admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-10 20:53:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e2e9901bf9ec94de03e5ed7490847aac0ccbc598
nuclei-templates/cloud/gcp/pubsub/gcloud-pubsub-crossproject-access.yaml
Prince Chaddha ea7a5969c8 Revert "chore: update TemplateMan 🤖" 
This reverts commit c31d574176.
2025-05-27 10:39:47 +08:00

73 lines
2.5 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
id: gcloud-pubsub-crossproject-access
info:
name: Pub/Sub Subscription Cross-Project Access
author: princechaddha
severity: high
description: |
Ensure that your Google Cloud Pub/Sub subscriptions are configured to allow access only to trusted GCP projects to protect against unauthorized cross-project access. The list with the trusted GCP projects must be defined in the conformity rule settings, in the Trend Cloud One™ Conformity account console.
impact: |
Allowing access to Pub/Sub subscriptions from untrusted GCP projects can lead to unauthorized data access, privilege escalation, and potential data exfiltration.
remediation: |
Restrict access to Pub/Sub subscriptions by configuring IAM policies to include only trusted service accounts or users. Ensure roles such as "roles/pubsub.subscriber", "roles/pubsub.editor", or "roles/pubsub.admin" are only assigned to trusted principals.
reference:
- https://cloud.google.com/pubsub/docs/access-control
- https://cloudone.trendmicro.com/docs/conformity
tags: cloud,devops,gcp,gcloud,google-cloud-pubsub,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let pubsubSubscription of iterate(template.subscriptions)){
set("subscriptionName", pubsubSubscription)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud pubsub subscriptions list --project $projectId --format="json(name)"
extractors:
- type: json
name: subscriptions
internal: true
json:
- '.[].name'
- engine:
- sh
- bash
source: |
gcloud pubsub subscriptions get-iam-policy $subscriptionName --format=json | jq '.bindings[]'
matchers:
- type: word
words:
- '@'
extractors:
- type: dsl
dsl:
- '"Pub/Sub subscription " + subscriptionName + " in project " + projectId + " has cross-project access configured with one or more untrusted members."'
# digest: 4a0a00473045022100cf5daef669d70a8709759d4df7a2cf30496f9f83e0c47c4c04ff56351037ef40022057077361e1e73dd4aed5ca8f9a26a61abb15729f1b6b7df3394b5df852cdf74e:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink