@saez0pub saez0pub commented Apr 5, 2023

Description

  • fix(gcp): None as cloudfunctions environment_variables
    If we have no environment variable on cloud function
    AttributeError: 'NoneType' object has no attribute 'items'
    in get_environment_secrets function

  • fix(gcp): False positive on pubsub only cloud functions
    If an app is not accessible with an http url, we have a false positive
    on the http exposure

  • fix(gcp): gke cluster subnetwork can be cross project

  • fix(gcp): sql-component api is deprecated
    See https://cloud.google.com/sql/docs/mysql/admin-api/rest

Type of change

Select the relevant option(s):

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works (optional)
  • New and existing unit tests pass locally with my changes

saez0pub added 4 commits April 5, 2023 09:39
If an app is not accessible with an http url, we have a false positive
on the http exposure
If we have no environment variable on cloud function
AttributeError: 'NoneType' object has no attribute 'items'
in get_environment_secrets function
@saez0pub saez0pub changed the title Fix/gcp audit Fix(gcp): update cloudsql api and edge case configurations Apr 5, 2023
@liyun-li liyun-li self-assigned this May 18, 2023
@liyun-li

Great find; give us some time to look at it, please!

x4v13r64 commented Jun 1, 2023

LGTM

liyun-li commented Jun 5, 2023

@liyun-li liyun-li left a comment

LGTM

function_dict['docker_registry'] = raw_function['dockerRegistry']
function_dict['url'] = raw_function.get('httpsTrigger', {}).get('url')
function_dict['security_level'] = raw_function.get('httpsTrigger', {}).get('securityLevel')
function_dict['security_level'] = 'SECURE_ALWAYS' if function_dict['url'] is None else raw_function.get('httpsTrigger', {}).get('securityLevel')
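
Review bot: On the last line, a function whose `url` is None gets `security_level` hard-coded to 'SECURE_ALWAYS', so the stored value no longer reflects what the API returned and a function without an HTTPS trigger looks the same as one that enforces HTTPS. Consider leaving the field as None when there is no URL and having the HTTP-exposure rule skip functions without a URL, or at least add a comment stating that the sentinel exists to suppress the false positive on pubsub-only functions. As a style point, `raw_function.get('httpsTrigger', {})` is evaluated on each of these lines and could be read once into a local.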

What is SECURE_ALWAYS?

@liyun-li liyun-li merged commit acf7bda into nccgroup:develop Jun 5, 2023