Netflix / security_monkey

Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
Apache License 2.0

AttributeError exception during find_changes execution - str has no attribute code #986

Open fcano opened 6 years ago

fcano commented 6 years ago

Description of issue:

I execute monkey find_changes and after retrieving at least some information it throws this exception:

2018-03-08 11:11:18,988 DEBUG: Adding issue: gcsbucket/EUROPE-WEST1/username/bucketname
    OWNERS max exceeded in bucket ACL. -- None [in /usr/local/src/security_monkey/security_monkey/auditor.py:636]
Traceback (most recent call last):
  File "/usr/local/src/security_monkey/venv/bin/monkey", line 11, in <module>
    load_entry_point('security-monkey', 'console_scripts', 'monkey')()
  File "/usr/local/src/security_monkey/security_monkey/manage.py", line 786, in main
    manager.run()
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 397, in run
    result = self.handle(sys.argv[0], sys.argv[1:])
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/__init__.py", line 376, in handle
    return handle(app, *positional_args, **kwargs)
  File "/usr/local/src/security_monkey/venv/lib/python2.7/site-packages/Flask_Script-0.6.3-py2.7.egg/flask_script/commands.py", line 145, in handle
    return self.run(*args, **kwargs)
  File "/usr/local/src/security_monkey/security_monkey/manage.py", line 91, in find_changes
    manual_run_change_finder(account_names, monitor_names)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 183, in manual_run_change_finder
    find_changes(account, tech)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 216, in find_changes
    audit_changes([account_name], [monitor_name], False, debug)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 240, in audit_changes
    _audit_changes(account, monitor.auditors, send_report, debug)
  File "/usr/local/src/security_monkey/security_monkey/task_scheduler/tasks.py", line 292, in _audit_changes
    au.audit_objects()
  File "/usr/local/src/security_monkey/security_monkey/auditor.py", line 673, in audit_objects
    method(item)
  File "/usr/local/src/security_monkey/security_monkey/auditors/gcp/gcs/bucket.py", line 165, in check_default_object_acl
    process_issues(self, ok, errors, item)
  File "/usr/local/src/security_monkey/security_monkey/auditors/gcp/util.py", line 43, in process_issues
    sev = auditor.gcp_config.ISSUE_MAP[issue.code]['score']
AttributeError: 'str' object has no attribute 'code'

mikegrima commented 6 years ago

I'm wondering if this is the issue: https://github.com/Netflix/security_monkey/blob/d1a13649f74c03f466a1097aa725ac5ac028a00e/security_monkey/auditors/gcp/gcs/bucket.py#L134

That returns a list with a string. So it's assuming the string is an object and failing when it gets to: https://github.com/Netflix/security_monkey/blob/d1a13649f74c03f466a1097aa725ac5ac028a00e/security_monkey/auditors/gcp/util.py#L43

mikegrima commented 6 years ago

The solution is probably doing something like this: https://github.com/Netflix/security_monkey/blob/d1a13649f74c03f466a1097aa725ac5ac028a00e/security_monkey/auditors/gcp/gcs/bucket.py#L91-L92
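
The mismatch discussed in the comments above, as an added example that is not part of the original thread and is not Security Monkey's code: a check that returns plain strings in its error list crashes a processor that looks up `issue.code`, which ends the audit run before later items are examined. `AuditIssue`, `ISSUE_MAP`, the issue codes, scores and all function names are hypothetical stand-ins constructed for illustration.

```python
from collections import namedtuple

# Hypothetical structured issue type; constructed for this example.
AuditIssue = namedtuple("AuditIssue", ["code", "notes"])

# Hypothetical code -> score table; the codes and scores are made up.
ISSUE_MAP = {
    "ACL_OWNERS_MAX": {"score": 10},
    "UNCLASSIFIED": {"score": 1},
}


def check_returning_strings():
    """A check that reports its finding as a bare string (the failing shape)."""
    return False, ["OWNERS max exceeded in bucket ACL."]


def check_returning_issues():
    """The same finding reported as a structured issue object."""
    return False, [AuditIssue("ACL_OWNERS_MAX", None)]


def process_issues_strict(errors):
    """Assumes every element exposes .code; a str raises AttributeError."""
    return [(e.code, ISSUE_MAP[e.code]["score"], e.notes) for e in errors]


def normalize(error):
    """Coerce a finding into AuditIssue so one bad check cannot stop the run."""
    if isinstance(error, AuditIssue):
        return error
    if isinstance(error, str):
        # Keep the text as notes and record it under a low-score catch-all code.
        return AuditIssue("UNCLASSIFIED", error)
    raise TypeError("unsupported issue type: %r" % type(error))


def process_issues_tolerant(errors):
    """Same lookup as the strict version, applied after normalization."""
    return process_issues_strict([normalize(e) for e in errors])


if __name__ == "__main__":
    _, errs = check_returning_strings()
    try:
        process_issues_strict(errs)
    except AttributeError as exc:
        print("strict processor failed:", exc)
    print("tolerant processor:", process_issues_tolerant(errs))
```
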