admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-07 19:23:18 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba03e54063a94de8155adf476dc07e5b39bca341
nuclei-templates/cloud/gcp/bigquery/gcloud-bigquery-public-datasets.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

75 lines
2.6 KiB
YAML
Raw Blame History

id: gcloud-bigquery-public-datasets
info:
name: Publicly Accessible BigQuery Datasets
author: princechaddha
severity: high
description: |
Ensure there are no anonymously and/or publicly accessible BigQuery datasets available within your Google Cloud Platform (GCP) account. Google Cloud BigQuery datasets have Identity and Access Management (IAM) policies configured to determine who can have access to these resources. To refuse access from anonymous and public users, remove the bindings for "allUsers" and "allAuthenticatedUsers" members from the IAM policy associated with your datasets.
impact: |
Publicly accessible BigQuery datasets can lead to unauthorized data access or data leaks. Ensuring that access is restricted helps maintain the integrity and confidentiality of your data.
remediation: |
Update the IAM policies for each BigQuery dataset to remove "allUsers" and "allAuthenticatedUsers". This action will ensure that datasets are not exposed to any user on the internet or authenticated users not explicitly granted permission.
reference:
- https://cloud.google.com/bigquery/docs/managing-dataset-access
tags: cloud,devops,gcp,gcloud,bigquery,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let datasetId of iterate(template.datasetIds)){
set("datasetId", datasetId)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
bq ls --project_id $projectId --format=json
extractors:
- type: json
name: datasetIds
internal: true
json:
- '.[].datasetId'
- engine:
- sh
- bash
source: |
bq show --format=prettyjson $projectId:$datasetId | jq '.access[] | select(.role != null and (.specialGroup == "allUsers" or .specialGroup == "allAuthenticatedUsers")) | .role'
matchers:
- type: word
words:
- 'roles/bigquery.dataViewer'
- 'roles/bigquery.dataEditor'
- 'roles/bigquery.dataOwner'
condition: or
extractors:
- type: dsl
dsl:
- '"Publicly Accessible BigQuery Dataset: " + datasetId + " in Project: " + projectId'
# digest: 490a004630440220244f74cd6bc6aa70ae3f127aab2e43cee539141d4eaf7c460ba11126ce1d46ed02202d883b802f8d9610b05efe7ff9d09e24acde57969de692f527722f4cf7f7de53:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink