nccgroup / PMapper

A tool for quickly evaluating IAM permissions in AWS.
GNU Affero General Public License v3.0

It seems like the --scps CLI flag does not have any effect (always set to true) #93

Closed sethsec-bf closed 2 years ago

sethsec-bf commented 2 years ago

Describe the bug

If pmapper loads the org data, and the org includes SCPs, I get the same output with the query preset privesc * regardless of whether I use the --scps flag or not.

To Reproduce

  1. There is 1 SCP, in the playground account, attached to the dev account. Let's say, for example, the SCP denies iam:passrole.
  2. Using playground creds, run pmapper orgs create
  3. Using dev creds, run pmapper graph create --include-region us-east-1
  4. Using dev creds, run pmapper orgs update --org ID
  5. Using dev creds, run pmapper query --scps 'preset privesc *'
  6. All looks good
  7. Using dev creds, run pmapper query 'preset privesc *'
  8. Same exact output as step 5, which was unexpected.

Expected behavior

I would expect step 7 to ignore the SCPs applied to the dev account. Not that I can think of a reason I would ever need that output, but based on the existence of the --scps flag, that's what I would expect.

ncc-erik-steringer commented 2 years ago

The --scps flag has no effect on this preset query. Instead of authorization checks, it's doing breadth-first searches of the Graph starting at each Node. However, that is a good reminder that another preset query called endgame should allow users to include SCPs and I'll need to fix that.

I think https://github.com/nccgroup/PMapper/issues/94 is the root cause of the unexpected behavior here. The edges and admins are defined when the Graph is created, so any mistakes there will be reflected in the privesc query, which is why you're getting the unexpected output.
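
Added example (not part of the thread and not PMapper's own code): a simplified Python model of the behaviour described in the comment above, where a privesc-style search only walks edges and admin flags fixed at graph creation, so a query-time SCP switch cannot change its output. All names, the edge rule, and the sample account data are constructed assumptions.

```python
from collections import deque

# Constructed toy account: principal -> actions its identity policies allow.
ALLOWED = {
    "user/dev": {"iam:PassRole", "ec2:RunInstances"},
    "role/admin": {"*"},
}
SCP_DENIES = frozenset({"iam:PassRole"})  # constructed SCP on the account


def authorized(principal, action, scp_denies=frozenset()):
    """Authorization check: an SCP deny overrides any identity-policy allow."""
    if action in scp_denies:
        return False
    return "*" in ALLOWED[principal] or action in ALLOWED[principal]


def build_graph(scp_denies=frozenset()):
    """Graph creation: admin flags and edges are computed once, here."""
    admins = {p for p, acts in ALLOWED.items() if "*" in acts}
    edges = {p: [] for p in ALLOWED}
    # Hypothetical edge rule for this model: passing a role to a new EC2
    # instance gives the caller an edge to that role.
    needed = ("iam:PassRole", "ec2:RunInstances")
    for p in ALLOWED:
        if p not in admins and all(authorized(p, a, scp_denies) for a in needed):
            edges[p].append("role/admin")
    return admins, edges


def privesc(graph, include_scps=False):
    """BFS from each non-admin node to the nearest admin node.
    include_scps is accepted but never read: no authorization check runs."""
    admins, edges = graph
    found = {}
    for start in edges:
        if start in admins:
            continue
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            if path[-1] in admins:
                found[start] = path
                break
            for nxt in edges[path[-1]]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return found
```

In this model the only way an SCP changes the search result is by changing which edges exist when the graph is built, which is why a mistake at graph creation shows up in every later privesc query.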

ncc-erik-steringer commented 2 years ago

v1.1.4 is out, closing.