trendmicro / cloudone-filestorage-plugins

Trend Micro Cloud One File Storage Security plugins reference code.
https://cloudone.trendmicro.com
Apache License 2.0

S3 Object is promoted without actual scanning happening (invalid license status) #44

Closed marinpurgar closed 3 years ago

marinpurgar commented 3 years ago

post-scan-actions/aws-python-promote-or-quarantine

Describe the bug

In the case where the license is invalid (or expired?), the S3 object is promoted to the Promoted S3 Bucket anyway. This is a potential threat situation, since an S3 object with a possible malware payload is promoted into the Promoted S3 Bucket and propagated into the secure system.

To reproduce

  1. Create the Scanning and Storage Stacks.
  2. Create the Promote or Quarantine Post Scan Action Stack.
  3. Do not deploy the Scanning and Storage Stacks in the Trend Micro File Storage Security Console. (Do not register the <Scanner|Storage>StackManagementRoleARN management roles).
  4. Create the Object in the Input S3 Bucket.
  5. Object is promoted to the S3 Promoted Bucket without being scanned.

Expected behavior

The S3 object stays in the Input S3 Bucket and the Promote or Quarantine Lambda throws an exception.

When scanner_status == -1 in the SQS message payload, the S3 object shouldn't be promoted.

Additional context

The SNS Message Payload sent to the ScanResultTopic:

{
    "timestamp": 1617859212.364275,
    "sqs_message_id": "380227ed-148a-46a1-8f7c-42bd0f67176c",
    "file_url": "https://input-bucket-s3.eu-central-1.amazonaws.com/potentialiy_infected_file.zip",
    "scanner_status": -1,
    "scanner_status_message": "invalid license status",
    "scanning_result": {
        "TotalBytesOfFile": 0,
        "Findings": [],
        "Error": "failed to verify license: failed to verify jwt: jwt is invalid: invalid token supplied"
    }
}
carpusherw commented 3 years ago

Hi @marinpurgar, thanks for reporting this. This is indeed a bug. In terms of expected behavior, I suppose you not only care about license errors, right? How about we throw an error when scanner_status != 0? Would that better suit your needs?

marinpurgar commented 3 years ago

Yes. Throwing an exception on scanner_status != 0 would be the proper expected behavior. I have just documented the observed behavior with the "invalid license status".

carpusherw commented 3 years ago

Hi @marinpurgar, I figured it's better not to throw an exception but only print some meaningful logs. Please see the details in the PR ☝️. Let me know if that's not addressing your need.

marinpurgar commented 3 years ago

LGTM, approved.
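The following is an added example, not code from this repository or from Trend Micro, of the decision logic this thread converges on: a post-scan action that consults only the findings list promotes an unscanned file (the bug reported above), while a fail-closed version treats any scanner_status other than 0 as "not scanned", logs a meaningful message and leaves the object in the input bucket instead of raising (the behavior agreed in the last two comments). The names decide, decide_naive, Decision and lambda_handler are hypothetical; the sample SNS event is constructed inline from the payload posted in the report plus two made-up status-0 results (the Findings entry shape and the status-0 status message are invented), and the S3 copy/delete that a real post-scan action performs is omitted so the block runs offline.

```python
import json
import logging
from dataclasses import dataclass

logger = logging.getLogger("promote_or_quarantine")
logging.basicConfig(level=logging.INFO)

# Assumption for this example: 0 means the scanner actually ran. The thread
# shows -1 for "invalid license status"; any non-zero (or missing) value is
# treated here as "file was not scanned".
SCAN_OK = 0


@dataclass(frozen=True)
class Decision:
    action: str  # "promote", "quarantine" or "skip" (leave in the input bucket)
    reason: str


def parse_scan_results(sns_event: dict) -> list:
    """Unwrap the scan-result JSON documents from an SNS -> Lambda event."""
    return [json.loads(record["Sns"]["Message"]) for record in sns_event.get("Records", [])]


def decide_naive(result: dict) -> Decision:
    """The behaviour the report describes: only the findings list is consulted,
    so an unscanned file (empty Findings) is promoted."""
    findings = result.get("scanning_result", {}).get("Findings", [])
    if findings:
        return Decision("quarantine", "findings present")
    return Decision("promote", "no findings")


def decide(result: dict) -> Decision:
    """Fail closed: a result whose scanner_status is not 0 (or is absent) is
    logged and the object is left where it is; only a completed scan can
    promote or quarantine."""
    status = result.get("scanner_status")
    scanning_result = result.get("scanning_result") or {}
    if status != SCAN_OK:
        message = result.get("scanner_status_message", "no status message")
        error = scanning_result.get("Error", "")
        logger.error(
            "scan did not complete for %s (scanner_status=%r: %s%s); object left in input bucket",
            result.get("file_url"), status, message, f"; {error}" if error else "",
        )
        return Decision("skip", f"scanner_status={status}: {message}")
    findings = scanning_result.get("Findings", [])
    if findings:
        return Decision("quarantine", f"{len(findings)} finding(s)")
    return Decision("promote", "scan completed with no findings")


def lambda_handler(event: dict, context=None) -> list:
    """Entry point shape of an SNS-triggered Lambda. The real post-scan action
    would copy/delete the S3 object according to each decision; that step is
    omitted here so the example runs offline."""
    return [decide(result) for result in parse_scan_results(event)]


# --- constructed sample data (not captured from the product) -----------------
# Mirrors the payload posted in the report.
UNSCANNED_MESSAGE = {
    "timestamp": 1617859212.364275,
    "sqs_message_id": "380227ed-148a-46a1-8f7c-42bd0f67176c",
    "file_url": "https://input-bucket-s3.eu-central-1.amazonaws.com/potentialiy_infected_file.zip",
    "scanner_status": -1,
    "scanner_status_message": "invalid license status",
    "scanning_result": {
        "TotalBytesOfFile": 0,
        "Findings": [],
        "Error": "failed to verify license: failed to verify jwt: jwt is invalid: invalid token supplied",
    },
}
# The two results below are made up; the status message and Findings entry
# shape are not the product's real format, and Findings is treated as opaque.
CLEAN_MESSAGE = {
    "file_url": "https://input-bucket-s3.eu-central-1.amazonaws.com/report.pdf",
    "scanner_status": 0,
    "scanner_status_message": "scan completed",
    "scanning_result": {"TotalBytesOfFile": 4096, "Findings": []},
}
INFECTED_MESSAGE = {
    "file_url": "https://input-bucket-s3.eu-central-1.amazonaws.com/eicar.com",
    "scanner_status": 0,
    "scanner_status_message": "scan completed",
    "scanning_result": {"TotalBytesOfFile": 68, "Findings": [{"malware": "Eicar_test_file"}]},
}


def make_sns_event(*messages: dict) -> dict:
    """Wrap scan-result documents the way SNS delivers them to Lambda."""
    return {"Records": [{"Sns": {"Message": json.dumps(m)}} for m in messages]}


if __name__ == "__main__":
    for d in lambda_handler(make_sns_event(UNSCANNED_MESSAGE, CLEAN_MESSAGE, INFECTED_MESSAGE)):
        print(d.action, "-", d.reason)
```

The check is deliberately on scanner_status rather than on the Error string, and a missing scanner_status key also falls through to "skip": the only path that can move an object out of the input bucket is a result that positively says the scan ran.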