"""
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: MIT-0
"""
import regex as re

from cfnlint.rules import CloudFormationLintRule, RuleMatch


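class HardCodedArnProperties(CloudFormationLintRule):
    """Flag ARNs in ``Fn::Sub`` strings that hard-code partition, region or account ID.

    Each ARN found in a string nested under an ``Fn::Sub`` key is split into
    its partition, region and account ID segments. A segment passes when it is
    empty, a ``${Name}`` substitution, or the matching pseudo parameter
    (``${AWS::Partition}``, ``${AWS::Region}``, ``${AWS::AccountId}``); the
    account ID segment may also be the literal ``aws``.

    A hard-coded segment pins the reference to one partition, region or
    account no matter where the stack is deployed, which is why it is worth
    reporting. Only the partition check is enabled by default; the region and
    account ID checks are opt-in through the rule configuration.
    """

    id = "I3042"
    shortdesc = "ARNs should use correctly placed Pseudo Parameters"
    description = "Checks Resources if ARNs use correctly placed Pseudo Parameters instead of hardcoded Partition, Region, and Account Number"
    source_url = ""
    tags = ["resources"]
    # Three capture groups: partition, region, account ID. The service segment
    # between partition and region is matched by ``[^:]+`` but not captured.
    regex = re.compile(
        r"arn:(\$\{[^:]*::[^:]*}|[^:]*):[^:]+:(\$\{[^:]*::[^:]*}|[^:]*):(\$\{[^:]*::[^:]*}|[^:]*)"
    )

    _SERVERLESS_TRANSFORM = "AWS::Serverless-2016-10-31"

    # (config key, index into the captured segments, accepted form, message).
    # Every pattern is grouped and anchored at both ends so the whole segment
    # must be an accepted form. The partition and account ID patterns were
    # previously ungrouped, so ``^`` and ``$`` bound to single alternatives
    # and an accepted prefix followed by hard-coded text was let through.
    _SEGMENT_CHECKS = (
        (
            "partition",
            0,
            re.compile(r"^(\$\{\w+}|\$\{AWS::Partition}|)$"),
            "ARN in Resource {0} contains hardcoded Partition in ARN or incorrectly placed Pseudo Parameters",
        ),
        (
            "region",
            1,
            re.compile(r"^(\$\{\w+}|\$\{AWS::Region}|)$"),
            "ARN in Resource {0} contains hardcoded Region in ARN or incorrectly placed Pseudo Parameters",
        ),
        (
            # ``aws`` is accepted for AWS-owned resources such as
            # arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
            "accountId",
            2,
            re.compile(r"^(\$\{\w+}|\$\{AWS::AccountId}|aws|)$"),
            "ARN in Resource {0} contains hardcoded AccountId in ARN or incorrectly placed Pseudo Parameters",
        ),
    )

    def __init__(self):
        """Declare the three boolean options and load their configured values."""
        super().__init__()
        self.config_definition = {
            "partition": {
                "default": True,
                "type": "boolean",
            },
            "region": {
                "default": False,
                "type": "boolean",
            },
            "accountId": {
                "default": False,
                "type": "boolean",
            },
        }
        self.configure()

    def _match_values(self, cfnelem, path):
        """Recursively collect ARN matches from strings nested under ``Fn::Sub``.

        Args:
            cfnelem: the template fragment to walk (dict, list or leaf value).
            path: keys and indexes leading from the search root to ``cfnelem``.

        Returns:
            A list of paths, each one the location of a string followed by a
            ``(partition, region, account_id)`` tuple captured from an ARN in
            that string. A string with several ARNs yields one entry per ARN.
        """
        values = []
        if isinstance(cfnelem, dict):
            for key, child in cfnelem.items():
                values.extend(self._match_values(child, path + [key]))
        elif isinstance(cfnelem, list):
            for index, item in enumerate(cfnelem):
                values.extend(self._match_values(item, path + [index]))
        elif isinstance(cfnelem, str) and "Fn::Sub" in path:
            # Only strings below an Fn::Sub are reported; the path test is
            # loop-invariant, so it is done once per leaf rather than per ARN.
            values.extend(path + [segments] for segments in self.regex.findall(cfnelem))

        return values

    def match_values(self, cfn):
        """Collect ARN matches from the ``Resources`` and ``Globals`` sections.

        Both sections are walked from an empty path, so the returned paths do
        not record which section a match came from.
        """
        results = []
        results.extend(self._match_values(cfn.template.get("Resources", {}), []))
        # Globals are removed during a transform.  They need to be checked manually
        results.extend(self._match_values(cfn.template.get("Globals", {}), []))
        return results

    def match(self, cfn):
        """Return a ``RuleMatch`` for every enabled check that an ARN segment fails.

        Templates that declare the serverless transform are skipped entirely.
        """
        matches = []

        transforms = cfn.transform_pre["Transform"]
        if not isinstance(transforms, list):
            transforms = [transforms]
        # Test membership on the normalised list. The raw value may be a plain
        # string, where ``in`` would be a substring test instead of equality.
        if self._SERVERLESS_TRANSFORM in transforms:
            return matches

        # Each entry is the path to a string under Fn::Sub plus, as its last
        # element, the segments captured from one ARN in that string.
        for arn_path in self.match_values(cfn):
            # NOTE(review): every path is reported under "Resources", including
            # matches found in Globals; confirm whether that is intended.
            path = ["Resources"] + arn_path[:-1]
            candidate = arn_path[-1]

            for option, position, accepted, message in self._SEGMENT_CHECKS:
                if self.config[option] and not accepted.match(candidate[position]):
                    matches.append(RuleMatch(path, message.format(path[1])))

        return matches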
