Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: S3 ACL analysis rule for WRITE permissions never triggers #1244

Merged
merged 4 commits into from
Sep 22, 2023
Merged

Fix: S3 ACL analysis rule for WRITE permissions never triggers #1244

merged 4 commits into from
Sep 22, 2023

Conversation

achantavy
Copy link
Contributor

@achantavy achantavy commented Sep 20, 2023
edited
Loading

#1128 + tests. See that original PR for full context.

Reviewer notes: the main change is here: 13feb15. Everything else is tests to make sure the analysis job works.

@achantavy achantavy mentioned this pull request Sep 20, 2023
Closed
@achantavy achantavy force-pushed the patch-1 branch 2 times, most recently from a850c13 to 7c604ed Compare September 20, 2023 20:59
jhecking and others added 4 commits September 21, 2023 11:09
@jhecking
Fix S3 ACL analysis rules
0d2b73e 
`acl.uri` and `acl.granteeid` are mutually exclusive as per https://github.com/lyft/cartography/blob/f613c32959f4bbdab53f83b2a03532c62e180e8d/cartography/intel/aws/s3.py#L554-L578. So the "WRITE" rule would never trigger. And as these rules are all about detecting _anonymous_ access permissions, there shouldn't be any clauses checking that the grantee is the owner. And as per AWS' documentation, the `WRITE` permission allows the `s3:PutObject` action, so that should be added to `anonymous_actions`. (`s3:DeleteObjectVersion` is only ever granted to bucket owners.)

For the "READ_ACP" rule the granted anonymous actions are incorrect.
Fix incorrect typehint
7edff9b
Lint
cba4351
Add test for S3 ACL analysis
384d8d2
ramonpetgrave64
ramonpetgrave64 approved these changes Sep 22, 2023
View reviewed changes
tests/integration/cartography/intel/aws/test_s3_acls.py
}

# Assert that we properly set anonymous_actions on the S3Bucket based on the attached S3Acls
# (Can't use check_nodes() here because anonymous_actions is a list and is non-hashable.)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

non-blocker: A few weeks ago we had a _check_nodes_as_list in the semgrep test. We could refactor it into tests.integraton.util
https://github.com/lyft/cartography/blob/ef5cbcede534d91df74d2e497cc2958ae548271e/tests/integration/cartography/intel/semgrep/test_findings.py#L19

@achantavy achantavy merged commit dba2f65 into master Sep 22, 2023
@achantavy achantavy deleted the patch-1 branch September 22, 2023 21:47
chandanchowdhury pushed a commit to juju4/cartography that referenced this pull request Jun 26, 2024
@jhecking @chandan-cl
Fix: S3 ACL analysis rule for WRITE permissions never triggers (carto…
71d0f8c 
…graphy-cncf#1244)

cartography-cncf#1128 + tests. See that original
PR for full context.

Reviewer notes: the main change is here:
cartography-cncf@13feb15.
Everything else is tests to make sure the analysis job works.

---------

Co-authored-by: Jan Hecking <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ramonpetgrave64 ramonpetgrave64 ramonpetgrave64 approved these changes

@jychp jychp Awaiting requested review from jychp

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@achantavy @ramonpetgrave64 @jhecking