chore: rename zone records checks and add docstrings

HugoPBrito
2026-01-14 13:17:25 +01:00
parent a6860ffa7d
commit d693a34747
14 changed files with 216 additions and 102 deletions


@@ -5,7 +5,26 @@ from prowler.providers.cloudflare.services.dns.dns_client import dns_client
class dns_record_cname_target_valid(Check):
"""Ensure that CNAME records point to valid, resolvable targets.
Dangling CNAME records that point to non-existent or unresolvable targets pose
a significant security risk known as subdomain takeover. Attackers can claim
the orphaned target resource and serve malicious content under your domain,
potentially leading to phishing attacks, cookie theft, and reputation damage.
"""
def execute(self) -> list[CheckReportCloudflare]:
"""Execute the CNAME target validation check.
Iterates through all CNAME DNS records and attempts to resolve their
targets using DNS lookup. Records pointing to unresolvable targets
are flagged as potential subdomain takeover risks.
Returns:
A list of CheckReportCloudflare objects with PASS status if the
CNAME target resolves successfully, or FAIL status if the target
cannot be resolved (dangling CNAME).
"""
findings = []
for record in dns_client.records:
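Review bot: The Returns section of the `execute` docstring treats "resolves successfully" as PASS, which overstates what a DNS lookup can establish about subdomain takeover. A CNAME target can keep resolving while the resource behind it is no longer owned, and a lookup failure can be transient or specific to the resolver the scan runs on. I would add a sentence such as `PASS only means the target resolved from the scanning host at scan time; it does not confirm that the target resource is still owned.` The body of `execute` continues outside this hunk, so how timeouts and resolver errors are classified is not visible here and should be stated too.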


@@ -5,7 +5,27 @@ from prowler.providers.cloudflare.services.dns.dns_client import dns_client
class dns_record_no_internal_ip(Check):
"""Ensure that DNS records do not expose internal or private IP addresses.
Public DNS records should only contain publicly routable IP addresses.
Exposing internal, private, loopback, or link-local addresses in DNS records
can leak information about internal network infrastructure, potentially
aiding attackers in reconnaissance and targeted attacks against internal
systems.
"""
def execute(self) -> list[CheckReportCloudflare]:
"""Execute the internal IP address exposure check.
Iterates through all A and AAAA DNS records and checks if they contain
private, loopback, link-local, or reserved IP addresses that should not
be exposed publicly.
Returns:
A list of CheckReportCloudflare objects with PASS status if the
record points to a public IP address, or FAIL status if it exposes
an internal IP address.
"""
findings = []
for record in dns_client.records:
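Review bot: The class docstring lists "internal, private, loopback, or link-local" addresses while the `execute` docstring lists "private, loopback, link-local, or reserved", so the two descriptions of the FAIL condition disagree. Whichever set the loop actually tests should appear identically in both, for example `private, loopback, link-local, or reserved` in the class docstring as well. The loop body is outside this hunk, so it is also worth saying in Returns how a record whose content does not parse as an IP address is reported.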


@@ -3,7 +3,26 @@ from prowler.providers.cloudflare.services.dns.dns_client import dns_client
class dns_record_no_wildcard(Check):
"""Ensure that wildcard DNS records are not configured for the zone.
Wildcard DNS records (*.domain.com) match any subdomain that doesn't have
an explicit record, which can unintentionally expose services or create
security risks. Attackers may discover hidden services, and wildcard
certificates combined with wildcard DNS can increase the attack surface
for subdomain takeover vulnerabilities.
"""
def execute(self) -> list[CheckReportCloudflare]:
"""Execute the wildcard DNS record check.
Iterates through all A, AAAA, and CNAME DNS records and identifies
those configured as wildcard records (starting with *.). Wildcard
records may expose unintended services.
Returns:
A list of CheckReportCloudflare objects with PASS status if the
record is not a wildcard, or FAIL status if it is a wildcard record.
"""
findings = []
for record in dns_client.records:


@@ -5,7 +5,27 @@ PROXYABLE_TYPES = {"A", "AAAA", "CNAME"}
class dns_record_proxied(Check):
"""Ensure that DNS records are proxied through Cloudflare.
Proxying DNS records through Cloudflare hides the origin server's IP address
and provides DDoS protection, WAF capabilities, and performance optimizations.
Non-proxied (DNS-only) records expose the origin IP directly, bypassing
Cloudflare's security features and making the origin vulnerable to direct
attacks.
"""
def execute(self) -> list[CheckReportCloudflare]:
"""Execute the DNS record proxy status check.
Iterates through all proxyable DNS records (A, AAAA, CNAME) and verifies
that they are configured to be proxied through Cloudflare. Non-proxied
records bypass Cloudflare's security and performance features.
Returns:
A list of CheckReportCloudflare objects with PASS status if the
record is proxied through Cloudflare, or FAIL status if it is
DNS-only (not proxied).
"""
findings = []
for record in dns_client.records:


@@ -1,9 +1,9 @@
{
"Provider": "cloudflare",
"CheckID": "zones_firewall_blocking_rules_configured",
"CheckTitle": "Firewall rules use blocking actions to protect against threats",
"CheckID": "zone_firewall_blocking_rules_configured",
"CheckTitle": "Cloudflare Zone Firewall Rules Use Blocking Actions to Protect Against Threats",
"CheckType": [],
"ServiceName": "zones",
"ServiceName": "zone",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
@@ -23,7 +23,7 @@
},
"Recommendation": {
"Text": "Configure **firewall rules** with blocking actions to enforce security policies.\n- Use challenge actions for suspicious traffic to verify human visitors\n- Use block actions for known malicious patterns and high-risk sources\n- Test rules in log mode before enabling blocking to avoid false positives\n- Follow the principle of least privilege in rule configuration",
"Url": "https://hub.prowler.com/checks/cloudflare/zones_firewall_blocking_rules_configured"
"Url": "https://hub.prowler.com/checks/cloudflare/zone_firewall_blocking_rules_configured"
}
},
"Categories": [


@@ -1,14 +1,32 @@
from prowler.lib.check.models import Check, CheckReportCloudflare
from prowler.providers.cloudflare.services.zones.zones_client import zones_client
from prowler.providers.cloudflare.services.zone.zone_client import zone_client
BLOCKING_ACTIONS = {"block", "challenge", "js_challenge", "managed_challenge"}
class zones_firewall_blocking_rules_configured(Check):
class zone_firewall_blocking_rules_configured(Check):
"""Ensure that firewall rules with blocking actions are configured for Cloudflare zones.
Firewall rules should use blocking actions (block, challenge, js_challenge,
managed_challenge) to actively protect against threats rather than only logging
traffic. Without blocking actions, malicious requests can reach the origin server
and potentially compromise the application's security.
"""
def execute(self) -> list[CheckReportCloudflare]:
"""Execute the firewall blocking rules configured check.
Iterates through all Cloudflare zones and verifies that at least one
firewall rule exists with a blocking action. Blocking actions include
block, challenge, js_challenge, and managed_challenge.
Returns:
A list of CheckReportCloudflare objects with PASS status if blocking
rules are configured, or FAIL status if no blocking rules exist.
"""
findings = []
for zone in zones_client.zones.values():
for zone in zone_client.zones.values():
report = CheckReportCloudflare(
metadata=self.metadata(),
resource=zone,
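Review bot: The new `execute` docstring says PASS requires that "at least one firewall rule exists with a blocking action", but it does not say whether paused or disabled rules count. If the loop, which continues outside this hunk, only compares each rule's action against `BLOCKING_ACTIONS`, a zone whose only blocking rule is paused would be reported as PASS while nothing is enforced. I would state the enabled-state handling in the docstring, e.g. `Only rules that are not paused are considered.` if that is what the body does, and add a test for a paused blocking rule. Separately, `CheckID` is a user-facing identifier, so the `zones_` to `zone_` rename in the metadata file may leave existing mutelist entries and check selections pointing at a name that no longer exists; a changelog line would cover that.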


@@ -1,9 +1,9 @@
{
"Provider": "cloudflare",
"CheckID": "zones_waf_owasp_ruleset_enabled",
"CheckTitle": "OWASP managed WAF rulesets are enabled for the zone",
"CheckID": "zone_waf_owasp_ruleset_enabled",
"CheckTitle": "Cloudflare Zone OWASP Managed WAF Rulesets Are Enabled",
"CheckType": [],
"ServiceName": "zones",
"ServiceName": "zone",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
@@ -23,7 +23,7 @@
},
"Recommendation": {
"Text": "Enable **OWASP Core Ruleset** managed rules as part of a defense in depth strategy.\n- Protects against OWASP Top 10 vulnerabilities including SQLi and XSS\n- Regularly review and tune rule sensitivity based on application requirements\n- Monitor WAF analytics to identify and address false positives\n- Combine with custom rules for application-specific protection",
"Url": "https://hub.prowler.com/checks/cloudflare/zones_waf_owasp_ruleset_enabled"
"Url": "https://hub.prowler.com/checks/cloudflare/zone_waf_owasp_ruleset_enabled"
}
},
"Categories": [


@@ -1,12 +1,30 @@
from prowler.lib.check.models import Check, CheckReportCloudflare
from prowler.providers.cloudflare.services.zones.zones_client import zones_client
from prowler.providers.cloudflare.services.zone.zone_client import zone_client
class zones_waf_owasp_ruleset_enabled(Check):
class zone_waf_owasp_ruleset_enabled(Check):
"""Ensure that OWASP managed WAF rulesets are enabled for Cloudflare zones.
The OWASP Core Ruleset provides protection against common web application
vulnerabilities including SQL injection, cross-site scripting (XSS), and other
OWASP Top 10 threats. These managed rulesets are essential for defense in depth
and protecting applications from well-known attack vectors.
"""
def execute(self) -> list[CheckReportCloudflare]:
"""Execute the OWASP WAF ruleset enabled check.
Iterates through all Cloudflare zones and verifies that OWASP managed
WAF rulesets are enabled. The check identifies OWASP rulesets by name
containing "owasp" or by the http_request_firewall_managed phase.
Returns:
A list of CheckReportCloudflare objects with PASS status if OWASP
rulesets are enabled, or FAIL status if no OWASP protection exists.
"""
findings = []
for zone in zones_client.zones.values():
for zone in zone_client.zones.values():
report = CheckReportCloudflare(
metadata=self.metadata(),
resource=zone,
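Review bot: The `execute` docstring documents that a ruleset is accepted "by name containing "owasp" or by the http_request_firewall_managed phase", and the second condition is broader than what the check claims to verify. As described, any managed ruleset in that phase would satisfy it, so a zone with only a non-OWASP managed ruleset could get PASS with the text "has OWASP managed WAF ruleset enabled" on a check whose metadata rates it high; `test_zone_with_managed_ruleset_by_phase` in the test file appears to pin that outcome. Either narrow the match to the OWASP ruleset itself, or reword the docstring and status text to `managed WAF ruleset` so the result does not overstate coverage. The matching code is outside this hunk, so this is read from the docstring and the test name only.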


@@ -1,6 +1,6 @@
from unittest import mock
from prowler.providers.cloudflare.services.zones.zones_service import (
from prowler.providers.cloudflare.services.zone.zone_service import (
CloudflareFirewallRule,
CloudflareZone,
CloudflareZoneSettings,
@@ -12,10 +12,10 @@ from tests.providers.cloudflare.cloudflare_fixtures import (
)
class Test_zones_firewall_blocking_rules_configured:
class Test_zone_firewall_blocking_rules_configured:
def test_no_zones(self):
zones_client = mock.MagicMock
zones_client.zones = {}
zone_client = mock.MagicMock
zone_client.zones = {}
with (
mock.patch(
@@ -23,21 +23,21 @@ class Test_zones_firewall_blocking_rules_configured:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured import (
zones_firewall_blocking_rules_configured,
from prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured import (
zone_firewall_blocking_rules_configured,
)
check = zones_firewall_blocking_rules_configured()
check = zone_firewall_blocking_rules_configured()
result = check.execute()
assert len(result) == 0
def test_zone_with_blocking_rules(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -67,15 +67,15 @@ class Test_zones_firewall_blocking_rules_configured:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured import (
zones_firewall_blocking_rules_configured,
from prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured import (
zone_firewall_blocking_rules_configured,
)
check = zones_firewall_blocking_rules_configured()
check = zone_firewall_blocking_rules_configured()
result = check.execute()
assert len(result) == 1
assert result[0].resource_id == ZONE_ID
@@ -87,8 +87,8 @@ class Test_zones_firewall_blocking_rules_configured:
assert "2 rule(s)" in result[0].status_extended
def test_zone_without_blocking_rules(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -112,15 +112,15 @@ class Test_zones_firewall_blocking_rules_configured:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured import (
zones_firewall_blocking_rules_configured,
from prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured import (
zone_firewall_blocking_rules_configured,
)
check = zones_firewall_blocking_rules_configured()
check = zone_firewall_blocking_rules_configured()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
@@ -130,8 +130,8 @@ class Test_zones_firewall_blocking_rules_configured:
)
def test_zone_with_no_firewall_rules(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -148,15 +148,15 @@ class Test_zones_firewall_blocking_rules_configured:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured import (
zones_firewall_blocking_rules_configured,
from prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured import (
zone_firewall_blocking_rules_configured,
)
check = zones_firewall_blocking_rules_configured()
check = zone_firewall_blocking_rules_configured()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
@@ -166,8 +166,8 @@ class Test_zones_firewall_blocking_rules_configured:
)
def test_zone_with_js_challenge_rule(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -191,15 +191,15 @@ class Test_zones_firewall_blocking_rules_configured:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured import (
zones_firewall_blocking_rules_configured,
from prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured import (
zone_firewall_blocking_rules_configured,
)
check = zones_firewall_blocking_rules_configured()
check = zone_firewall_blocking_rules_configured()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
@@ -208,8 +208,8 @@ class Test_zones_firewall_blocking_rules_configured:
)
def test_zone_with_managed_challenge_rule(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -233,15 +233,15 @@ class Test_zones_firewall_blocking_rules_configured:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_firewall_blocking_rules_configured.zones_firewall_blocking_rules_configured import (
zones_firewall_blocking_rules_configured,
from prowler.providers.cloudflare.services.zone.zone_firewall_blocking_rules_configured.zone_firewall_blocking_rules_configured import (
zone_firewall_blocking_rules_configured,
)
check = zones_firewall_blocking_rules_configured()
check = zone_firewall_blocking_rules_configured()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
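Review bot: `zone_client = mock.MagicMock` binds the class rather than an instance, so the following `zone_client.zones = {...}` sets an attribute on `MagicMock` itself. That attribute then persists across tests and is visible on every other `MagicMock` in the process, which can let one test's zones leak into another and hide a missing fixture. Every test method in this file repeats the pattern, and the `Test_zone_waf_owasp_ruleset_enabled` file does the same. Since these lines are already being rewritten for the rename, I would change them to `zone_client = mock.MagicMock()`.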


@@ -1,6 +1,6 @@
from unittest import mock
from prowler.providers.cloudflare.services.zones.zones_service import (
from prowler.providers.cloudflare.services.zone.zone_service import (
CloudflareWAFRuleset,
CloudflareZone,
CloudflareZoneSettings,
@@ -12,10 +12,10 @@ from tests.providers.cloudflare.cloudflare_fixtures import (
)
class Test_zones_waf_owasp_ruleset_enabled:
class Test_zone_waf_owasp_ruleset_enabled:
def test_no_zones(self):
zones_client = mock.MagicMock
zones_client.zones = {}
zone_client = mock.MagicMock
zone_client.zones = {}
with (
mock.patch(
@@ -23,21 +23,21 @@ class Test_zones_waf_owasp_ruleset_enabled:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled import (
zones_waf_owasp_ruleset_enabled,
from prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled import (
zone_waf_owasp_ruleset_enabled,
)
check = zones_waf_owasp_ruleset_enabled()
check = zone_waf_owasp_ruleset_enabled()
result = check.execute()
assert len(result) == 0
def test_zone_with_owasp_ruleset_by_name(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -62,15 +62,15 @@ class Test_zones_waf_owasp_ruleset_enabled:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled import (
zones_waf_owasp_ruleset_enabled,
from prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled import (
zone_waf_owasp_ruleset_enabled,
)
check = zones_waf_owasp_ruleset_enabled()
check = zone_waf_owasp_ruleset_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].resource_id == ZONE_ID
@@ -79,8 +79,8 @@ class Test_zones_waf_owasp_ruleset_enabled:
assert "has OWASP managed WAF ruleset enabled" in result[0].status_extended
def test_zone_with_managed_ruleset_by_phase(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -105,23 +105,23 @@ class Test_zones_waf_owasp_ruleset_enabled:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled import (
zones_waf_owasp_ruleset_enabled,
from prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled import (
zone_waf_owasp_ruleset_enabled,
)
check = zones_waf_owasp_ruleset_enabled()
check = zone_waf_owasp_ruleset_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"
assert "has OWASP managed WAF ruleset enabled" in result[0].status_extended
def test_zone_without_owasp_ruleset(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -146,15 +146,15 @@ class Test_zones_waf_owasp_ruleset_enabled:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled import (
zones_waf_owasp_ruleset_enabled,
from prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled import (
zone_waf_owasp_ruleset_enabled,
)
check = zones_waf_owasp_ruleset_enabled()
check = zone_waf_owasp_ruleset_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
@@ -164,8 +164,8 @@ class Test_zones_waf_owasp_ruleset_enabled:
)
def test_zone_with_no_waf_rulesets(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -182,15 +182,15 @@ class Test_zones_waf_owasp_ruleset_enabled:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled import (
zones_waf_owasp_ruleset_enabled,
from prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled import (
zone_waf_owasp_ruleset_enabled,
)
check = zones_waf_owasp_ruleset_enabled()
check = zone_waf_owasp_ruleset_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "FAIL"
@@ -200,8 +200,8 @@ class Test_zones_waf_owasp_ruleset_enabled:
)
def test_zone_with_multiple_owasp_rulesets(self):
zones_client = mock.MagicMock
zones_client.zones = {
zone_client = mock.MagicMock
zone_client.zones = {
ZONE_ID: CloudflareZone(
id=ZONE_ID,
name=ZONE_NAME,
@@ -233,15 +233,15 @@ class Test_zones_waf_owasp_ruleset_enabled:
return_value=set_mocked_cloudflare_provider(),
),
mock.patch(
"prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled.zones_client",
new=zones_client,
"prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled.zone_client",
new=zone_client,
),
):
from prowler.providers.cloudflare.services.zones.zones_waf_owasp_ruleset_enabled.zones_waf_owasp_ruleset_enabled import (
zones_waf_owasp_ruleset_enabled,
from prowler.providers.cloudflare.services.zone.zone_waf_owasp_ruleset_enabled.zone_waf_owasp_ruleset_enabled import (
zone_waf_owasp_ruleset_enabled,
)
check = zones_waf_owasp_ruleset_enabled()
check = zone_waf_owasp_ruleset_enabled()
result = check.execute()
assert len(result) == 1
assert result[0].status == "PASS"