fix(route53_dangling_ip_subdomain_takeover): notify only IPs with AWS IP Ranges (#2396)

2026-02-10 23:05:05 +00:00 · 2023-05-23 16:35:13 +02:00
parent 9e9e7e1e96
commit deb9847e2b
4 changed files with 84 additions and 4 deletions
--- a/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
+++ b/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
@@ -164,7 +164,7 @@ class Test_route53_dangling_ip_subdomain_takeover:

    @mock_ec2
    @mock_route53
-    def test_hosted_zone_dangling_public_record(self):
+    def test_hosted_zone_external_record(self):
        conn = client("route53", region_name=AWS_REGION)

        zone_id = conn.create_hosted_zone(
@@ -191,6 +191,67 @@ class Test_route53_dangling_ip_subdomain_takeover:

        audit_info = self.set_mocked_audit_info()

+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=audit_info,
+        ):
+            with mock.patch(
+                "prowler.providers.aws.services.route53.route53_dangling_ip_subdomain_takeover.route53_dangling_ip_subdomain_takeover.route53_client",
+                new=Route53(audit_info),
+            ):
+                with mock.patch(
+                    "prowler.providers.aws.services.route53.route53_dangling_ip_subdomain_takeover.route53_dangling_ip_subdomain_takeover.ec2_client",
+                    new=EC2(audit_info),
+                ):
+                    # Test Check
+                    from prowler.providers.aws.services.route53.route53_dangling_ip_subdomain_takeover.route53_dangling_ip_subdomain_takeover import (
+                        route53_dangling_ip_subdomain_takeover,
+                    )
+
+                    check = route53_dangling_ip_subdomain_takeover()
+                    result = check.execute()
+
+                    assert len(result) == 1
+                    assert result[0].status == "PASS"
+                    assert search(
+                        "does not belong to AWS and it is not a dangling IP",
+                        result[0].status_extended,
+                    )
+                    assert result[0].resource_id == zone_id.replace("/hostedzone/", "")
+                    assert (
+                        result[0].resource_arn
+                        == f"arn:{audit_info.audited_partition}:route53:::{zone_id.replace('/hostedzone/','')}"
+                    )
+
+    @mock_ec2
+    @mock_route53
+    def test_hosted_zone_dangling_public_record(self):
+        conn = client("route53", region_name=AWS_REGION)
+
+        zone_id = conn.create_hosted_zone(
+            Name="testdns.aws.com.", CallerReference=str(hash("foo"))
+        )["HostedZone"]["Id"]
+
+        conn.change_resource_record_sets(
+            HostedZoneId=zone_id,
+            ChangeBatch={
+                "Changes": [
+                    {
+                        "Action": "CREATE",
+                        "ResourceRecordSet": {
+                            "Name": "foo.bar.testdns.aws.com",
+                            "Type": "A",
+                            "ResourceRecords": [{"Value": "54.152.12.70"}],
+                        },
+                    }
+                ]
+            },
+        )
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+        from prowler.providers.aws.services.route53.route53_service import Route53
+
+        audit_info = self.set_mocked_audit_info()
+
        with mock.patch(
            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
            new=audit_info,