AccessControl allows all IPs

Severity
Medium
Applies to
AccessControl
Links
CWE-290

Why This Issue Is Important

The AccessControl policy decides what happens to a request whose source address matches none of its MatchRule entries through the noRuleMatchAction attribute on the <IPRules> element, and that attribute defaults to ALLOW when it is omitted. A policy that lists allow rules but leaves the fallback at ALLOW therefore restricts nothing: every address that is not explicitly covered is still admitted, the allowlist gives a false sense of protection, and the proxy's endpoints stay reachable from any client, including ones probing for sensitive data or abusing the backing services.

How This Issue Is Detected

CodeSent parses each AccessControl policy in the Apigee proxy bundle and inspects the noRuleMatchAction attribute of its <IPRules> element. If the attribute is missing or set to anything other than DENY, requests from unmatched addresses fall through to ALLOW, so the policy is not actually restricting access and the finding is raised.

How to Fix the Issue

To fix this issue, set noRuleMatchAction="DENY" on the <IPRules> element of the AccessControl policy so that any client address not covered by an explicit ALLOW rule is rejected, and add a MatchRule for each range that should be permitted. Two points to check before deploying: with DENY as the fallback and no ALLOW rule, the policy rejects every caller, so the allowlist must be complete; and IP rules are only as trustworthy as the client address Apigee derives, which is why the snippet below keeps IgnoreTrueClientIPHeader set to true so a caller cannot substitute an address through the True-Client-IP header.

<AccessControl name="Access-Control-Policy">
    <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
    <IPRules noRuleMatchAction="DENY">
        <!-- Example allow rule: 203.0.113.0/24 is a documentation range,
             replace it with the networks that should reach this proxy -->
        <MatchRule action="ALLOW">
            <SourceAddress mask="24">203.0.113.0</SourceAddress>
        </MatchRule>
    </IPRules>
</AccessControl>
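To make the detection rule and the effect of the fallback concrete, the following script is an added example (not CodeSent's scanner and not part of the original page). It parses AccessControl policy XML, reports policies whose <IPRules> lack noRuleMatchAction="DENY", and then simulates the allow/deny decision for a client address so the difference between the weak and hardened policy is visible. The two sample policies and the client addresses are constructed; the evaluator's rule-precedence model (first matching MatchRule wins, then the fallback) is a simplification and is not a statement about how Apigee orders overlapping rules.

```python
"""Audit and simulate Apigee AccessControl IP rules (added example, not CodeSent's code)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policy: an allowlist whose fallback is left at the ALLOW default.
WEAK_POLICY = """\
<AccessControl name="Access-Control-Policy">
    <IgnoreTrueClientIPHeader>true</IgnoreTrueClientIPHeader>
    <IPRules>
        <MatchRule action="ALLOW">
            <SourceAddress mask="24">203.0.113.0</SourceAddress>
        </MatchRule>
    </IPRules>
</AccessControl>
"""

# Same policy with the fallback corrected to DENY.
HARDENED_POLICY = WEAK_POLICY.replace("<IPRules>", '<IPRules noRuleMatchAction="DENY">')


def audit(policy_xml: str) -> list:
    """Return a list of findings for one AccessControl policy; an empty list means clean."""
    root = ET.fromstring(policy_xml)
    if root.tag != "AccessControl":
        return ["not an AccessControl policy (root element is <%s>)" % root.tag]
    name = root.get("name", "<unnamed>")
    ip_rules = root.find("IPRules")
    if ip_rules is None:
        return ["%s: no <IPRules> element, the policy restricts nothing" % name]

    findings = []
    fallback = ip_rules.get("noRuleMatchAction")
    if fallback is None:
        # Attribute omitted: Apigee falls back to ALLOW for unmatched addresses.
        findings.append("%s: noRuleMatchAction not set, defaults to ALLOW" % name)
    elif fallback.upper() != "DENY":
        findings.append("%s: noRuleMatchAction is %r, unmatched IPs are allowed" % (name, fallback))
    if ip_rules.find("MatchRule") is None:
        # With a DENY fallback this blocks everyone; with ALLOW it blocks no one.
        findings.append("%s: <IPRules> contains no <MatchRule>, only the fallback applies" % name)
    return findings


def evaluate(policy_xml: str, client_ip: str) -> str:
    """Simplified decision model: the first MatchRule whose SourceAddress covers
    client_ip decides; otherwise noRuleMatchAction (default ALLOW) decides.
    Assumption: real Apigee precedence among overlapping rules is not modelled."""
    root = ET.fromstring(policy_xml)
    ip_rules = root.find("IPRules")
    if ip_rules is None:
        return "ALLOW"
    addr = ipaddress.ip_address(client_ip)
    for rule in ip_rules.findall("MatchRule"):
        action = rule.get("action", "ALLOW").upper()
        for src in rule.findall("SourceAddress"):
            # A missing mask means the full address (32 for IPv4, 128 for IPv6).
            mask = src.get("mask", str(addr.max_prefixlen))
            network = ipaddress.ip_network("%s/%s" % (src.text.strip(), mask), strict=False)
            if addr in network:
                return action
    return ip_rules.get("noRuleMatchAction", "ALLOW").upper()


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "findings:", audit(policy) or "none")
        for ip in ("203.0.113.42", "198.51.100.7"):
            print("  %s -> %s" % (ip, evaluate(policy, ip)))
```

Running the script shows the weak policy admitting 198.51.100.7 even though only 203.0.113.0/24 is listed, while the hardened policy denies it and still admits 203.0.113.42. The audit function is the shape of check a CI step can run over every policy file in a proxy bundle before deployment.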