From d02bd9b717e075d34852df4ec4f866013f6dd84f Mon Sep 17 00:00:00 2001
From: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
Date: Wed, 18 Jan 2023 17:45:51 +0100
Subject: [PATCH] fix(allowlist): remove re.escape (#1734)

Co-authored-by: sergargar
---
 .../providers/aws/lib/allowlist/allowlist.py | 8 +-
 .../aws/lib/allowlist/allowlist_test.py | 74 ++++++++++++++++++-
 2 files changed, 80 insertions(+), 2 deletions(-)

diff --git a/prowler/providers/aws/lib/allowlist/allowlist.py b/prowler/providers/aws/lib/allowlist/allowlist.py
index 8fed1c5e..9e36486f 100644
--- a/prowler/providers/aws/lib/allowlist/allowlist.py
+++ b/prowler/providers/aws/lib/allowlist/allowlist.py
@@ -114,13 +114,19 @@ def is_allowlisted_in_region(allowlist, audited_account, check, region, resource
 for elem in allowlist["Accounts"][audited_account]["Checks"][check][
 "Resources"
 ]:
- if re.search(re.escape(elem), resource):
+ # Check if it is an *
+ if elem == "*":
+ elem = ".*"
+ if re.search(elem, resource):
 return True
 # Check if there is the specific region
 if region in allowlist["Accounts"][audited_account]["Checks"][check]["Regions"]:
 for elem in allowlist["Accounts"][audited_account]["Checks"][check][
 "Resources"
 ]:
+ # Check if it is an *
+ if elem == "*":
+ elem = ".*"
 if re.search(elem, resource):
 return True
 except Exception as error:
diff --git a/tests/providers/aws/lib/allowlist/allowlist_test.py b/tests/providers/aws/lib/allowlist/allowlist_test.py
index 7c79e1a6..9555e718 100644
--- a/tests/providers/aws/lib/allowlist/allowlist_test.py
+++ b/tests/providers/aws/lib/allowlist/allowlist_test.py
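Review bot: Removing `re.escape` makes every `Resources` entry an unanchored regular expression, but only the bare `"*"` is normalized before `re.search` — an entry that is not a valid regex (a literal containing `+`, `(` or `[`, or a `*` following a metacharacter) raises `re.error`, which falls through to the generic `except Exception as error` at the end of the hunk, while a valid-but-unintended pattern such as a name containing `.` silently matches more resources than written and suppresses their findings. Allowlists written as literals before this change therefore change meaning, so the config format should document that entries are Python regexes matched as substrings with `re.search` and that `^`/`$` are needed to anchor them (the `^test` entry in the tests relies on this). The normalization and loop are also duplicated for the `"*"` and region branches; a helper with a targeted `except re.error` keeps both paths identical and turns a malformed entry into a reportable allowlist problem instead of a generic failure. `is_allowlisted_in_region` begins before this hunk and its `except` body is outside it, so how that error is currently reported cannot be checked here.
```python
def _resource_matches(patterns, resource):
    """Return True when any allowlist entry matches resource.

    Entries are Python regular expressions applied with re.search (substring,
    unanchored); a bare "*" is treated as ".*".  An entry that does not compile
    is skipped instead of reaching the generic exception handler.
    """
    for pattern in patterns:
        if pattern == "*":
            pattern = ".*"
        try:
            if re.search(pattern, resource):
                return True
        except re.error:
            # … report via the module's logger, as the enclosing except branch does …
            continue
    return False

# … unchanged: account / check lookup …
resources = allowlist["Accounts"][audited_account]["Checks"][check]["Resources"]
if _resource_matches(resources, resource):
    return True
# … unchanged: region branch, which calls the same helper …
```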
@@ -109,7 +109,79 @@ class Test_Allowlist:
 "Checks": {
 "check_test": {
 "Regions": ["us-east-1", "eu-west-1"],
- "Resources": ["prowler", "^test"],
+ "Resources": ["prowler", "^test", "prowler-pro"],
+ }
+ }
+ }
+ }
+ }
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler"
+ )
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test"
+ )
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler"
+ )
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-pro-test"
+ )
+
+ assert not (
+ is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test"
+ )
+ )
+
+ def test_is_allowlisted_wildcard(self):
+
+ # Allowlist example
+ allowlist = {
+ "Accounts": {
+ "*": {
+ "Checks": {
+ "check_test": {
+ "Regions": ["us-east-1", "eu-west-1"],
+ "Resources": [".*"],
+ }
+ }
+ }
+ }
+ }
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler"
+ )
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "prowler-test"
+ )
+
+ assert is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", AWS_REGION, "test-prowler"
+ )
+
+ assert not (
+ is_allowlisted(
+ allowlist, AWS_ACCOUNT_NUMBER, "check_test", "us-east-2", "test"
+ )
+ )
+
+ def test_is_allowlisted_asterisk(self):
+
+ # Allowlist example
+ allowlist = {
+ "Accounts": {
+ "*": {
+ "Checks": {
+ "check_test": {
+ "Regions": ["us-east-1", "eu-west-1"],
+ "Resources": ["*"],
 }
 }
 }
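Review bot: The new tests exercise only entries that compile and match; nothing pins what happens when an entry is not a valid regular expression, which is now possible because `re.escape` was removed, nor that a literal containing a metacharacter such as `"prowler.test"` now matches `prowler-test`. One added case, e.g. `"Resources": ["prowler+*"]` followed by an assertion on whichever outcome is intended for a malformed entry, would document that behaviour for users migrating literal allowlists. The assertions belonging to `test_is_allowlisted_asterisk`, and the start of the first test method, lie outside this hunk.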