prowler-cloud · pedrooot · Jan 30, 2025
@@ -40,7 +40,7 @@ def execute(self):
                 if detect_secrets_output:
                     secrets_string = ", ".join(
                         [
-                            f"{secret['type']} in variable {original_env_vars[secret['hashed_secret']]}"
+                            f"{secret['type']} in variable {original_env_vars.get(secret['hashed_secret'], 'UNKNOWN')}"
                             for secret in detect_secrets_output
                         ]
                     )

@@ -47,7 +47,7 @@ def execute(self):
                     if detect_secrets_output:
                         secrets_string = ", ".join(
                             [
-                                f"{secret['type']} on the environment variable {original_env_vars[secret['hashed_secret']]}"
+                                f"{secret['type']} on the environment variable {original_env_vars.get(secret['hashed_secret'], 'UNKNOWN')}"
                                 for secret in detect_secrets_output
                             ]
                         )

@@ -121,6 +121,51 @@ def test_function_secrets_in_variables(self):
             )
             assert result[0].resource_tags == []
 
+    def test_function_secrets_in_variables_unknown(self):
+        lambda_client = mock.MagicMock
+        function_name = "test-lambda"
+        function_runtime = "nodejs4.3"
+        function_arn = f"arn:aws:lambda:{AWS_REGION_US_EAST_1}:{AWS_ACCOUNT_NUMBER}:function/{function_name}"
+
+        lambda_client.audit_config = {"secrets_ignore_patterns": []}
+
+        lambda_client.functions = {
+            "function_name": Function(
+                name=function_name,
+                security_groups=[],
+                arn=function_arn,
+                region=AWS_REGION_US_EAST_1,
+                runtime=function_runtime,
+                environment={"db_password": "password¿€œ"},
+            )
+        }
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=set_mocked_aws_provider(),
+        ), mock.patch(
+            "prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_variables.awslambda_function_no_secrets_in_variables.awslambda_client",
+            new=lambda_client,
+        ):
+            # Test Check
+            from prowler.providers.aws.services.awslambda.awslambda_function_no_secrets_in_variables.awslambda_function_no_secrets_in_variables import (
+                awslambda_function_no_secrets_in_variables,
+            )
+
+            check = awslambda_function_no_secrets_in_variables()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == AWS_REGION_US_EAST_1
+            assert result[0].resource_id == function_name
+            assert result[0].resource_arn == function_arn
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Potential secret found in Lambda function {function_name} variables -> Secret Keyword in variable UNKNOWN."
+            )
+            assert result[0].resource_tags == []
+
     def test_function_secrets_in_variables_telegram_token(self):
         lambda_client = mock.MagicMock
         function_name = "test-lambda"

@@ -138,3 +138,55 @@ def test_container_env_var_with_secrets(self):
             assert result[0].resource_arn == task_arn
             assert result[0].region == AWS_REGION_US_EAST_1
             assert result[0].resource_tags == []
+
+    @mock_aws
+    def test_container_env_var_with_secrets_none_value(self):
+        ecs_client = client("ecs", region_name=AWS_REGION_US_EAST_1)
+
+        task_arn = ecs_client.register_task_definition(
+            family=TASK_NAME,
+            containerDefinitions=[
+                {
+                    "name": CONTAINER_NAME,
+                    "image": "ubuntu",
+                    "memory": 128,
+                    "readonlyRootFilesystem": True,
+                    "privileged": False,
+                    "user": "appuser",
+                    "environment": [
+                        {
+                            "name": ENV_VAR_NAME_WITH_SECRETS,
+                            "value": "password¿€œ",
+                        }
+                    ],
+                }
+            ],
+        )["taskDefinition"]["taskDefinitionArn"]
+
+        from prowler.providers.aws.services.ecs.ecs_service import ECS
+
+        mocked_aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+
+        with patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=mocked_aws_provider,
+        ), patch(
+            "prowler.providers.aws.services.ecs.ecs_task_definitions_no_environment_secrets.ecs_task_definitions_no_environment_secrets.ecs_client",
+            new=ECS(mocked_aws_provider),
+        ):
+            from prowler.providers.aws.services.ecs.ecs_task_definitions_no_environment_secrets.ecs_task_definitions_no_environment_secrets import (
+                ecs_task_definitions_no_environment_secrets,
+            )
+
+            check = ecs_task_definitions_no_environment_secrets()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Potential secrets found in ECS task definition {TASK_NAME} with revision {TASK_REVISION}: Secrets in container test-container -> Secret Keyword on the environment variable UNKNOWN."
+            )
+            assert result[0].resource_id == f"{TASK_NAME}:{TASK_REVISION}"
+            assert result[0].resource_arn == task_arn
+            assert result[0].region == AWS_REGION_US_EAST_1
+            assert result[0].resource_tags == []