Merge pull request #29 from fn20200323/publicReportExposed

phifogg · web-flow · commit 9026ab1cdfda · 2021-11-03T09:49:44.000+01:00
Report roles verification for public ones
diff --git a/README.md b/README.md
@@ -140,6 +140,9 @@ Monitor users with role `admin` (not locked out) that are not logged for longer
 After deactivation of Groups there can be still some users.
 Group offer membership but also can provide some roles that after deactivation should be considered as no longer needed.
 
+### Report with public role can expose data to unauthenticated clients
+For table that store reports definition there is also posibility to assign roles. It is possible that by default it is added `public` role. It means that even not authorized clients can access such report and sometimes with exposed data that shouldn't be accessible.
+
 ### Scheduled Job with RunAs set as Locked Out user
 Detecting no longer active user with flag Locked Out set to true that is set as a RunAs for Scheduled Job
 
diff --git a/scan_script_only_check_1e7511642f2330100b40bea62799b6f1.xml b/scan_script_only_check_1e7511642f2330100b40bea62799b6f1.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<unload unload_date="2021-10-28 19:04:18">
+<scan_script_only_check action="INSERT_OR_UPDATE">
+<active>true</active>
+<attributes display_value="Public reports to be verified ">906611642f2330100b40bea62799b6b7</attributes>
+<category>security</category>
+<description>It is worthy to check all reports that are with role public - as they can expose data to unauthenticated users via:
+ https : / / &lt;instance&gt;.service-now.com/sys_report_display.do?sysparm_report_id=&lt;sysID&gt;</description>
+<documentation_url/>
+<name>Public reports to be verified </name>
+<priority>2</priority>
+<resolution_details/>
+<script><![CDATA[(function(finding) {
+
+    var grSysReport = new GlideRecord('sys_report');
+    grSysReport.addEncodedQuery("roles=public");
+    grSysReport.query();
+    while (grSysReport.next()) {
+        finding.setCurrentSource(grSysReport);
+        finding.increment();
+    }
+
+})(finding);]]></script>
+<short_description>Candidates of publicly available reports (without needs to authorize) that shoul</short_description>
+<sys_class_name>scan_script_only_check</sys_class_name>
+<sys_created_by>admin</sys_created_by>
+<sys_created_on>2021-10-28 18:46:02</sys_created_on>
+<sys_id>1e7511642f2330100b40bea62799b6f1</sys_id>
+<sys_mod_count>1</sys_mod_count>
+<sys_name>Public reports to be verified </sys_name>
+<sys_package display_value="Global" source="global">global</sys_package>
+<sys_policy/>
+<sys_scope display_value="Global">global</sys_scope>
+<sys_update_name>scan_script_only_check_1e7511642f2330100b40bea62799b6f1</sys_update_name>
+<sys_updated_by>admin</sys_updated_by>
+<sys_updated_on>2021-10-28 18:50:32</sys_updated_on>
+</scan_script_only_check>
+</unload>
