Security group ports check fails to determine private IP addresses
Closed this issue · 0 comments
harti2006 commented
Expected behavior
UNSECURED_PUBLIC_ENDPOINT (errorMessage: "Unsecured security group! Only ports 80 and 443 are allowed") should be ignored if the IP range only includes private IP addresses.
Currently, private IPs are only recognized when they start with "172.31", which is insufficient. E.g. a rule that allows inbound traffic from "172.16.0.0/12" was reported as an unsecured public endpoint, which is a false positive.
Step needed
https://github.com/zalando-stups/fullstop/blob/master/fullstop-jobs/src/main/java/org/zalando/stups/fullstop/jobs/utils/Predicates.java needs to be changed to properly detect rules that only apply to private IPs and exclude them.
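The check the issue asks for is a CIDR containment test rather than a string-prefix test: a rule's source range is private only if the whole block lies inside one of the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). The following is an added, self-contained example written for this page, not fullstop's own code and not a proposed diff to Predicates.java; the class name PrivateCidrCheck, the helper names and the rule representation as a list of CIDR strings are assumptions. It masks both the rule's network and the candidate private range to the private range's prefix length, so "172.16.0.0/12" passes while a wider block such as "172.0.0.0/8" or "0.0.0.0/0" is still reported, because part of it is public.

```java
import java.util.List;
import java.util.function.Predicate;

/** Hypothetical helper illustrating an RFC 1918 containment check (example code, not the project's). */
public final class PrivateCidrCheck {

    // RFC 1918 private IPv4 ranges.
    private static final List<String> PRIVATE_RANGES = List.of(
            "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16");

    /** Parse a dotted-quad IPv4 address into an unsigned 32-bit value held in a long. */
    static long toLong(String ip) {
        String[] parts = ip.trim().split("\\.");
        if (parts.length != 4) {
            throw new IllegalArgumentException("not an IPv4 address: " + ip);
        }
        long value = 0;
        for (String part : parts) {
            int octet = Integer.parseInt(part);
            if (octet < 0 || octet > 255) {
                throw new IllegalArgumentException("octet out of range: " + ip);
            }
            value = (value << 8) | octet;
        }
        return value;
    }

    /** Network mask for a prefix length, as an unsigned 32-bit value. */
    static long maskFor(int prefix) {
        if (prefix < 0 || prefix > 32) {
            throw new IllegalArgumentException("bad prefix length: " + prefix);
        }
        return (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
    }

    /** An IPv4 CIDR block; a bare address is treated as a /32. */
    static final class Cidr {
        final long network;
        final int prefix;

        Cidr(String cidr) {
            String[] parts = cidr.trim().split("/");
            if (parts.length > 2) {
                throw new IllegalArgumentException("not a CIDR block: " + cidr);
            }
            prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : 32;
            network = toLong(parts[0]) & maskFor(prefix);
        }

        /** True if every address of {@code other} lies inside this block. */
        boolean contains(Cidr other) {
            // A wider block (shorter prefix) can never be fully inside a narrower one.
            if (other.prefix < prefix) {
                return false;
            }
            return (other.network & maskFor(prefix)) == network;
        }
    }

    /** True only if the whole block is inside one RFC 1918 range. */
    static boolean isPrivate(String cidr) {
        Cidr candidate = new Cidr(cidr);
        return PRIVATE_RANGES.stream().map(Cidr::new).anyMatch(range -> range.contains(candidate));
    }

    /** A rule is a public endpoint if at least one of its source ranges is not fully private. */
    static final Predicate<List<String>> HAS_PUBLIC_SOURCE =
            ranges -> ranges.stream().anyMatch(range -> !isPrivate(range));

    public static void main(String[] args) {
        // Constructed sample inputs, including the range from the issue.
        for (String cidr : List.of("172.31.0.0/16", "172.16.0.0/12", "172.15.255.255/32",
                "172.0.0.0/8", "10.1.2.3", "192.168.10.0/24", "0.0.0.0/0")) {
            System.out.println(cidr + " private? " + isPrivate(cidr));
        }
        System.out.println("rule [10.0.0.0/8, 172.16.0.0/12] public? "
                + HAS_PUBLIC_SOURCE.test(List.of("10.0.0.0/8", "172.16.0.0/12")));
        System.out.println("rule [172.16.0.0/12, 0.0.0.0/0] public? "
                + HAS_PUBLIC_SOURCE.test(List.of("172.16.0.0/12", "0.0.0.0/0")));
    }
}
```

Two points matter for a check like this: a rule with several source ranges should be skipped only when every range is private (one `0.0.0.0/0` entry beside a private one still exposes the port), and a range that merely starts with a private-looking octet is not enough, since `172.0.0.0/8` includes public space. Security group rules can also carry IPv6 ranges and security-group-id sources, which this IPv4-only helper does not model.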