in src/rules/s3/S3BucketSSLRequestsOnly.ts [133:177]
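/**
 * Decides whether a policy statement's `Resource` list covers both the bucket
 * itself and the objects inside it.
 *
 * Each entry is resolved through the owning stack, serialised with
 * `JSON.stringify`, and searched for the bucket's logical ID or, when known,
 * its name.
 *
 * - Bucket-level entry: mentions the identifier and contains no `/`.
 * - Objects-level entry: mentions the identifier followed by `/*` and contains
 *   only one `/`.
 *
 * Identifiers are escaped before being placed in the patterns. Without that,
 * a `.` in a bucket name would act as a regex wildcard, and a statement
 * written for a different bucket could be accepted as covering this one.
 *
 * @param node - Bucket policy construct; used only to find the stack that resolves tokens.
 * @param bucketLogicalId - Logical ID of the bucket being checked.
 * @param bucketName - Bucket name, or `undefined` when it is not known.
 * @param resources - The statement's `Resource` value; anything that is not an array fails the check.
 * @returns `true` only when both a bucket-level and an objects-level entry were found.
 */
function checkMatchingResources(
  node: CfnBucketPolicy,
  bucketLogicalId: string,
  bucketName: string | undefined,
  resources: any
): boolean {
  if (!Array.isArray(resources)) {
    return false;
  }

  // Treat identifiers as literal text, never as pattern syntax.
  const escapeForRegExp = (literal: string): string =>
    literal.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

  const identifiers: string[] = [bucketLogicalId];
  if (bucketName !== undefined) {
    identifiers.push(bucketName);
  }
  const escapedIdentifiers = identifiers.map(escapeForRegExp);

  // The trailing negative lookahead stops "bucket" from matching "bucket-2" or
  // "bucket_x".
  // NOTE(review): there is no matching guard in front of the identifier, so an
  // identifier that is a suffix of a longer name still matches. Confirm
  // whether that is acceptable for this rule.
  const fullBucketResourceRegex = new RegExp(
    escapedIdentifiers.map((id) => `(${id}(?![\\w\\-]))`).join('|')
  );
  const fullBucketObjectsRegex = new RegExp(
    escapedIdentifiers.map((id) => `(${id}(?![\\w\\-]).*\\/\\*)`).join('|')
  );

  let matchedBucketResource = false;
  let matchedObjectsResource = false;
  for (const resource of resources) {
    const resolvedResourceString = JSON.stringify(
      Stack.of(node).resolve(resource)
    );
    if (
      !matchedBucketResource &&
      fullBucketResourceRegex.test(resolvedResourceString) &&
      !resolvedResourceString.includes('/')
    ) {
      // Bucket-level entry: identifier present, no path component at all.
      matchedBucketResource = true;
    } else if (
      !matchedObjectsResource &&
      fullBucketObjectsRegex.test(resolvedResourceString) &&
      resolvedResourceString.indexOf('/') ===
        resolvedResourceString.lastIndexOf('/')
    ) {
      // Objects-level entry: the first and last '/' are the same character,
      // so a key prefix such as "/logs/*" is rejected.
      matchedObjectsResource = true;
    }
    if (matchedBucketResource && matchedObjectsResource) {
      return true;
    }
  }
  return false;
}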