@@ -1239,7 +1239,6 @@ var getAttachedELBs = function(cache, source, region, resourceId, lbField, lbAt
12391239 return elbs ;
12401240} ;
12411241
1242-
12431242var checkNetworkExposure = function ( cache , source , subnets , securityGroups , elbs , region , results , resource ) {
12441243 var internetExposed = '' ;
12451244 var isSubnetPrivate = false ;
@@ -1249,41 +1248,41 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
12491248 if ( resource . functionUrlConfig && resource . functionUrlConfig . data ) {
12501249 if ( resource . functionUrlConfig . data . AuthType === 'NONE' ) {
12511250 internetExposed += 'public function URL' ;
1252- } else if ( resource . functionUrlConfig . data . AuthType === 'AWS_IAM' &&
1253- resource . functionPolicy && resource . functionPolicy . data ) {
1251+ } else if ( resource . functionUrlConfig . data . AuthType === 'AWS_IAM' &&
1252+ resource . functionPolicy && resource . functionPolicy . data ) {
12541253 let authConfig = resource . functionPolicy . data ;
12551254 if ( authConfig . Policy ) {
12561255 let statements = normalizePolicyDocument ( authConfig . Policy ) ;
1257-
1256+
12581257 if ( statements ) {
12591258 let hasDenyAll = false ;
12601259 let hasPublicAllow = false ;
12611260 let hasRestrictiveConditions = false ;
1262-
1261+
12631262 for ( let statement of statements ) {
12641263 // Check for explicit deny statements first
12651264 if ( statement . Effect === 'Deny' ) {
12661265 // Check if there's a deny for all principals
1267- if ( ( ! statement . Condition || Object . keys ( statement . Condition ) . length === 0 ) &&
1266+ if ( ( ! statement . Condition || Object . keys ( statement . Condition ) . length === 0 ) &&
12681267 globalPrincipal ( statement . Principal ) ) {
12691268 hasDenyAll = true ;
12701269 break ;
12711270 }
1272-
1271+
12731272 // Check for deny with IP restrictions
1274- if ( statement . Condition &&
1275- ( statement . Condition [ 'NotIpAddress' ] ||
1276- statement . Condition [ 'IpAddress' ] ) ) {
1273+ if ( statement . Condition &&
1274+ ( statement . Condition [ 'NotIpAddress' ] ||
1275+ statement . Condition [ 'IpAddress' ] ) ) {
12771276 hasRestrictiveConditions = true ;
12781277 }
12791278 } else if ( statement . Effect === 'Allow' ) {
12801279 // Skip if the statement doesn't include relevant Lambda actions
1281- if ( ! statement . Action ||
1282- ( ! Array . isArray ( statement . Action ) ?
1280+ if ( ! statement . Action ||
1281+ ( ! Array . isArray ( statement . Action ) ?
12831282 ! statement . Action . includes ( 'lambda:InvokeFunctionUrl' ) :
1284- ! statement . Action . some ( action =>
1285- action === '*' ||
1286- action === 'lambda:*' ||
1283+ ! statement . Action . some ( action =>
1284+ action === '*' ||
1285+ action === 'lambda:*' ||
12871286 action === 'lambda:InvokeFunctionUrl'
12881287 ) ) ) {
12891288 continue ;
@@ -1303,17 +1302,17 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
13031302 'aws:PrincipalArn' ,
13041303 'aws:SourceAccount'
13051304 ] ;
1306-
1307- const hasRestriction = restrictiveConditions . some ( condition =>
1308- Object . keys ( statement . Condition ) . some ( key =>
1305+
1306+ const hasRestriction = restrictiveConditions . some ( condition =>
1307+ Object . keys ( statement . Condition ) . some ( key =>
13091308 key . toLowerCase ( ) . includes ( condition . toLowerCase ( ) )
13101309 )
13111310 ) ;
1312-
1311+
13131312 if ( hasRestriction ) {
13141313 hasRestrictiveConditions = true ;
13151314 } else if ( statement . Condition [ 'StringEquals' ] &&
1316- statement . Condition [ 'StringEquals' ] [ 'lambda:FunctionUrlAuthType' ] === 'NONE' ) {
1315+ statement . Condition [ 'StringEquals' ] [ 'lambda:FunctionUrlAuthType' ] === 'NONE' ) {
13171316 hasPublicAllow = true ;
13181317 }
13191318 }
@@ -1323,8 +1322,8 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
13231322
13241323 // Only mark as exposed if we have a public allow and no restrictions
13251324 if ( hasPublicAllow && ! hasDenyAll && ! hasRestrictiveConditions ) {
1326- internetExposed += internetExposed . length ?
1327- ', function URL with global IAM access' :
1325+ internetExposed += internetExposed . length ?
1326+ ', function URL with global IAM access' :
13281327 'function URL with global IAM access' ;
13291328 }
13301329 }
@@ -1352,19 +1351,19 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
13521351 [ 'apigateway' , 'getIntegration' , region , api . id ] ) ;
13531352
13541353 if ( ! getIntegration || getIntegration . err || ! Object . keys ( getIntegration ) . length ) continue ;
1355-
1354+
13561355 for ( let apiResource of Object . values ( getIntegration ) ) {
13571356 // Check if any integration points to this Lambda function
13581357 let lambdaIntegrations = Object . values ( apiResource ) . filter ( integration => {
1359- return integration && integration . data && ( integration . data . type === 'AWS' || integration . data . type === 'AWS_PROXY' ) &&
1360- integration . data . uri &&
1358+ return integration && integration . data && ( integration . data . type === 'AWS' || integration . data . type === 'AWS_PROXY' ) &&
1359+ integration . data . uri &&
13611360 integration . data . uri . includes ( resource . functionArn ) ;
13621361 } ) ;
13631362
13641363 if ( lambdaIntegrations . length ) {
13651364 internetExposed += internetExposed . length ? `, API Gateway ${ api . name } ` : `API Gateway ${ api . name } ` ;
13661365 }
1367- }
1366+ }
13681367 }
13691368 }
13701369 }
@@ -1375,7 +1374,7 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
13751374 }
13761375
13771376 if ( ! resource . functionArn ) {
1378- // Scenario 1: check if resource is in a private subnet
1377+ // Scenario 1: check if resource is in a private subnet
13791378 let subnetRouteTableMap , privateSubnets ;
13801379 var describeSubnets = helpers . addSource ( cache , source ,
13811380 [ 'ec2' , 'describeSubnets' , region ] ) ;
@@ -1500,15 +1499,13 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
15001499 if ( elbs && elbs . length ) {
15011500 if ( ! describeSecurityGroups || ! describeSecurityGroups . data ) {
15021501 describeSecurityGroups = helpers . addSource ( cache , source ,
1503- [ 'ec2' , 'describeSecurityGroups' , region ] ) ;
1502+ [ 'ec2' , 'describeSecurityGroups' , region ] ) ;
15041503 }
15051504
15061505 elbs . forEach ( lb => {
15071506 let isLBPublic = false ;
15081507 if ( lb . Scheme && lb . Scheme . toLowerCase ( ) === 'internet-facing' ) {
15091508 if ( lb . SecurityGroups && lb . SecurityGroups . length ) {
1510- var describeSecurityGroups = helpers . addSource ( cache , source ,
1511- [ 'ec2' , 'describeSecurityGroups' , region ] ) ;
15121509 if ( describeSecurityGroups &&
15131510 ! describeSecurityGroups . err && describeSecurityGroups . data && describeSecurityGroups . data . length ) {
15141511 let elbSGs = describeSecurityGroups . data . filter ( sg => lb . SecurityGroups . includes ( sg . GroupId ) ) ;
@@ -1533,7 +1530,7 @@ var checkNetworkExposure = function(cache, source, subnets, securityGroups, elbs
15331530
15341531let getLambdaTargetELBs = function ( cache , source , region ) {
15351532 let lambdaELBMap = { } ;
1536-
1533+
15371534 var describeLoadBalancersv2 = helpers . addSource ( cache , source ,
15381535 [ 'elbv2' , 'describeLoadBalancers' , region ] ) ;
15391536
@@ -1545,18 +1542,18 @@ let getLambdaTargetELBs = function(cache, source, region) {
15451542 var describeTargetGroups = helpers . addSource ( cache , source ,
15461543 [ 'elbv2' , 'describeTargetGroups' , region , lb . DNSName ] ) ;
15471544
1548- if ( ! describeTargetGroups || describeTargetGroups . err || ! describeTargetGroups . data ||
1545+ if ( ! describeTargetGroups || describeTargetGroups . err || ! describeTargetGroups . data ||
15491546 ! describeTargetGroups . data . TargetGroups ) return ;
15501547
15511548 describeTargetGroups . data . TargetGroups . forEach ( tg => {
15521549 var describeTargetHealth = helpers . addSource ( cache , source ,
15531550 [ 'elbv2' , 'describeTargetHealth' , region , tg . TargetGroupArn ] ) ;
15541551
1555- if ( ! describeTargetHealth || describeTargetHealth . err || ! describeTargetHealth . data ||
1552+ if ( ! describeTargetHealth || describeTargetHealth . err || ! describeTargetHealth . data ||
15561553 ! describeTargetHealth . data . TargetHealthDescriptions ) return ;
15571554
15581555 describeTargetHealth . data . TargetHealthDescriptions . forEach ( target => {
1559- if ( target . Target && target . Target . Id &&
1556+ if ( target . Target && target . Target . Id &&
15601557 target . Target . Id . startsWith ( 'arn:aws:lambda' ) ) {
15611558 if ( ! lambdaELBMap [ target . Target . Id ] ) {
15621559 lambdaELBMap [ target . Target . Id ] = [ ] ;
@@ -1567,21 +1564,21 @@ let getLambdaTargetELBs = function(cache, source, region) {
15671564 targetGroupArn : tg . TargetGroupArn ,
15681565 targets : [ target . Target ]
15691566 } ) ;
1570-
1567+
15711568 // Check if there's an active listener for this target group
15721569 let hasListener = false ;
15731570 var describeListeners = helpers . addSource ( cache , source ,
15741571 [ 'elbv2' , 'describeListeners' , region , lb . DNSName ] ) ;
1575-
1576- if ( describeListeners && describeListeners . data &&
1572+
1573+ if ( describeListeners && describeListeners . data &&
15771574 describeListeners . data . Listeners ) {
15781575 hasListener = describeListeners . data . Listeners . some ( listener =>
15791576 listener . DefaultActions . some ( action =>
15801577 action . TargetGroupArn === tg . TargetGroupArn
15811578 )
15821579 ) ;
15831580 }
1584-
1581+
15851582 if ( hasListener ) {
15861583 lambdaELBMap [ target . Target . Id ] . push ( lb ) ;
15871584 }
0 commit comments