fix(route53): resolve false positive in dangling IP check (#9952)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
2026-03-21 18:58:04 +00:00 · 2026-03-17 16:32:48 +05:30
parent 451071d694
commit df680ef277
4 changed files with 130 additions and 13 deletions
--- a/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
+++ b/tests/providers/aws/services/route53/route53_dangling_ip_subdomain_takeover/route53_dangling_ip_subdomain_takeover_test.py
@@ -3,7 +3,11 @@ from unittest import mock
 from boto3 import client, resource
 from moto import mock_aws

-from tests.providers.aws.utils import AWS_REGION_US_EAST_1, set_mocked_aws_provider
+from tests.providers.aws.utils import (
+    AWS_REGION_US_EAST_1,
+    AWS_REGION_US_WEST_2,
+    set_mocked_aws_provider,
+)

 HOSTED_ZONE_NAME = "testdns.aws.com."

@@ -309,7 +313,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
        from prowler.providers.aws.services.ec2.ec2_service import EC2
        from prowler.providers.aws.services.route53.route53_service import Route53

-        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+        aws_provider = set_mocked_aws_provider(
+            [AWS_REGION_US_EAST_1],
+            expected_checks=["route53_dangling_ip_subdomain_takeover"],
+        )

        with mock.patch(
            "prowler.providers.common.provider.Provider.get_global_provider",
@@ -387,7 +394,10 @@ class Test_route53_dangling_ip_subdomain_takeover:
        from prowler.providers.aws.services.ec2.ec2_service import EC2
        from prowler.providers.aws.services.route53.route53_service import Route53

-        aws_provider = set_mocked_aws_provider([AWS_REGION_US_EAST_1])
+        aws_provider = set_mocked_aws_provider(
+            [AWS_REGION_US_EAST_1],
+            expected_checks=["route53_dangling_ip_subdomain_takeover"],
+        )

        with mock.patch(
            "prowler.providers.common.provider.Provider.get_global_provider",
@@ -426,3 +436,69 @@ class Test_route53_dangling_ip_subdomain_takeover:
                        result[0].resource_arn
                        == f"arn:{aws_provider.identity.partition}:route53:::hostedzone/{zone_id.replace('/hostedzone/', '')}"
                    )
+
+    @mock_aws
+    def test_hosted_zone_eip_cross_region(self):
+        """EIP in us-west-2 referenced by Route53 A record should PASS even when auditing us-east-1 only."""
+        conn = client("route53", region_name=AWS_REGION_US_EAST_1)
+        ec2_west = client("ec2", region_name=AWS_REGION_US_WEST_2)
+
+        address = "17.5.7.3"
+        ec2_west.allocate_address(Domain="vpc", Address=address)
+
+        zone_id = conn.create_hosted_zone(
+            Name=HOSTED_ZONE_NAME, CallerReference=str(hash("foo"))
+        )["HostedZone"]["Id"]
+
+        record_set_name = "foo.bar.testdns.aws.com."
+        record_ip = address
+        conn.change_resource_record_sets(
+            HostedZoneId=zone_id,
+            ChangeBatch={
+                "Changes": [
+                    {
+                        "Action": "CREATE",
+                        "ResourceRecordSet": {
+                            "Name": record_set_name,
+                            "Type": "A",
+                            "ResourceRecords": [{"Value": record_ip}],
+                        },
+                    }
+                ]
+            },
+        )
+        from prowler.providers.aws.services.ec2.ec2_service import EC2
+        from prowler.providers.aws.services.route53.route53_service import Route53
+
+        # Audit only us-east-1 but enable both regions so Route53 finds the cross-region EIP
+        aws_provider = set_mocked_aws_provider(
+            audited_regions=[AWS_REGION_US_EAST_1],
+            enabled_regions={AWS_REGION_US_EAST_1, AWS_REGION_US_WEST_2},
+            expected_checks=["route53_dangling_ip_subdomain_takeover"],
+        )
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ):
+            with mock.patch(
+                "prowler.providers.aws.services.route53.route53_dangling_ip_subdomain_takeover.route53_dangling_ip_subdomain_takeover.route53_client",
+                new=Route53(aws_provider),
+            ):
+                with mock.patch(
+                    "prowler.providers.aws.services.route53.route53_dangling_ip_subdomain_takeover.route53_dangling_ip_subdomain_takeover.ec2_client",
+                    new=EC2(aws_provider),
+                ):
+                    from prowler.providers.aws.services.route53.route53_dangling_ip_subdomain_takeover.route53_dangling_ip_subdomain_takeover import (
+                        route53_dangling_ip_subdomain_takeover,
+                    )
+
+                    check = route53_dangling_ip_subdomain_takeover()
+                    result = check.execute()
+
+                    assert len(result) == 1
+                    assert result[0].status == "PASS"
+                    assert (
+                        result[0].status_extended
+                        == f"Route53 record {record_ip} (name: {record_set_name}) in Hosted Zone {HOSTED_ZONE_NAME} is not a dangling IP."
+                    )