GCP Public access buckets are never flagged
fgimenezm opened this issue · comments
Federico Gimenez Molinelli commented
When scanning a GCP Project with a bucket with public access enabled (AllUsers), the current ScoutSuite logic will never flag it.
The current ScoutSuite logic is as follows:
```json
"conditions": [
    "and",
    ["or",
        [
            "cloudstorage.projects.id.buckets.id.member_bindings",
            "withKey",
            "_ARG_0_"
        ],
        [
            "cloudstorage.projects.id.buckets.id.acls",
            "containString",
            "_ARG_0_"
        ]
    ],
    [
        "cloudstorage.projects.id.buckets.id.public_access_prevention",
        "notEqual",
        "enforced"
    ],
    [
        "cloudstorage.projects.id.buckets.id.public_access_prevention",
        "notEqual",
        "inherited"
    ]
],
```
But according to the Google documentation on public access prevention, the bucket state can only be set to `enforced` or `inherited`, so one of these two conditions will always be false:
```json
[
    "cloudstorage.projects.id.buckets.id.public_access_prevention",
    "notEqual",
    "enforced"
],
[
    "cloudstorage.projects.id.buckets.id.public_access_prevention",
    "notEqual",
    "inherited"
]
```
making the whole condition always false.
Credits to @martinpestoni who found the issue.
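The contradiction described above, as an added example that is not ScoutSuite's own code and not the change made in #1597: a minimal evaluator for this condition format shows that the quoted rule can never fire for a public bucket, while a hypothetical corrected condition (an assumption here) does. The operator semantics, the `CORRECTED` condition and the sample bucket are all assumptions constructed for this example.

```python
# Simplified re-implementation of a ScoutSuite-style condition tree
# (written for this example, not ScoutSuite's own evaluator).
# A condition is either ["and"/"or", cond, cond, ...] or [path, operator, value];
# the path is resolved against a single bucket record (dict).

def _resolve(bucket, path):
    # Only the last path component matters for one bucket record,
    # e.g. "cloudstorage.projects.id.buckets.id.acls" -> bucket["acls"].
    return bucket.get(path.rsplit(".", 1)[-1])

def _test(actual, op, arg):
    # Assumed semantics for the three operators used in the rule.
    if op == "withKey":
        return isinstance(actual, dict) and arg in actual
    if op == "containString":
        return any(arg in str(item) for item in (actual or []))
    if op == "notEqual":
        return actual != arg
    raise ValueError(f"unsupported operator: {op}")

def evaluate(cond, bucket, args):
    # Recurse through and/or nodes; substitute _ARG_n_ placeholders in leaves.
    if cond[0] in ("and", "or"):
        results = (evaluate(c, bucket, args) for c in cond[1:])
        return all(results) if cond[0] == "and" else any(results)
    path, op, arg = cond
    if isinstance(arg, str) and arg.startswith("_ARG_") and arg.endswith("_"):
        arg = args[int(arg[5:-1])]
    return _test(_resolve(bucket, path), op, arg)

PAP = "cloudstorage.projects.id.buckets.id.public_access_prevention"
PUBLIC_BINDING = ["or",
    ["cloudstorage.projects.id.buckets.id.member_bindings", "withKey", "_ARG_0_"],
    ["cloudstorage.projects.id.buckets.id.acls", "containString", "_ARG_0_"]]

# Condition as quoted in the issue: both notEqual clauses are AND-ed, and the
# field is always one of the two values, so the conjunction is always false.
ORIGINAL = ["and", PUBLIC_BINDING,
            [PAP, "notEqual", "enforced"], [PAP, "notEqual", "inherited"]]
# Hypothetical corrected condition (an assumption, not the fix in #1597):
# a public binding is a finding unless prevention is explicitly enforced.
CORRECTED = ["and", PUBLIC_BINDING, [PAP, "notEqual", "enforced"]]

# Constructed sample bucket: allUsers granted objectViewer, prevention inherited.
PUBLIC_BUCKET = {"member_bindings": {"allUsers": ["roles/storage.objectViewer"]},
                 "acls": [], "public_access_prevention": "inherited"}

def rule_fires(cond, bucket=PUBLIC_BUCKET):
    # Evaluate a condition with _ARG_0_ = "allUsers", as the rule would.
    return evaluate(cond, bucket, ["allUsers"])
```

Running `rule_fires(ORIGINAL)` on the public bucket returns False (no finding), while `rule_fires(CORRECTED)` returns True.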
Xavier Garceau-Aranda commented
#1597 fixes this bug