Fix(extra771): jq fail when policy action is an array #1031
Conversation
Fix jq select condition to handle Action as string or as array. Add error handling. When it fails, print policies as just one line.
It will also fix part of the issues from #1019. It will not expose the policy in multiple lines anymore, but it still needs to fix the comma issue inside the policy.
$ echo '
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "rule0",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-abc123"
        }
      }
    },
    {
      "Sid": "rule1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-abc123"
        }
      }
    },
    {
      "Sid": "rule2",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ]
    },
    {
      "Sid": "rule3",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::xxxx",
        "arn:aws:s3:::xxxx/*"
      ]
    }
  ]
}' | jq --compact-output '.Statement[]|select(
  .Effect=="Allow" and
  (
    ( (.Principal|type == "object") and (.Principal.AWS == "*") ) or
    ( (.Principal|type == "string") and (.Principal == "*") )
  ) and
  (
    ( (.Action|type == "string") and (.Action|startswith("s3:Put")) ) or
    ( (.Action|type == "string") and (.Action|startswith("s3:*")) ) or
    ( (.Action|type == "array") and (.Action[]|startswith("s3:Put")) ) or
    ( (.Action|type == "array") and (.Action[]|startswith("s3:*")) )
  ) and
  .Condition == null)' | tr '\n' ' '
{"Sid":"rule2","Effect":"Allow","Principal":"*","Action":"s3:PutObject","Resource":["arn:aws:s3:::xxxx","arn:aws:s3:::xxxx/*"]} {"Sid":"rule3","Effect":"Allow","Principal":"*","Action":["s3:GetObject","s3:PutObject","s3:ListBucket"],"Resource":["arn:aws:s3:::xxxx","arn:aws:s3:::xxxx/*"]}
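The same check written out in Python, as an added example that is not prowler's code and not part of this PR. It shows the two points the thread turns on: a statement's Action (and Principal.AWS) may be a bare string or an array, so both are normalised to a list before matching, and the offending statements are emitted as one compact JSON string that is CSV-quoted, so the commas inside the policy cannot split the CSV record. The sample policy, bucket name and account id are constructed for this example.

```python
import csv
import io
import json

# Constructed sample bucket policy for this example (not taken from the PR).
# Action and Principal.AWS appear both as bare strings and as arrays, which is
# the shape that broke the original jq filter.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "rule0", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-abc123"}}},
        {"Sid": "rule1", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-abc123"}}},
        {"Sid": "rule2", "Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "rule3", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "rule4", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "rule5", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    """IAM policy JSON allows a bare string wherever an array is allowed; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True for "Principal": "*" and for "Principal": {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def allows_public_put(statement):
    """Allow + public principal + a Put/wildcard S3 action + no Condition."""
    if statement.get("Effect") != "Allow":
        return False
    if not is_public_principal(statement.get("Principal")):
        return False
    if statement.get("Condition") is not None:
        return False
    actions = _as_list(statement.get("Action"))
    return any(a.startswith("s3:Put") or a.startswith("s3:*") for a in actions)


def find_public_put_statements(policy):
    """Return the offending statements; Statement itself may be an object or an array."""
    return [s for s in _as_list(policy.get("Statement")) if allows_public_put(s)]


def csv_row(bucket, statements):
    """Serialise the offending statements as a single, properly quoted CSV record."""
    compact = json.dumps(statements, separators=(",", ":"))  # one line, no spaces
    buf = io.StringIO()
    csv.writer(buf).writerow([bucket, compact])  # quotes the field, doubles inner quotes
    return buf.getvalue().rstrip("\r\n")


def parse_csv_row(line):
    """Inverse of csv_row, used to verify the record survives a CSV round trip."""
    bucket, compact = next(csv.reader([line]))
    return bucket, json.loads(compact)


if __name__ == "__main__":
    hits = find_public_put_statements(SAMPLE_POLICY)
    print(csv_row("example-bucket", hits))
```

`any` collapses the Action array into a single decision, so each statement is reported at most once, and the `csv` module does the quoting that `tr '\n' ' '` alone does not: the record stays on one line and a CSV reader gets the policy back intact.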
@lazize when I test it with the suggested policy I get this error:
@toniblyx Did you test the
This is the output it returns to me: one long string with the violating policy. When we run prowler and ask it to generate CSV output, this JSON string with commas will break the CSV result file.
yeah, the command works fine for me, the check itself doesn't. This is part of the debug output
See the jq error there.
Strange, the jq command you are running is the original one, not the one I changed. See it below. This is from your output above:
This is the command I pushed on this PR:
Note the difference between the several OR conditions.
OK, I get it now. I don't see the need to include the policy output in the check output. That could be removed or redacted as you suggest in line 57.
Can you update this PR with the line
LGTM
Thanks @lazize, great work!
Context
jq filter was failing when policy Action was an array.
Description
Fix jq select condition to handle Action as string or as array.
Add error handling.
When it fails, print policies as just one line.
Fix issue #1026
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.