nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool
GNU General Public License v2.0

GCP Public access buckets are never flagged #1596

Open fgimenezm opened 10 months ago

fgimenezm commented 10 months ago

When scanning a GCP Project with a bucket with public access enabled (AllUsers), the current ScoutSuite logic will never flag it.

The current ScoutSuite logic is as follows:

    "conditions": [
        "and",
        ["or",
            [
                "cloudstorage.projects.id.buckets.id.member_bindings",
                "withKey",
                "_ARG_0_"
            ],
            [
                "cloudstorage.projects.id.buckets.id.acls",
                "containString",
                "_ARG_0_"
            ]
        ],
        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "enforced"
        ],
        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "inherited"
        ]
    ],

but according to Google documentation about public access prevention, the bucket state can only be set to enforced or inherited, so one of these will always be false:

        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "enforced"
        ],
        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "inherited"
        ]

making the whole condition always false.

Credits to @martinpestoni who found the issue.
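To make the logic error concrete, here is a small stand-in evaluator for ScoutSuite-style condition lists (added example, not ScoutSuite's own rule engine). It resolves each dotted path by its last component against a single constructed bucket, a simplification of how ScoutSuite walks its resource tree, and shows that the rule above never fires for a bucket granting `allUsers`, whichever of the two valid `public_access_prevention` values the bucket has. The `FIXED_CONDITIONS` variant simply drops the `notEqual inherited` clause; that is an assumed correction for illustration, not necessarily what PR #1597 does.

```python
# Added example: minimal evaluator for ScoutSuite-style ["and"/"or", ...] conditions.
# Not ScoutSuite code; path resolution is simplified to the last dotted component.

# Constructed sample bucket: allUsers granted via an IAM binding, PAP inherited.
PUBLIC_BUCKET = {
    "member_bindings": {"allUsers": ["roles/storage.objectViewer"]},
    "acls": "user-owner@example.com:OWNER",
    "public_access_prevention": "inherited",
}

# The condition list quoted in the issue.
BUGGY_CONDITIONS = [
    "and",
    ["or",
        ["cloudstorage.projects.id.buckets.id.member_bindings", "withKey", "_ARG_0_"],
        ["cloudstorage.projects.id.buckets.id.acls", "containString", "_ARG_0_"]],
    ["cloudstorage.projects.id.buckets.id.public_access_prevention", "notEqual", "enforced"],
    ["cloudstorage.projects.id.buckets.id.public_access_prevention", "notEqual", "inherited"],
]

# Assumed correction: only "enforced" blocks public access, so the "inherited"
# clause is dropped. This is an illustration, not the contents of PR #1597.
FIXED_CONDITIONS = BUGGY_CONDITIONS[:3]


def _leaf(bucket, path, op, value):
    """Evaluate one [path, operator, value] leaf against the bucket dict."""
    actual = bucket.get(path.rsplit(".", 1)[-1])  # simplified path lookup
    if op == "withKey":
        return isinstance(actual, dict) and value in actual
    if op == "containString":
        return isinstance(actual, str) and value in actual
    if op == "notEqual":
        return actual != value
    raise ValueError(f"unsupported operator {op!r}")


def evaluate(bucket, conditions, args):
    """Recursively evaluate ["and"|"or", cond, ...]; leaves are [path, op, value]."""
    if conditions[0] in ("and", "or"):
        results = [evaluate(bucket, c, args) for c in conditions[1:]]
        return all(results) if conditions[0] == "and" else any(results)
    path, op, value = conditions
    if value.startswith("_ARG_") and value.endswith("_"):
        value = args[int(value[5:-1])]  # substitute rule argument, e.g. _ARG_0_
    return _leaf(bucket, path, op, value)


def flagged_by(conditions, pap):
    """Would the rule flag the sample public bucket with the given PAP state?"""
    bucket = dict(PUBLIC_BUCKET, public_access_prevention=pap)
    return evaluate(bucket, conditions, ["allUsers"])
```

Running `flagged_by(BUGGY_CONDITIONS, pap)` returns False for both "enforced" and "inherited", while the fixed variant flags the bucket exactly when prevention is not enforced.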

x4v13r64 commented 10 months ago

https://github.com/nccgroup/ScoutSuite/pull/1597 fixes this bug