CR

Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>

Author: shirady

src/endpoint/iam/iam_utils.js

@@ -677,17 +677,23 @@ function _validate_json_policy_document(input_policy_document) {
 
 /**
  * The function will validate the policy document basic structure
- * (currently - only that we don't have Principal NotPrincipal)
+ * (currently - only that we don't have Principal NotPrincipal in every Statement)
  * @param {object} policy_document
  */
 
  function _validate_policy_document_iam_structure(policy_document) {
+    // as we check this before the schema check - here we ensure that we have the Statement as array and it is iterable
+     if (!policy_document.Statement || !Array.isArray(policy_document.Statement)) {
+         const { code, http_code, type } = IamError.MalformedPolicyDocument;
+         const message_with_details = 'Syntax errors in policy.';
+         throw new IamError({ code, message: message_with_details, http_code, type });
+     }
      for (const statement of policy_document.Statement) {
          const statement_principal = statement.Principal || statement.NotPrincipal;
          if (statement_principal) {
-            const { code, http_code, type } = IamError.MalformedPolicyDocument;
-            const message_with_details = 'Policy document should not specify a principal.';
-            throw new IamError({ code, message: message_with_details, http_code, type });
+             const { code, http_code, type } = IamError.MalformedPolicyDocument;
+             const message_with_details = 'Policy document should not specify a principal.';
+             throw new IamError({ code, message: message_with_details, http_code, type });
          }
      }
  }