fix: remove expansion bitmap check from segment filter in traversal

SpecterOps · Feb 6, 2024 · 33de16e · 33de16e
1 parent 3fe73a9
commit 33de16e
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 15 deletions.
diff --git a/cmd/api/src/test/integration/harnesses.go b/cmd/api/src/test/integration/harnesses.go
@@ -349,7 +349,7 @@ type InboundControlHarness struct {
 
 func (s *InboundControlHarness) Setup(testCtx *GraphTestContext) {
 	s.ControlledUser = testCtx.NewActiveDirectoryUser("ControlledUser", testCtx.Harness.RootADHarness.ActiveDirectoryDomainSID)
-	s.ControlledGroup = testCtx.NewActiveDirectoryUser("ControlledGroup", testCtx.Harness.RootADHarness.ActiveDirectoryDomainSID)
+	s.ControlledGroup = testCtx.NewActiveDirectoryGroup("ControlledGroup", testCtx.Harness.RootADHarness.ActiveDirectoryDomainSID)
 	s.GroupA = testCtx.NewActiveDirectoryGroup("GroupA", testCtx.Harness.RootADHarness.ActiveDirectoryDomainSID)
 	s.GroupB = testCtx.NewActiveDirectoryGroup("GroupB", testCtx.Harness.RootADHarness.ActiveDirectoryDomainSID)
 	s.GroupC = testCtx.NewActiveDirectoryGroup("GroupC", testCtx.Harness.RootADHarness.ActiveDirectoryDomainSID)
@@ -365,6 +365,7 @@ func (s *InboundControlHarness) Setup(testCtx *GraphTestContext) {
 
 	testCtx.NewRelationship(s.GroupA, s.GroupB, ad.MemberOf)
 	testCtx.NewRelationship(s.UserA, s.GroupB, ad.MemberOf)
+	testCtx.NewRelationship(s.UserG, s.ControlledGroup, ad.MemberOf)
 	testCtx.NewRelationship(s.UserG, s.GroupC, ad.MemberOf)
 	testCtx.NewRelationship(s.UserH, s.GroupD, ad.MemberOf)
 

diff --git a/packages/go/dawgs/traversal/traversal.go b/packages/go/dawgs/traversal/traversal.go
@@ -484,16 +484,14 @@ func UniquePathSegmentFilter(delegate SegmentFilter) SegmentFilter {
 // AcyclicNodeFilter is a SegmentFilter constructor that will allow traversal to a node only once. It will ignore all
 // but the first inbound or outbound edge that traverses to it.
 func AcyclicNodeFilter(filter SegmentFilter) SegmentFilter {
-	traversalBitmap := cardinality.ThreadSafeDuplex(cardinality.NewBitmap32())
-
 	return func(next *graph.PathSegment) bool {
 		// Bail on counting ourselves
 		if next.IsCycle() {
 			return false
 		}
 
 		// Descend only if we've never seen this node before.
-		return filter(next) && traversalBitmap.CheckedAdd(next.Node.ID.Uint32())
+		return filter(next)
 	}
 }
 

diff --git a/packages/go/dawgs/traversal/traversal_test.go b/packages/go/dawgs/traversal/traversal_test.go
@@ -1,26 +1,26 @@
 // Copyright 2023 Specter Ops, Inc.
-// 
+//
 // Licensed under the Apache License, Version 2.0
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
-// 
+//
 //     http://www.apache.org/licenses/LICENSE-2.0
-// 
+//
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-// 
+//
 // SPDX-License-Identifier: Apache-2.0
 
 package traversal
 
 import (
 	"testing"
 
-	"github.com/stretchr/testify/require"
 	"github.com/specterops/bloodhound/dawgs/graph"
+	"github.com/stretchr/testify/require"
 )
 
 var (
@@ -56,12 +56,6 @@ func TestAcyclicSegmentVisitor(t *testing.T) {
 		return true
 	})
 
-	// Visiting the segment for the first time should pass
-	require.True(t, visitor(node1Node3Segment))
-
-	// Do not allow retraversal to the same node
-	require.False(t, visitor(node2Node3Segment))
-
 	// Disallow cycles
 	require.False(t, visitor(cycleSegment))
 }