azure-appservice-ftp-deployment-disabled: Azure App Service Plain FTP Deployment Disabled

id: azure-appservice-ftp-deployment-disabled
info:
  name: Azure App Service Plain FTP Deployment Disabled
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Microsoft Azure App Services web applications are not configured to be deployed over plain FTP. Instead, the deployment can be disabled over FTP or performed over FTPS. FTPS (Secure FTP) is used to enhance security for your Azure web application as it adds an extra layer of security to the FTP protocol, and helps you to comply with industry standards and regulations.
  impact: |
    Using plain FTP for deployment could expose sensitive data to interception. Enabling FTPS or disabling FTP deployment ensures compliance with security best practices and regulations.
  remediation: |
    Configure the Azure App Services to disable FTP deployment or to use FTPS, ensuring encrypted and secure file transfers.
  reference:
    - https://docs.microsoft.com/en-us/azure/app-service/deploy-ftp
  tags: cloud,devops,azure,microsoft,appservice,azure-cloud-config

flow: |
  code(1);
  for (let WebAppId of iterate(template.webAppIds)) {
    set("ids", WebAppId);
    code(2);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      az webapp list --output json --query '[*].id'

    extractors:
      - type: json
        name: webAppIds
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      az webapp config show --ids $ids --output json --query 'ftpsState'

    matchers:
      - type: word
        words:
          - "AllAllowed"

    extractors:
      - type: dsl
        dsl:
          - 'ids + " has FTP deployment enabled, which is not secure"'
# digest: 490a0046304402201b0c5ab994bd0df15ea234a8ef2db2f989554b62757ab363f44040ac8361dfcc02206936ff2d8b100ab6749db8e46c398b018fb23e5f8937790e429a880ac3bca3b2:922c64590222798bb761d5b6d8e72950