ghndrx/prowler
1
0
Fork 0
mirror of https://github.com/ghndrx/prowler.git synced 2026-02-10 14:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(s3 bucket input validation): validates input bucket (#3198)

Browse Source
This commit is contained in:
Nacho Rivera
2023-12-15 13:37:41 +01:00
committed by GitHub
parent fdeb523581
commit c8831f0f50
2 changed files with 39 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
prowler/providers/aws/lib/arguments/arguments.py
View File

@@ -1,4 +1,5 @@
from argparse import ArgumentTypeError, Namespace from argparse import ArgumentTypeError, Namespace
from re import search
from prowler.providers.aws.aws_provider import get_aws_available_regions from prowler.providers.aws.aws_provider import get_aws_available_regions
from prowler.providers.aws.lib.arn.arn import arn_type from prowler.providers.aws.lib.arn.arn import arn_type
@@ -104,6 +105,7 @@ def init_parser(self):
"-B", "-B",
"--output-bucket", "--output-bucket",
nargs="?", nargs="?",
type=validate_bucket,
default=None, default=None,
help="Custom output bucket, requires -M <mode> and it can work also with -o flag.", help="Custom output bucket, requires -M <mode> and it can work also with -o flag.",
) )
@@ -111,6 +113,7 @@ def init_parser(self):
"-D", "-D",
"--output-bucket-no-assume", "--output-bucket-no-assume",
nargs="?", nargs="?",
type=validate_bucket,
default=None, default=None,
help="Same as -B but do not use the assumed role credentials to put objects to the bucket, instead uses the initial credentials.", help="Same as -B but do not use the assumed role credentials to put objects to the bucket, instead uses the initial credentials.",
) )
@@ -190,3 +193,13 @@ def validate_arguments(arguments: Namespace) -> tuple[bool, str]:
return (False, "To use -I/-T options -R option is needed") return (False, "To use -I/-T options -R option is needed")
return (True, "") return (True, "")
def validate_bucket(bucket_name):
"""validate_bucket validates that the input bucket_name is valid"""
if search("(?!(^xn--|.+-s3alias$))^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$", bucket_name):
return bucket_name
else:
raise ArgumentTypeError(
"Bucket name must be valid (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html)"
)

26
tests/lib/cli/parser_test.py
View File

@@ -5,6 +5,7 @@ import pytest
from mock import patch from mock import patch
from prowler.lib.cli.parser import ProwlerArgumentParser from prowler.lib.cli.parser import ProwlerArgumentParser
from prowler.providers.aws.lib.arguments.arguments import validate_bucket
from prowler.providers.azure.lib.arguments.arguments import validate_azure_region from prowler.providers.azure.lib.arguments.arguments import validate_azure_region
prowler_command = "prowler" prowler_command = "prowler"
@@ -1138,3 +1139,28 @@ class Test_Parser:
match=f"Region {invalid_region} not allowed, allowed regions are {' '.join(expected_regions)}", match=f"Region {invalid_region} not allowed, allowed regions are {' '.join(expected_regions)}",
): ):
validate_azure_region(invalid_region) validate_azure_region(invalid_region)
def test_validate_bucket_invalid_bucket_names(self):
bad_bucket_names = [
"xn--bucket-name",
"mrryadfpcwlscicvnrchmtmyhwrvzkgfgdxnlnvaaummnywciixnzvycnzmhhpwb",
"192.168.5.4",
"bucket-name-s3alias",
"bucket-name-s3alias-",
"bucket-n$ame",
"bu",
]
for bucket_name in bad_bucket_names:
with pytest.raises(ArgumentTypeError) as argument_error:
validate_bucket(bucket_name)
assert argument_error.type == ArgumentTypeError
assert (
argument_error.value.args[0]
== "Bucket name must be valid (https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html)"
)
def test_validate_bucket_valid_bucket_names(self):
valid_bucket_names = ["bucket-name" "test" "test-test-test"]
for bucket_name in valid_bucket_names:
assert validate_bucket(bucket_name) == bucket_name