New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manual merge/develop 226 #316
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rip my commit :'(
Codecov Report
@@ Coverage Diff @@
## develop #316 +/- ##
===========================================
- Coverage 34.61% 34.29% -0.32%
===========================================
Files 176 179 +3
Lines 5764 5974 +210
===========================================
+ Hits 1995 2049 +54
- Misses 3769 3925 +156
Continue to review full report at Codecov.
|
Codecov Report
@@ Coverage Diff @@
## develop #316 +/- ##
===========================================
- Coverage 34.61% 34.29% -0.32%
===========================================
Files 176 179 +3
Lines 5764 5974 +210
===========================================
+ Hits 1995 2049 +54
- Misses 3769 3925 +156
Continue to review full report at Codecov.
|
...e/output/data/html/partials/aws/services.ec2.regions.vpcs.security_groups.resource_list.html
Outdated
Show resolved
Hide resolved
|
||
/** | ||
* Acts like getResourcePageSqlite but when we're using regions, made a separate function since the order of | ||
* the variables are different and it was getting confusing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand why we need a separate method for services with regions. It seems like this won't scale well with other providers. For example, GCP has projects, which I assume is currently not supported.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made separate functions to limit the amount of if/elsr clauses. But yeah, more needs to be done for sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I meant why do we need specific pieces of code for both cases. The comment is a bit unclear, what variables are different? And how are the projects handled?
@@ -25,7 +25,7 @@ class BaseProvider(object): | |||
""" | |||
|
|||
def __init__(self, report_dir=None, timestamp=None, services=None, skipped_services=None, thread_config=4, | |||
**kwargs): | |||
result_format='json', **kwargs): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does the provider need to know about the result format?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's @vifor2 works.
That might have to do with the report generation, so it ends up written somewhere in the javascript or HTML that the report is supposed to be hooked to a server. I see it stored in the provider object at least in Azure, though I don't know if it's used anywhere, and in the base provider it is not used anywhere. Might just be leftovers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah depeding on the type of report, I attach or not certain elements to the report, e.g. the script sqlite.js is not attached if creating a json report. This also helps me determine which functions to run in scoutsuite.js
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does the provider have to do with this though? :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great job guys! It seems like there could be some improvement in the cleanness department, but it's a great proof of concept 🥇
EDIT:
I checked out the branch in order to test. Is the JSON format supposed to work on chrome? I'm getting a cors error.
jquery-3.3.1.min.js:2 Access to XMLHttpRequest at 'file:///C:/ScoutSuite/scoutsuite-report/scoutsuite-results/scoutsuite_results-aws.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.
EDITEDIT:
The CORS problem can be fixed by starting chrome with the --allow-file-access-from-files
flag.
I'm getting this error log when scanning.
2019-04-09 10:47:24 SURFACE-ANTOINE scout[6792] INFO Applying exceptions
2019-04-09 10:47:24 SURFACE-ANTOINE scout[6792] ERROR scout.py L186: Failed to load exceptions: 'NoneType' object has no attribute 'replace'
Co-Authored-By: vifor2 <fortin.vincent@hotmail.com>
…vpcs.security_groups.resource_list.html Co-Authored-By: vifor2 <fortin.vincent@hotmail.com>
Co-Authored-By: vifor2 <fortin.vincent@hotmail.com>
Co-Authored-By: vifor2 <fortin.vincent@hotmail.com>
Co-Authored-By: vifor2 <fortin.vincent@hotmail.com>
Co-Authored-By: vifor2 <fortin.vincent@hotmail.com>
This is on develop too, and happens when there are exceptions(to enter the if execptions:) and the profile is None, so on both GCP and Azure. |
Should be fixed in #327. |
Fix minor bugs introduced in #316
Feature functional although it could use some improvements (hence the EXPERIMENTAL disclaimer when using
--help
), but since there is less than 1 week before the end of the project @zer0x64 and me would like to get this merged ASAP! Also to cease the merge conflicts (pl0x).This PR but less chaotic.
Implements this issue.
Scroll down for TL;DR
Changes done within this PR :
--result-format
with eitherjson
orsqlite
as args.scoutsuite-results/scoutsuite_results.js
andscoutsuite-results/scoutsuite_exceptions.js
are no longer inreport.html
by default, they are instead in a partial that is added if the user chosejson
in the previous point.scoutsuite.js
now checks whether an element with the idjson_format
orsqlite_format
exists to know which functions to call..db
file instead of a.js
file, these files being more compact as well as readable by a server..db
file to our client through CherryPy..js
files to follow standardJS, there are still some changes to do.Known issues :
jquery-3.3.1.min.js:2 Access to XMLHttpRequest at 'file:///home/vifor2/Documents/ScoutSuite/scoutsuite-report/inc-scoutsuite/sqlite.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https.
XML Parsing Error: syntax error Location: file:///home/vifor2/Documents/ScoutSuite/scoutsuite-report/inc-scoutsuite/sqlite.js Line Number 1, Column 1:
TL;DR
Example with Azure
While in /ScoutSuite open two terminals, in the first one type in
azure --cli --serve
and in the second one your usual command followed by--result-format sqlite
, you can then view the report has usually excepted for the fact that you'll have buttons to load in/out new pages.Example with GCP
Same as concept as Azure but replace the first command with
gcp --user-account --serve
Example with AWS
Same concept as previous ones but replace the first command with
aws --serve
Or you can only use one terminal,
--no-browser
and the 2 commands in the right order...