From a65610390b6abdbcdc49da7c9992e8dcd3e75788 Mon Sep 17 00:00:00 2001
From: sethsec-bf <46326948+sethsec-bf@users.noreply.github.com>
Date: Thu, 25 Jan 2024 20:26:49 -0500
Subject: [PATCH 1/5] Bumped to version 1.31.1 before PR
---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 024d028..7e5f909 100644
--- a/main.go
+++ b/main.go
@@ -10,7 +10,7 @@ import (
 var (
 rootCmd = &cobra.Command{
 Use: os.Args[0],
- Version: "1.13.1-prerelease",
+ Version: "1.13.1",
 }
 )
From b5908fc720bf38d3fe81b750cd03656f9e943fc8 Mon Sep 17 00:00:00 2001
From: sethsec-bf <46326948+sethsec-bf@users.noreply.github.com>
Date: Fri, 2 Feb 2024 13:29:33 -0500
Subject: [PATCH 2/5] Fixed bug in the role trusts command introduced in 1.13.1 where cloudfox only shows princiapls with :root trust and not ALL role trusts
---
 aws/role-trusts.go | 45 ++++++++++++++++++++++-----------------------
 1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/aws/role-trusts.go b/aws/role-trusts.go
index 8295077..493c529 100644
--- a/aws/role-trusts.go
+++ b/aws/role-trusts.go
@@ -241,33 +241,32 @@ func (m *RoleTrustsModule) printPrincipalTrusts(outputDirectory string) ([]strin
 for _, role := range m.AnalyzedRoles {
 for _, statement := range role.trustsDoc.Statement {
 for _, principal := range statement.Principal.AWS {
- if strings.Contains(principal, ":root") {
- //check to see if the accountID is known
- accountID := strings.Split(principal, ":")[4]
- vendorName := m.vendors.GetVendorNameFromAccountID(accountID)
- if vendorName != "" {
- principal = fmt.Sprintf("%s (%s)", principal, vendorName)
- }
+ //check to see if the accountID is known
+ accountID := strings.Split(principal, ":")[4]
+ vendorName := m.vendors.GetVendorNameFromAccountID(accountID)
+ if vendorName != "" {
+ principal = fmt.Sprintf("%s (%s)", principal, vendorName)
+ }
- RoleTrustRow := RoleTrustRow{
- RoleARN: aws.ToString(role.roleARN),
- RoleName: GetResourceNameFromArn(aws.ToString(role.roleARN)),
- TrustedPrincipal: principal,
- ExternalID: statement.Condition.StringEquals.StsExternalID,
- IsAdmin: role.Admin,
- CanPrivEsc: role.CanPrivEsc,
- }
- body = append(body, []string{
- aws.ToString(m.Caller.Account),
- RoleTrustRow.RoleARN,
- RoleTrustRow.RoleName,
- RoleTrustRow.TrustedPrincipal,
- RoleTrustRow.ExternalID,
- RoleTrustRow.IsAdmin,
- RoleTrustRow.CanPrivEsc})
+ RoleTrustRow := RoleTrustRow{
+ RoleARN: aws.ToString(role.roleARN),
+ RoleName: GetResourceNameFromArn(aws.ToString(role.roleARN)),
+ TrustedPrincipal: principal,
+ ExternalID: statement.Condition.StringEquals.StsExternalID,
+ IsAdmin: role.Admin,
+ CanPrivEsc: role.CanPrivEsc,
 }
+ body = append(body, []string{
+ aws.ToString(m.Caller.Account),
+ RoleTrustRow.RoleARN,
+ RoleTrustRow.RoleName,
+ RoleTrustRow.TrustedPrincipal,
+ RoleTrustRow.ExternalID,
+ RoleTrustRow.IsAdmin,
+ RoleTrustRow.CanPrivEsc})
 }
 }
+ }
 m.sortTrustsTablePerTrustedPrincipal()
From 18e38bf1ea139b1642be0f442d5904b66aa85c19 Mon Sep 17 00:00:00 2001
From: sethsec-bf <46326948+sethsec-bf@users.noreply.github.com>
Date: Fri, 2 Feb 2024 13:42:37 -0500
Subject: [PATCH 3/5] Fixed bug in env-vars command introduced in 1.13.1 with the new interesting version of the table written to disk. was still recording them all. now the second table only has interesting env-vars
---
 aws/env-vars.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/aws/env-vars.go b/aws/env-vars.go
index 08ce518..4a02ef3 100644
--- a/aws/env-vars.go
+++ b/aws/env-vars.go
@@ -836,7 +836,7 @@ func (m *EnvsModule) interestingEnvVarsOnly() [][]string {
 for _, envVar := range m.EnvironmentVariables {
 if envVar.interesting {
 interestingBody = append(
- m.output.Body, []string{
+ interestingBody, []string{
 aws.ToString(m.Caller.Account),
 envVar.service,
 envVar.region,
From 237b0735a8034d9d497b1cc0aa8bb232af1099ec Mon Sep 17 00:00:00 2001
From: sethsec-bf <46326948+sethsec-bf@users.noreply.github.com>
Date: Fri, 2 Feb 2024 13:45:41 -0500
Subject: [PATCH 4/5] Bumped version to 1.13.2
---
 main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 7e5f909..d2a39d3 100644
--- a/main.go
+++ b/main.go
@@ -10,7 +10,7 @@ import (
 var (
 rootCmd = &cobra.Command{
 Use: os.Args[0],
- Version: "1.13.1",
+ Version: "1.13.2",
 }
 )
From 1ca5dbfb10a4c9fc3e7f71560b118bc6341e02a5 Mon Sep 17 00:00:00 2001
From: sethsec-bf <46326948+sethsec-bf@users.noreply.github.com>
Date: Thu, 8 Feb 2024 16:49:50 -0500
Subject: [PATCH 5/5] Fix bug in role-trusts command around new vendor lookup feature, enabled caching on apigateway commands
---
 aws/role-trusts.go | 10 ++++++----
 aws/sdk/apigateway.go | 13 +++++++++----
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/aws/role-trusts.go b/aws/role-trusts.go
index 493c529..968b9e3 100644
--- a/aws/role-trusts.go
+++ b/aws/role-trusts.go
@@ -242,10 +242,12 @@ func (m *RoleTrustsModule) printPrincipalTrusts(outputDirectory string) ([]strin
 for _, statement := range role.trustsDoc.Statement {
 for _, principal := range statement.Principal.AWS {
 //check to see if the accountID is known
- accountID := strings.Split(principal, ":")[4]
- vendorName := m.vendors.GetVendorNameFromAccountID(accountID)
- if vendorName != "" {
- principal = fmt.Sprintf("%s (%s)", principal, vendorName)
+ if strings.Contains(principal, "arn:aws:iam::") || strings.Contains(principal, "root") {
+ accountID := strings.Split(principal, ":")[4]
+ vendorName := m.vendors.GetVendorNameFromAccountID(accountID)
+ if vendorName != "" {
+ principal = fmt.Sprintf("%s (%s)", principal, vendorName)
+ }
 }
 RoleTrustRow := RoleTrustRow{
diff --git a/aws/sdk/apigateway.go b/aws/sdk/apigateway.go
index 0bd4b14..0909bee 100644
--- a/aws/sdk/apigateway.go
+++ b/aws/sdk/apigateway.go
@@ -9,6 +9,7 @@ import (
 "github.com/aws/aws-sdk-go-v2/aws"
 "github.com/aws/aws-sdk-go-v2/service/apigateway"
 apiGatewayTypes "github.com/aws/aws-sdk-go-v2/service/apigateway/types"
+ "github.com/patrickmn/go-cache"
 )
 type APIGatewayClientInterface interface {
@@ -66,7 +67,7 @@ func CachedApiGatewayGetRestAPIs(client APIGatewayClientInterface, accountID str
 }
 PaginationControl = GetRestApis.Position
 }
-
+ internal.Cache.Set(cacheKey, restAPIs, cache.DefaultExpiration)
 return restAPIs, nil
 }
@@ -92,6 +93,7 @@ func CachedApiGatewayGetStages(client APIGatewayClientInterface, accountID strin
 return apigateway.GetStagesOutput{}, err
 }
+ internal.Cache.Set(cacheKey, GetStages, cache.DefaultExpiration)
 return *GetStages, err
 }
@@ -129,7 +131,7 @@ func CachedApiGatewayGetResources(client APIGatewayClientInterface, accountID st
 }
 PaginationControl = GetResources.Position
 }
-
+ internal.Cache.Set(cacheKey, resources, cache.DefaultExpiration)
 return resources, nil
 }
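Review bot: The new guard `if strings.Contains(principal, "arn:aws:iam::") || strings.Contains(principal, "root")` decides by substring rather than by how many colon-separated fields the value actually has, so anything that passes it with fewer than five colons still reaches `strings.Split(principal, ":")[4]` and panics with an index out of range, aborting the whole role-trusts listing; the earlier role-trusts commit in this series dropped the guard entirely and had the same failure for bare account IDs and `*` principals. Bounding on the split result covers every shape the trust document can carry: `parts := strings.Split(principal, ":")` / `if len(parts) > 4 {` / `accountID := parts[4]`, with the rest of the block unchanged. The `arn:aws:iam::` literal also leaves `arn:aws-cn:` and `arn:aws-us-gov:` principals out of the vendor lookup, which a length check would not; whether those partitions matter to this module I can't tell from the hunk. printPrincipalTrusts starts and ends outside the hunk.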
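Review bot: `internal.Cache.Set(cacheKey, GetStages, cache.DefaultExpiration)` in CachedApiGatewayGetStages stores the pointer `GetStages` while the function returns the value `*GetStages`, so this entry has a different dynamic type from every other entry written in this file (plain slices) and from what the function hands back; if the lookup at the top of the function type-asserts `apigateway.GetStagesOutput`, a cache hit will either miss or panic — the read path is outside the hunk, so I can't confirm which. Storing the value, `internal.Cache.Set(cacheKey, *GetStages, cache.DefaultExpiration)`, keeps the stored and returned types identical. The CachedApiGatewayGetMethod hunk further down has the same mismatch, caching the pointer `GetMethod` and returning `*GetMethod`. The `return *GetStages, err` on the next line is reached only when err is nil, so `return *GetStages, nil` would read clearer, though that line predates the change.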
@@ -166,7 +168,7 @@ func CachedApiGatewayGetDomainNames(client APIGatewayClientInterface, accountID
 }
 PaginationControl = GetDomainNames.Position
 }
-
+ internal.Cache.Set(cacheKey, domainNames, cache.DefaultExpiration)
 return domainNames, nil
 }
@@ -204,7 +206,7 @@ func CachedApiGatewayGetBasePathMappings(client APIGatewayClientInterface, accou
 }
 PaginationControl = GetBasePathMappings.Position
 }
-
+ internal.Cache.Set(cacheKey, basePathMappings, cache.DefaultExpiration)
 return basePathMappings, nil
 }
@@ -233,6 +235,7 @@ func CachedApiGatewayGetMethod(client APIGatewayClientInterface, accountID strin
 return apigateway.GetMethodOutput{}, err
 }
+ internal.Cache.Set(cacheKey, GetMethod, cache.DefaultExpiration)
 return *GetMethod, nil
 }
@@ -271,6 +274,7 @@ func CachedApiGatewayGetUsagePlans(client APIGatewayClientInterface, accountID s
 PaginationControl = GetUsagePlans.Position
 }
+ internal.Cache.Set(cacheKey, usagePlans, cache.DefaultExpiration)
 return usagePlans, nil
 }
@@ -309,5 +313,6 @@ func CachedApiGatewayGetUsagePlanKeys(client APIGatewayClientInterface, accountI
 PaginationControl = GetUsagePlanKeys.Position
 }
+ internal.Cache.Set(cacheKey, usagePlanKeys, cache.DefaultExpiration)
 return usagePlanKeys, nil
 }