modules/recon/terraform-state-exposure.yaml flags an exposed terraform state file on the terraform_version key paired with a state structure key, then extracts the version. the structure key keeps a document that merely mentions terraform_version from matching. modules/recon/kubeconfig-exposure.yaml flags an exposed kubeconfig on the kind: Config marker paired with a cluster or credential key, then extracts the cluster api endpoint. it catches an exec auth kubeconfig with no embedded key since the cluster block alone is a leak. modules/recon/docker-compose-exposure.yaml flags an exposed compose file on the services key paired with a service definition key, then extracts the first image reference to surface the stack and its versions. each module pairs a unique marker with a structure key and rejects an html body, so a page that only names the marker is not a leak. internal/modules/infra_config_exposure_test.go drives the three modules end to end through ExecuteHTTPModule and asserts the leak alongside the near misses a strict review wants pinned: a bare terraform_version mention, a bare kind: Config mention, a bare services key, an html page carrying the markers, a plain 200 body and a 404, none of which may match. verify: go test ./internal/modules, each marker, structure gate, guard and extractor proven to bite (break -> red, restore -> green).
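# Docker Compose Exposure Detection Module
#
# Probes the usual compose file names at the web root. A finding requires all of:
#   - HTTP 200
#   - the top-level `services:` marker
#   - at least one service-definition key (`image:`, `container_name:`, `build:`)
#   - no HTML markers in the body
# so a page that merely mentions `services:` is not reported.
# NOTE(review): this depends on the engine AND-ing every matcher in the list
# (the commit's tests pin a plain 200 body as a non-match); if the engine ever
# grows a matchers-condition option, pin it to `and` here explicitly.
# Compose files frequently carry `environment:` credentials alongside the
# topology; the medium severity reflects the topology/version leak only, so
# review the recovered body for secrets during triage.

id: docker-compose-exposure

info:
  name: Docker Compose Exposure
  author: sif
  severity: medium
  description: Detects an exposed docker compose file that leaks service topology and image versions
  tags: [docker, compose, container, info-disclosure, exposure, recon]

type: http

http:
  method: GET
  paths:
    - "{{BaseURL}}/docker-compose.yml"
    - "{{BaseURL}}/docker-compose.yaml"
    - "{{BaseURL}}/docker-compose.prod.yml"
    # Compose v2 also accepts the shorter compose.yaml/compose.yml names, and
    # override files are just as commonly left next to the main file.
    - "{{BaseURL}}/compose.yml"
    - "{{BaseURL}}/compose.yaml"
    - "{{BaseURL}}/docker-compose.override.yml"

  matchers:
    - type: status
      status:
        - 200

    # Unique marker: every compose file has a top-level services map.
    - type: word
      part: body
      words:
        - "services:"

    # Structure gate: a real service definition carries one of these keys.
    - type: word
      part: body
      condition: or
      words:
        - "image:"
        - "container_name:"
        - "build:"

    # Guard: an HTML page (docs, error page, SPA shell) that quotes the
    # markers is not a leak.
    - type: word
      part: body
      negative: true
      condition: or
      words:
        - "<!DOCTYPE"
        - "<!doctype"
        - "<html"
        - "<HTML"
        - "<head>"
        - "<title>"

  extractors:
    # First image reference, to surface the stack and its pinned versions.
    # The key is anchored to the start of a line so `baseimage:` or a
    # commented-out `# image:` is not taken, and only horizontal whitespace
    # is skipped after the colon so an empty `image:` cannot capture the
    # next line's key as the image. Single quotes keep the backslashes
    # literal; '' is the YAML escape for one quote inside the class.
    - type: regex
      name: compose_image
      part: body
      regex:
        - '(?:^|\n)[ \t]*image:[ \t]*["'']?([^\s"'']+)'
      group: 1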