The principalmapper/querying/presetsprivesc.py can_privesc() method only returns one edge_list (the first one that it finds). This makes sense if only checking if privileges can be escalated. However, it is also called in principalmapper/analysis/find_risks.py and principalmapper/visualizing/graphviz_writer.py to get privilege escalation findings. As it is now, if one role can escalate to five other roles, only the first is returned; the other four are not reported as findings. Is this intentional?
The fix is relatively simple. Add a new method as below and make minor changes to the calling code to handle the extra returned findings:
```python
def get_privesc(graph: Graph, node: Node) -> (bool, List[List[Edge]]):
    """Method for determining if a given Node in a Graph can escalate privileges.

    Returns a bool, List[List[Edge]] tuple. The bool indicates if there is a privesc risk, and each List[Edge]
    in the second component describes a path of edges the node would have to take to gain access to an admin node.
    """
    edge_lists = get_search_list(graph, node)
    searched_nodes = []
    found_edge_lists = []
    for edge_list in edge_lists:
        # check if the node at the end of the list has been looked at yet, skip if so
        end_of_list = edge_list[-1].destination
        if end_of_list in searched_nodes:
            continue
        # add end of list to the searched nodes and do the privesc check
        searched_nodes.append(end_of_list)
        if end_of_list.is_admin:
            found_edge_lists.append(edge_list)
    if len(found_edge_lists) > 0:
        return True, found_edge_lists
    return False, None
```
Did the Wiki Have an Answer?
If https://github.com/nccgroup/PMapper/wiki does not have an answer, please suggest where to put one.