Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🎉 v2.0.0 Huge Rewrite #112

Merged
merged 135 commits into from
Apr 23, 2021
Merged

🎉 v2.0.0 Huge Rewrite #112

merged 135 commits into from
Apr 23, 2021

Conversation

sa7mon
Copy link
Owner

@sa7mon sa7mon commented Apr 22, 2021
edited
Loading

This is almost a complete re-write of the tool and thus deserves a major version bump.

Changes

  • Check for each combination of open permissions on buckets
  • Check for "dangerous" permissions: Write, WriteACP
  • Simplified the output not have different formats for file and console output. Everything is now just output to stdout in a uniform way to allow easy parsing with grep/awk/etc
  • Supported added for non-AWS S3-compatible APIs. This was done in a generic way to avoid having to include API-specific code in the tool and update it when the APIs inevitably change/break
  • Packaged and uploaded a Pip package for easier distribution
  • Built and pushed a Docker image to Docker Hub: https://hub.docker.com/r/hothamandcheese/s3scanner
  • Increased overall test coverage to ~90%
  • Added support for multi-threaded scanning and dumping
  • Added support for "resume-able" dumping. If an object has already been downloaded, it will be skipped unless the sizes differ
  • Supports Windows/MacOS/Linux with Python 3.6+

Known Issues / Future Work

  • Currently, non-AWS endpoints are only scanned for anonymous permissions. Testing is needed to see if credential scans work and if the permissions match AWS structure.
  • When dumping a bucket, the tool will check to see if each file has already been downloaded. If it has, the file will be skipped unless the size of the local and remote files don't match. In the future, the user should be given a choice to re-download these files.
  • Measure user desire for other output formats (i.e. csv/json/sqlite)

Closes #16
Closes #41
Closes #53
Closes #62
Closes #66
Closes #67
Closes #70
Closes #73
Closes #82
Closes #100

Dan Salmon and others added 30 commits September 30, 2019 01:43
new file
6659069
Maybe temporary main file
7a391db
Move bucket file for now and get bucket creation working
704de2e
Greatly speed up credential checking
1c8440d
Fix tab issue and bucket name checking
5b0c781
Stub out next method calls
6e370b9
Update gitignore to ignore all virtualenv's
6de1686
Fix bug and create service class
25d60a2
Fix invalid code
c33ba26
Create new service and start adding bucket methods
08f226f
check_bucket_exists sets the 'exists' value of the bucket passed
42ab306
Add AWS creds check
55ea605
Get ListBucket permission checking working
ad2b928
Start getting bucket object enumeration working
70d8790
Get object enumeration working and tested
8179990
Implement getHumanReadableSize()
dbebc19
Get read_acl permission checking working
17e5960
Force a bucket existance check before checking for permissions
ceda4e2
Handle no aws creds
a5e1463
Start commenting out refactored code and get scanner working
24255e9
@sa7mon
Make decision on bucket permission slots and get ReadACL check working
abcdd2d
@sa7mon
Update list_bucket method to use new permission and fix tests
136d55e
@sa7mon
Disable old tests for now and close #86
231dfc4
@sa7mon
Add check for bucket that allows AllUsers to read ACL. Closes #88
36066da
@sa7mon
Create script to spin up a dangerous bucket temporarily
4810b13
@sa7mon
Set timeout to 1 hour
1d9c715
@sa7mon
Move to a Python file instead so we can use environment variables
24cd1b8
Add check for write permission
a1bc950
Add write check test -- needs work
685c13b
@sa7mon
Merge branch 'enhancements' of github.com:sa7mon/S3Scanner into enhan…
4ae188c 
…cements
sa7mon and others added 29 commits April 18, 2021 18:05
@sa7mon
Support endpoints either path or vhost style
a5d615a
@sa7mon
Test endpoints and add custom exception
0dd63ee
Always scan non-aws buckets anonymously
e3c8b0c
Move tests to folder
35c6cba
Remove windows python3.9 job as choco doesn't install pip
ec9b62a
@sa7mon
Cleanup service
c6ef00f
@sa7mon
Add service tests
68e0a73
Update docstrings
bc28bd5
Update docstrings
2ab68df
Update docstrings and add if-main check
e75c7c2
Refactor s3Bucket class to S3Bucket
27efeba
Refactor object methods
2dfc7de
Refactor class name
46fd567
Refactor method
980987d
Refactor constants
a805591
Only scan bucket permissions with creds if endpoint is AWS
23a1e30
Create new readme
8f08e35
Lint
6781c32
Move classes into package and fix imports
9d953f2
Package for pip
efce7d6
Cleanup
a43177f
Lint
c7fb4b1
Fix scan issue
a3bc5e3
Update readme
3e74746
Use python3.8 in Docker
99076c2
Update Dockerfile and readme
e97db9a
Check for WriteACP permission
e8d75d0
Update readme
302ec41
Resolve merge conflicts
8580d8d
@sa7mon sa7mon merged commit fb39258 into master Apr 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@sa7mon