Improved isCrossAccount condition

lionel-faber · Mar 3, 2020 · 18b633a · 18b633a
1 parent f1d1949
commit 18b633a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/ScoutSuite/core/conditions.py b/ScoutSuite/core/conditions.py
@@ -235,6 +235,8 @@ def pass_condition(b, test, a):
         if type(b) != list:
             b = [b]
         for c in b:
+            if type(c) == dict and 'AWS' in c:
+                c = c['AWS']
             if c != a and not re.match(r'arn:aws:iam:.*?:%s:.*' % a, c):
                 result = True
                 break

diff --git a/tests/test-utils-conditions.py b/tests/test-utils-conditions.py
@@ -190,6 +190,12 @@ def test_pass_condition(self):
         assert pass_condition('123456789012', 'isCrossAccount', '123456789013') == True
         assert pass_condition(['123456789013', '123456789012'], 'isCrossAccount', '123456789013') == True
         assert pass_condition('arn:aws:iam::123456789012:root', 'isCrossAccount', '123456789013') == True
+        assert pass_condition({'AWS': 'arn:aws:iam::123456789012:root'}, 'isCrossAccount', '123456789013')
+        assert pass_condition(
+            [{'AWS': 'arn:aws:iam::123456789013:root'}, {'AWS': 'arn:aws:iam::123456789012:root'}],
+            'isCrossAccount',
+            '123456789013'
+        )
 
         try:
             pass_condition('foo', 'bar', 'baz')