nccgroup / ScoutSuite

Multi-Cloud Security Auditing Tool


GCP Public access buckets are never flagged

fgimenezm opened this issue

When scanning a GCP Project with a bucket with public access enabled (AllUsers), the current ScoutSuite logic will never flag it.

The current ScoutSuite logic is as follows:

    "conditions": [
        "and",
        ["or",
            [
                "cloudstorage.projects.id.buckets.id.member_bindings",
                "withKey",
                "_ARG_0_"
            ],
            [
                "cloudstorage.projects.id.buckets.id.acls",
                "containString",
                "_ARG_0_"
            ]
        ],
        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "enforced"
        ],
        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "inherited"
        ]
    ],

but according to Google documentation about public access prevention, the bucket state can only be set to enforced or inherited, so one of these will always be false:

        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "enforced"
        ],
        [
            "cloudstorage.projects.id.buckets.id.public_access_prevention",
            "notEqual",
            "inherited"
        ]

making the whole condition always false.

Credits to @martinpestoni who found the issue.

#1597 fixes this bug
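As an added example (not ScoutSuite's own code), a minimal evaluator for the condition tree quoted in this issue, run against a constructed public bucket in both prevention states: the original rule never fires, while an illustrative single-condition correction does. The operator semantics, the path resolution and the bucket fields are assumptions of this example, and the corrected rule is this example's own, not the change made in #1597.

```python
# Added example (not ScoutSuite's own code): a minimal evaluator for the
# condition tree quoted in this issue. The operator semantics, the path
# resolution and the sample bucket are assumptions of this example.

def _resolve(bucket: dict, path: str):
    # Assumption: the last path component names the bucket attribute.
    return bucket.get(path.rsplit(".", 1)[-1])

def evaluate(cond: list, bucket: dict, arg0: str) -> bool:
    """Evaluate a ScoutSuite-style condition tree against one bucket."""
    if cond[0] in ("and", "or"):
        results = [evaluate(c, bucket, arg0) for c in cond[1:]]
        return all(results) if cond[0] == "and" else any(results)
    path, op, value = cond
    value = arg0 if value == "_ARG_0_" else value  # rule argument substitution
    actual = _resolve(bucket, path)
    if op == "withKey":
        return isinstance(actual, dict) and value in actual
    if op == "containString":
        return any(value in str(item) for item in (actual or []))
    if op == "notEqual":
        return actual != value
    raise ValueError(f"unsupported operator: {op}")

PAP = "cloudstorage.projects.id.buckets.id.public_access_prevention"
PUBLIC_PRINCIPAL = ["or",
    ["cloudstorage.projects.id.buckets.id.member_bindings", "withKey", "_ARG_0_"],
    ["cloudstorage.projects.id.buckets.id.acls", "containString", "_ARG_0_"]]
# The rule as quoted in the issue: the two notEqual branches cannot both hold,
# because public_access_prevention is always "enforced" or "inherited".
ORIGINAL_RULE = ["and", PUBLIC_PRINCIPAL,
                 [PAP, "notEqual", "enforced"], [PAP, "notEqual", "inherited"]]
# An illustrative correction (this example's own, not the change in #1597):
# flag a public principal unless prevention is enforced on the bucket.
CORRECTED_RULE = ["and", PUBLIC_PRINCIPAL, [PAP, "notEqual", "enforced"]]

def public_bucket(state: str) -> dict:
    """Constructed sample: a bucket granting allUsers through an IAM binding."""
    return {"member_bindings": {"allUsers": ["roles/storage.objectViewer"]},
            "acls": [], "public_access_prevention": state}

def flagged(rule: list, state: str) -> bool:
    """True when the rule would report the sample bucket in the given state."""
    return evaluate(rule, public_bucket(state), "allUsers")

if __name__ == "__main__":
    for state in ("inherited", "enforced"):
        print(state, "original:", flagged(ORIGINAL_RULE, state),
              "corrected:", flagged(CORRECTED_RULE, state))
```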