
@aws_handle_regions can swallow exceptions and cause get_* functions to return 0 items incorrectly #1398

Open
achantavy opened this issue Dec 6, 2024 · 1 comment
Labels
AWS (Related to cartography's AWS module), bug (Something isn't working)

Comments

@achantavy
Contributor

Bug Template

Description:

What issue is being seen? Describe what should be happening instead of the bug, for example: Cartography should not crash, the expected value isn't returned, the data schema is wrong, etc.

This is a bad one.

To Reproduce:

Steps to reproduce the behavior. Provide all data and inputs required to reproduce the issue.

  1. Create a resource policy on a dynamodb table that denies the describe-dynamodb-table action.
  2. Run the cartography sync.

Logs:

If applicable, copy and paste your console log with the failing stack trace.

**Expected behavior:**

cartography should either

  • (best effort approach) skip over the dynamodbtable that it is unable to describe, log a warning message, continue enumerating the other tables, and return the data that it was able to retrieve
  • (all or nothing strict fail approach) or it should raise an exception

Actual behavior:

cartography writes a warning message, swallows the exception, and returns 0 items in the list.

Python 3.10.12 (main, Nov  6 2024, 20:22:13) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import boto3
>>> b3session = boto3.Session(profile_name='profile')
>>> from cartography.intel.aws.dynamodb import get_dynamodb_tables
>>> tables = get_dynamodb_tables(b3session, 'us-east-1')
User: arn:aws:sts::account:assumed-role/read-only/botocore-session-1733519864 is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:account:table/sample-datastores-production-dynamo-table with an explicit deny in a resource-based policy in this region. Skipping...
>>> len(tables)
0

This is dangerous because it's very difficult to trace why the graph incorrectly returned 0 items, and this affects all functions that are decorated with @aws_handle_regions.

Please complete the following information:

  • Cartography release version or commit hash [e.g. 0.12.0 or 95e8e11]: 0.95.0
@achantavy added the labels bug (Something isn't working) and AWS (Related to cartography's AWS module) on Dec 6, 2024
@ramonpetgrave64
Collaborator

We will need to debug, but I suspect the unreturned error should be AccessDenied. I think maybe the call to describe each table needs to be moved out and done in a separate function. This way the listing function should return as normal, but each of the describe_table calls may have their own individual error.

def get_dynamodb_tables(boto3_session: boto3.session.Session, region: str) -> List[Dict]:

example:

@aws_handle_regions
def list_dynamodb_tables(…)
    …

@aws_handle_regions
def describe_dynamodb_tables(table_names, .)
    …

tables_names = list_dynamodb_tables(…)
tables = describe_dynamodb_tables(table_names, .)

btw this might be a good candidate for concurrency.

to_synchronous(*[async_get_images(repo) for repo in repositories])
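An added example, not cartography's code, contrasting the failure mode described in the issue body (one denied DescribeTable empties the whole result) with the list/describe split proposed in the comment above. The `swallow_errors` decorator is a simplified stand-in for `@aws_handle_regions`, and `FakeDynamoClient`, `AccessDenied` and `TABLES` are constructed for the example rather than taken from boto3 or cartography.

```python
import functools
import logging
from typing import Callable, Dict, List

logger = logging.getLogger(__name__)

class AccessDenied(Exception):
    """Stand-in for the AccessDeniedException boto3 raises (constructed for this example)."""

# Constructed sample account: "denied-table" has a resource policy denying DescribeTable.
TABLES = {"orders": {"ItemCount": 10}, "users": {"ItemCount": 3}, "denied-table": None}

class FakeDynamoClient:  # stand-in for a boto3 DynamoDB client, not real boto3
    def list_tables(self) -> List[str]:
        return sorted(TABLES)

    def describe_table(self, name: str) -> Dict:
        if TABLES[name] is None:
            raise AccessDenied(f"not authorized to perform: dynamodb:DescribeTable on {name}")
        return {"TableName": name, **TABLES[name]}

def swallow_errors(func: Callable[..., List[Dict]]) -> Callable[..., List[Dict]]:
    """Simplified model of the reported decorator behaviour: an exception anywhere
    in the decorated function is logged as a warning and [] is returned."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs) -> List[Dict]:
        try:
            return func(*args, **kwargs)
        except AccessDenied as exc:
            logger.warning("%s. Skipping...", exc)
            return []
    return wrapper

@swallow_errors
def get_tables_buggy(client: FakeDynamoClient) -> List[Dict]:
    # One decorated call both lists and describes: a single denied table empties the result.
    return [client.describe_table(n) for n in client.list_tables()]

def get_tables_best_effort(client: FakeDynamoClient) -> List[Dict]:
    # Describe each table separately and skip only the denied one, so partial data
    # survives and an empty result really means "no tables".
    out: List[Dict] = []
    for name in client.list_tables():
        try:
            out.append(client.describe_table(name))
        except AccessDenied as exc:
            logger.warning("%s. Skipping table %s", exc, name)
    return out
```

With the same fake account, `get_tables_buggy` returns `[]` while `get_tables_best_effort` returns the two describable tables, which is the difference the issue asks for.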
