Bug: Policies with broad Deny statements are incorrectly interpreted as internet accessible
tweedge opened this issue · 0 comments
tweedge commented
Pulling an example from the AWS documentation for API Gateway resource policies here:
```
% cat test.py
from policyuniverse.policy import Policy
from json import loads
from pprint import pprint

# API Gateway resource policy from the AWS docs: Allow everyone, then Deny
# everyone whose request does not originate from vpc-1a2b3c4d.
json_policy = loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "execute-api:/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpc": "vpc-1a2b3c4d"
                }
            }
        }
    ]
}
""")

pu_policy = Policy(json_policy)
# Reports True even though the Deny shuts out every caller outside the VPC
pprint(pu_policy.is_internet_accessible())
% python3 test.py
True
```
This is because Policy Universe interprets each statement's internet accessibility separately, marking the policy as internet accessible if any statement individually appears internet accessible, and does not include logic for explicit Deny statements taking precedence over Allow statements.
I'm investigating some options for fixing this, though unfortunately it seems a bit of a lift. Will create a PR if I come up with something clean!
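A minimal evaluator that applies the Deny-wins rule described in the report, added here as an illustration; it is not code from policyuniverse or from the issue author. It models a deliberately simplified rule, and every list in it is an assumption of this example: an unconditional Allow to Principal "*" counts as public unless some Deny on "*" covering the same action and resource either has no Condition or uses a negated operator (StringNotEquals, StringNotLike, NotIpAddress) on a network-origin key (aws:SourceVpc, aws:SourceVpce, aws:SourceIp). NotAction, NotResource and NotPrincipal are not handled. Run on the policy from the report it returns False, and True again once the Deny is dropped, narrowed to a different action, or flipped to StringEquals (which would deny only VPC callers and leave the internet grant intact).

```python
import fnmatch
import json

# Assumed sets for this example: condition keys that scope a caller's network
# origin, and the negated operators that turn a Deny into "deny everyone who is
# not from X" (i.e. a Deny that shuts out the open internet).
NETWORK_KEYS = {"aws:sourcevpc", "aws:sourcevpce", "aws:sourceip"}
NEGATED_OPS = {"stringnotequals", "stringnotlike", "notipaddress"}

# The policy from the bug report, constructed inline so the example runs offline.
ISSUE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": ["execute-api:/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": ["execute-api:/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-1a2b3c4d"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _any_match(patterns, values):
    """Case-insensitive wildcard overlap between two action or resource lists."""
    return any(
        fnmatch.fnmatchcase(v.lower(), p.lower()) or fnmatch.fnmatchcase(p.lower(), v.lower())
        for p in patterns
        for v in values
    )


def _deny_blocks_internet(stmt):
    """A Deny on a public principal blocks internet callers when it is unconditional
    or when its Condition is a negated operator on a network-origin key."""
    if stmt.get("Effect") != "Deny" or not _principal_is_public(stmt.get("Principal")):
        return False
    cond = stmt.get("Condition")
    if not cond:
        return True
    for op, key_values in cond.items():
        if op.lower() in NEGATED_OPS and any(k.lower() in NETWORK_KEYS for k in key_values):
            return True
    return False


def is_internet_accessible(policy):
    """True if some unconditional Allow to "*" is not fully covered (same action and
    resource) by a Deny that shuts out internet callers. Deny wins over Allow."""
    statements = _as_list(policy.get("Statement", []))
    denies = [s for s in statements if _deny_blocks_internet(s)]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditioned Allows are treated as not open to the internet here
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        covered = any(
            _any_match(_as_list(d.get("Action", [])), actions)
            and _any_match(_as_list(d.get("Resource", [])), resources)
            for d in denies
        )
        if not covered:
            return True
    return False


if __name__ == "__main__":
    print(is_internet_accessible(ISSUE_POLICY))  # False: the Deny covers the Allow
```

The evaluator only answers the narrow question the report raises (does an explicit Deny remove the public grant?); a production check would also need to model NotAction/NotResource, condition keys beyond network origin, and principal forms such as account ARNs.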