshPublicKey": "Specify SSH Public Key."
        },
        "type": "Microsoft.Compute.CredentialsCombo"
      },
      {
        "defaultValue": {
          "password": "!ThisIsAWindowsDefaultPassword1"
        },
        "label": {
          "confirmPassword": "Confirm password",
          "password": "Password"
        },
        "name": "CredentialsComboWindows1",
        "osPlatform": "Windows",
        "toolTip": {
          "password": "Enter password."
        },
        "type": "Microsoft.Compute.CredentialsCombo"
      }
    ],
    "steps": [],
    "outputs": {
      "location": "[location()]",
      "Password1": "[basics('PasswordBox1')]",
      "Password2": "[basics('CredentialsComboLinux1').password]",
      "Password3": "[basics('CredentialsComboWindows1').password]"
    }
  },
  "metadata": {
    "_generator": {
      "name": "MaestroStudio",
      "sku": "Solo",
      "version": "0.9.0.0",
      "template": {
        "author": "StratusOn",
        "id": "EA622966-CE0C-46E7-841B-73C2E6ED5DEB",
        "description": "A blank Azure Marketplace Managed Application offer."
      }
    },
    "_sync": {
      "offer": {
        "displayName": "My Offer"
      },
      "plan": {
        "displayName": "Plan"
      }
    }
  }
}