fix(detect-secrets): Include missing colon to link values #1078

Merged
merged 1 commit into from
Mar 22, 2022
46 changes: 24 additions & 22 deletions checks/check_extra742
Expand Up @@ -27,42 +27,44 @@ extra742(){
SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
# this folder is deleted once this check is finished
mkdir $SECRETS_TEMP_FOLDER
mkdir "${SECRETS_TEMP_FOLDER}"
fi

for regx in $REGIONS; do
CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --output json 2>&1)
if [[ $(echo "$CFN_STACKS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
CFN_STACKS=$("${AWSCLI}" cloudformation describe-stacks $PROFILE_OPT --region "${regx}" --output json 2>&1)
if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "$CFN_STACKS" ; then
textInfo "$regx: Access Denied trying to describe stacks" "$regx"
continue
fi
LIST_OF_CFN_STACKS=$(echo $CFN_STACKS | jq -r '.Stacks[].StackName')
fi
LIST_OF_CFN_STACKS=$(jq -r '.Stacks[].StackName' <<< "${CFN_STACKS}")
if [[ $LIST_OF_CFN_STACKS ]];then
for stack in $LIST_OF_CFN_STACKS; do
CFN_OUTPUTS_FILE="$SECRETS_TEMP_FOLDER/extra742-$stack-$regx-outputs.txt"
echo $CFN_STACKS | jq --arg s "$stack" -r '.Stacks[] | select( .StackName == $s ) | .Outputs[]? | "\(.OutputKey) \(.OutputValue)"' > $CFN_OUTPUTS_FILE

if [ -s $CFN_OUTPUTS_FILE ];then
# This finds ftp or http URLs with credentials and common keywords
# FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $CFN_OUTPUTS_FILE |wc -l|tr -d '\ ')
# New implementation using https://github.com/Yelp/detect-secrets
FINDINGS=$(secretsDetector file $CFN_OUTPUTS_FILE)
for stackName in $LIST_OF_CFN_STACKS; do
CFN_OUTPUTS_FILE="$SECRETS_TEMP_FOLDER/extra742-${stackName}-${regx}-outputs.txt"
# OutputKey and OutputValue are separated by a colon because secrets-detector needs a way to link both values
jq --arg stackName "$stackName" -r '.Stacks[] | select( .StackName == $stackName ) | .Outputs[]? | "\(.OutputKey):\(.OutputValue)"' <<< "${CFN_STACKS}" > "${CFN_OUTPUTS_FILE}"
if [ -s "${CFN_OUTPUTS_FILE}" ];then
FINDINGS=$(secretsDetector file "${CFN_OUTPUTS_FILE}")
if [[ $FINDINGS -eq 0 ]]; then
textPass "$regx: No secrets found in stack $stack Outputs" "$regx" "$stack"
# delete file if nothing interesting is there
rm -f $CFN_OUTPUTS_FILE
textPass "$regx: No secrets found in stack ${stackName} Outputs" "$regx" "${stackName}"
# Delete file if nothing interesting is there
rm -f "${CFN_OUTPUTS_FILE}"
else
textFail "$regx: Potential secret found in stack $stack Outputs" "$regx" "$stack"
# delete file to not leave trace, user must look at the CFN Stack
rm -f $CFN_OUTPUTS_FILE
textFail "$regx: Potential secret found in stack ${stackName} Outputs" "$regx" "${stackName}"
# Delete file to not leave trace, user must look at the CFN Stack
rm -f "${CFN_OUTPUTS_FILE}"
fi
else
textInfo "$regx: CloudFormation stack $stack has no Outputs" "$regx"
textInfo "$regx: CloudFormation stack ${stackName} has no Outputs" "$regx"
fi
done
else
textInfo "$regx: No CloudFormation stacks found" "$regx"
fi
done
rm -rf $SECRETS_TEMP_FOLDER

# Cleanup temporary folder
if [[ -d $SECRETS_TEMP_FOLDER ]]
then
rm -rf "${SECRETS_TEMP_FOLDER}"
fi
}
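Review bot: The describe-stacks call still folds stderr into CFN_STACKS with `2>&1`, and only the three authorization strings are screened for before that text is handed to jq, so any other CLI failure (throttling, expired credentials, network error) makes jq choke on non-JSON, leaves LIST_OF_CFN_STACKS empty, and the check reports "No CloudFormation stacks found" — a silent false negative for a secrets scan. Checking jq's own status at the parse line would close that gap without touching the grep branch: `LIST_OF_CFN_STACKS=$(jq -r '.Stacks[].StackName' <<< "${CFN_STACKS}" 2>/dev/null) || { textInfo "$regx: Unable to parse describe-stacks output" "$regx"; continue; }`. Separately, the files written under SECRETS_TEMP_FOLDER are exactly the material being screened for credentials, so creating the folder with `mkdir -m 700 "${SECRETS_TEMP_FOLDER}"` would keep them private to the running user until the cleanup at the end. The extra742 function begins above the hunk; only its tail is visible here.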