improve waf rules, ignore file extensions

aws-amplify · Feb 5, 2024 · 5a32e49 · 5a32e49
1 parent 686a390
commit 5a32e49
Showing 1 changed file with 54 additions and 31 deletions.
diff --git a/cdk/src/components/waf.ts b/cdk/src/components/waf.ts
@@ -100,37 +100,9 @@ export class WAF extends wafv2.CfnWebACL {
             sampledRequestsEnabled: true,
           },
         },
-        {
-          name: 'DenyRequestsForSqlFiles',
-          priority: 3,
-          action: {
-            block: {},
-          },
-          statement: {
-            byteMatchStatement: {
-              // if request ends in .sql
-              searchString: '.sql',
-              fieldToMatch: {
-                uriPath: {},
-              },
-              positionalConstraint: 'ENDS_WITH',
-              textTransformations: [
-                {
-                  priority: 0,
-                  type: 'NONE',
-                },
-              ],
-            },
-          },
-          visibilityConfig: {
-            cloudWatchMetricsEnabled: true,
-            metricName: 'MetricForWaf-DenyRequestsForSqlFiles',
-            sampledRequestsEnabled: true,
-          },
-        },
         {
           name: 'DenyRequestsToWpAdmin',
-          priority: 4,
+          priority: 3,
           action: {
             block: {},
           },
@@ -158,7 +130,7 @@ export class WAF extends wafv2.CfnWebACL {
         },
         {
           name: 'DenyRequestsToWpContent',
-          priority: 5,
+          priority: 4,
           action: {
             block: {},
           },
@@ -186,7 +158,7 @@ export class WAF extends wafv2.CfnWebACL {
         },
         {
           name: 'DenyRequestsForSwagger',
-          priority: 6,
+          priority: 5,
           action: {
             block: {},
           },
@@ -214,6 +186,23 @@ export class WAF extends wafv2.CfnWebACL {
         },
       ],
     })
+
+    this.ignoreFileExtension('.sql')
+    this.ignoreFileExtension('.zip')
+    this.ignoreFileExtension('.rar')
+    this.ignoreFileExtension('.axd')
+    this.ignoreFileExtension('.txt')
+    this.ignoreFileExtension('.md')
+    this.ignoreFileExtension('.yml')
+    this.ignoreFileExtension('.tar.gz')
+  }
+
+  private get nextPriority() {
+    const rules = this.rules as wafv2.CfnWebACL.RuleProperty[]
+    return rules.reduce((acc, curr) => {
+      if (acc > curr.priority) return acc
+      else return curr.priority + 1
+    }, 0)
   }
 
   public addAssociation(logicalId: string, resourceArn: string) {
@@ -222,4 +211,38 @@ export class WAF extends wafv2.CfnWebACL {
       webAclArn: this.attrArn,
     })
   }
+
+  public ignoreFileExtension(extension: `.${string}`) {
+    const display = extension.replace(/^\./, '')
+    const rules = this.rules as wafv2.CfnWebACL.RuleProperty[]
+
+    rules.push({
+      name: `DenyRequestsFor${display}Files`,
+      priority: this.nextPriority,
+      action: {
+        block: {},
+      },
+      statement: {
+        byteMatchStatement: {
+          // if request ends in .zip
+          searchString: extension,
+          fieldToMatch: {
+            uriPath: {},
+          },
+          positionalConstraint: 'ENDS_WITH',
+          textTransformations: [
+            {
+              priority: 0,
+              type: 'NONE',
+            },
+          ],
+        },
+      },
+      visibilityConfig: {
+        cloudWatchMetricsEnabled: true,
+        metricName: `MetricForWaf-DenyRequestsFor${display}Files`,
+        sampledRequestsEnabled: true,
+      }, 
+    })
+  }
 }