gcloud-org-sql-public-ip: Public IP Access for Cloud SQL Instances Not Restricted

日期: 2025-08-01 | 影响软件: gcloud org sql public ip | POC: 已公开

漏洞描述

Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enforced for your Google Cloud organizations. Due to strict security and compliance regulations, you can't allow GCP members to configure security-critical database instances with public IPs. For highly sensitive workloads, the access to the SQL database instances can be made only through private IP addresses or Google Cloud SQL Proxy.

PoC代码[已公开]

id: gcloud-org-sql-public-ip

info:
  name: Public IP Access for Cloud SQL Instances Not Restricted
  author: princechaddha
  severity: medium
  description: |
    Ensure that "Restrict Public IP access on Cloud SQL instances" policy is enforced for your Google Cloud organizations. Due to strict security and compliance regulations, you can't allow GCP members to configure security-critical database instances with public IPs. For highly sensitive workloads, the access to the SQL database instances can be made only through private IP addresses or Google Cloud SQL Proxy.
  impact: |
    Without restricting public IP access, Cloud SQL instances can be configured with public IP addresses, potentially exposing sensitive databases to unauthorized access from the internet.
  remediation: |
    Enable the "Restrict Public IP access on Cloud SQL instances" policy at the organization level using the 'gcloud alpha resource-manager org-policies enable-enforce' command with the sql.restrictPublicIp constraint.
  reference:
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ResourceManager/restrict-public-ip-access-at-organization-level.html
    - https://cloud.google.com/sql/docs/mysql/configure-ip
  tags: cloud,devops,gcp,gcloud,resourcemanager,security,sql,networking,gcp-cloud-config

flow: |
  code(1)
  for(let orgId of iterate(template.orgIds)){
    set("orgId", orgId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud organizations list --format="json(name)"

    extractors:
      - type: json
        name: orgIds
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud alpha resource-manager org-policies describe sql.restrictPublicIp --organization=$orgId --effective --format="json(booleanPolicy)"

    matchers:
      - type: word
        words:
          - "{}"

    extractors:
      - type: dsl
        dsl:
          - '"Organization " + orgId + " has not restricted public IP access for Cloud SQL instances, allowing databases to be exposed to the internet"'
# digest: 4a0a00473045022100e31b9dc72c70e436527c709a13375971850e241a9e7fd28f42d639c75e0e122c02206969dd47000b1b8a3aaeb844818ebec000e013aa7ef98b5aa42bc8df94c24b72:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/resourcemanager/gcloud-org-sql-public-ip.yaml