From 565200529f3280cdc3e328eac32c80a47b351b81 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Tue, 22 Mar 2022 13:53:36 +0100
Subject: [PATCH] fix(detect-secrets): Include missing colon to link values (#1078)
---
 checks/check_extra742 | 46 ++++++++++++++++++++++---------------------
 1 file changed, 24 insertions(+), 22 deletions(-)
diff --git a/checks/check_extra742 b/checks/check_extra742
index edeaaa9c508..a60ce39d2d9 100644
--- a/checks/check_extra742
+++ b/checks/check_extra742
@@ -27,42 +27,44 @@ extra742(){
 SECRETS_TEMP_FOLDER="$PROWLER_DIR/secrets-$ACCOUNT_NUM"
 if [[ ! -d $SECRETS_TEMP_FOLDER ]]; then
 # this folder is deleted once this check is finished
- mkdir $SECRETS_TEMP_FOLDER
+ mkdir "${SECRETS_TEMP_FOLDER}"
 fi
 for regx in $REGIONS; do
- CFN_STACKS=$($AWSCLI cloudformation describe-stacks $PROFILE_OPT --region $regx --output json 2>&1)
- if [[ $(echo "$CFN_STACKS" | grep -E 'AccessDenied|UnauthorizedOperation|AuthorizationError') ]]; then
+ CFN_STACKS=$("${AWSCLI}" cloudformation describe-stacks $PROFILE_OPT --region "${regx}" --output json 2>&1)
+ if grep -q -E 'AccessDenied|UnauthorizedOperation|AuthorizationError' <<< "$CFN_STACKS" ; then
 textInfo "$regx: Access Denied trying to describe stacks" "$regx"
 continue
- fi
- LIST_OF_CFN_STACKS=$(echo $CFN_STACKS | jq -r '.Stacks[].StackName')
+ fi
+ LIST_OF_CFN_STACKS=$(jq -r '.Stacks[].StackName' <<< "${CFN_STACKS}")
 if [[ $LIST_OF_CFN_STACKS ]];then
- for stack in $LIST_OF_CFN_STACKS; do
- CFN_OUTPUTS_FILE="$SECRETS_TEMP_FOLDER/extra742-$stack-$regx-outputs.txt"
- echo $CFN_STACKS | jq --arg s "$stack" -r '.Stacks[] | select( .StackName == $s ) | .Outputs[]? | "\(.OutputKey) \(.OutputValue)"' > $CFN_OUTPUTS_FILE
-
- if [ -s $CFN_OUTPUTS_FILE ];then
- # This finds ftp or http URLs with credentials and common keywords
- # FINDINGS=$(egrep -i '[[:alpha:]]*://[[:alnum:]]*:[[:alnum:]]*@.*/|key|secret|token|pass' $CFN_OUTPUTS_FILE |wc -l|tr -d '\ ')
- # New implementation using https://github.com/Yelp/detect-secrets
- FINDINGS=$(secretsDetector file $CFN_OUTPUTS_FILE)
+ for stackName in $LIST_OF_CFN_STACKS; do
+ CFN_OUTPUTS_FILE="$SECRETS_TEMP_FOLDER/extra742-${stackName}-${regx}-outputs.txt"
+ # OutputKey and OutputValue are separated by a colon because secrets-detector needs a way to link both values
+ jq --arg stackName "$stackName" -r '.Stacks[] | select( .StackName == $stackName ) | .Outputs[]?
| "\(.OutputKey):\(.OutputValue)"' <<< "${CFN_STACKS}" > "${CFN_OUTPUTS_FILE}"
+ if [ -s "${CFN_OUTPUTS_FILE}" ];then
+ FINDINGS=$(secretsDetector file "${CFN_OUTPUTS_FILE}")
 if [[ $FINDINGS -eq 0 ]]; then
- textPass "$regx: No secrets found in stack $stack Outputs" "$regx" "$stack"
- # delete file if nothing interesting is there
- rm -f $CFN_OUTPUTS_FILE
+ textPass "$regx: No secrets found in stack ${stackName} Outputs" "$regx" "${stackName}"
+ # Delete file if nothing interesting is there
+ rm -f "${CFN_OUTPUTS_FILE}"
 else
- textFail "$regx: Potential secret found in stack $stack Outputs" "$regx" "$stack"
- # delete file to not leave trace, user must look at the CFN Stack
- rm -f $CFN_OUTPUTS_FILE
+ textFail "$regx: Potential secret found in stack ${stackName} Outputs" "$regx" "${stackName}"
+ # Delete file to not leave trace, user must look at the CFN Stack
+ rm -f "${CFN_OUTPUTS_FILE}"
 fi
 else
- textInfo "$regx: CloudFormation stack $stack has no Outputs" "$regx"
+ textInfo "$regx: CloudFormation stack ${stackName} has no Outputs" "$regx"
 fi
 done
 else
 textInfo "$regx: No CloudFormation stacks found" "$regx"
 fi
 done
- rm -rf $SECRETS_TEMP_FOLDER
+
+ # Cleanup temporary folder
+ if [[ -d $SECRETS_TEMP_FOLDER ]]
+ then
+ rm -rf "${SECRETS_TEMP_FOLDER}"
+ fi
 }
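Review bot: The new `FINDINGS=$(secretsDetector file "${CFN_OUTPUTS_FILE}")` line discards the helper's exit status, and the unchanged `[[ $FINDINGS -eq 0 ]]` that follows evaluates an empty or non-numeric value as 0, so a detector that is missing, crashes, or prints an error message is reported via textPass as "No secrets found" rather than as a failed scan. Guard the comparison with `FINDINGS=$(secretsDetector file "${CFN_OUTPUTS_FILE}") || FINDINGS=` followed by `[[ $FINDINGS =~ ^[0-9]+$ ]] || { textInfo "$regx: secretsDetector failed for stack ${stackName}" "$regx"; rm -f "${CFN_OUTPUTS_FILE}"; continue; }` so a detector problem is surfaced instead of scored as a pass; what secretsDetector prints on failure is not visible in this hunk, so the exact check may need adjusting. Since the outputs file under `SECRETS_TEMP_FOLDER` briefly holds values that may be secrets, the new `mkdir "${SECRETS_TEMP_FOLDER}"` could also be `mkdir -m 0700 -- "${SECRETS_TEMP_FOLDER}"` so the folder is not readable by other local users while the check runs. The same fail-open concern applies to the new `LIST_OF_CFN_STACKS=$(jq -r '.Stacks[].StackName' <<< "${CFN_STACKS}")` line: because CFN_STACKS captures stderr via `2>&1`, any CLI error other than the three matched by the grep makes jq fail on non-JSON input and the region is then reported as "No CloudFormation stacks found".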