You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the example security ingress/egress rules, the only CIDR range that will flag as "open to the world" is the exact string of 0.0.0.0/0. For example, 1.0.0.0/0 is also open to the world, but if I process my template where that's the ingress CIDR, I see:
I am pretty sure if you change the ingress test case to 1.0.0.0/0 it will pass the test when it should fail. EC2/VPC are perfectly happy to accept that as a CIDR, because it is valid syntactically. They will create an ingress CIDR range that, when you do describe-security-groups will show as 0.0.0.0/0.
The same is probably true for IPv6 CIDR ranges (I haven't tested) because it looks like string matching on ::0.
Expected behavior
If we must treat IPv4 CIDRs as strings, can we just match strings that end with /0? That would be be a wee bit more robust.
Ideally we should parse CIDRs as data structures, extract the netmask as an integer, and complain on small numbers like 8 or less.
The text was updated successfully, but these errors were encountered:
Describe the bug
In the example security ingress/egress rules, the only CIDR range that will flag as "open to the world" is the exact string of
0.0.0.0/0
. For example,1.0.0.0/0
is also open to the world, but if I process my template where that's the ingress CIDR, I see:To Reproduce
I am pretty sure if you change the ingress test case to
1.0.0.0/0
it will pass the test when it should fail. EC2/VPC are perfectly happy to accept that as a CIDR, because it is valid syntactically. They will create an ingress CIDR range that, when you dodescribe-security-groups
will show as0.0.0.0/0
.The same is probably true for IPv6 CIDR ranges (I haven't tested) because it looks like string matching on
::0
.Expected behavior
If we must treat IPv4 CIDRs as strings, can we just match strings that end with
/0
? That would be be a wee bit more robust.Ideally we should parse CIDRs as data structures, extract the netmask as an integer, and complain on small numbers like
8
or less.The text was updated successfully, but these errors were encountered: