Bugfix - Aws metadata api discovery (#455)

* fixed aws metadata bug * added new black reformatting
aquasecurity · May 27, 2021 · 0b90e0e · 0b90e0e
1 parent 65eefed
commit 0b90e0e
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 19 deletions.
diff --git a/kube_hunter/core/events/types.py b/kube_hunter/core/events/types.py
@@ -205,7 +205,7 @@ class ReportDispatched(Event):
 
 
 class K8sVersionDisclosure(Vulnerability, Event):
-    """The kubernetes version could be obtained from the {} endpoint """
+    """The kubernetes version could be obtained from the {} endpoint"""
 
     def __init__(self, version, from_endpoint, extra_info=""):
         Vulnerability.__init__(

diff --git a/kube_hunter/modules/discovery/hosts.py b/kube_hunter/modules/discovery/hosts.py
@@ -200,7 +200,7 @@ def is_azure_pod(self):
 
     # for pod scanning
     def gateway_discovery(self):
-        """ Retrieving default gateway of pod, which is usually also a contact point with the host """
+        """Retrieving default gateway of pod, which is usually also a contact point with the host"""
         return [[gateways()["default"][AF_INET][0], "24"]]
 
     # querying AWS's interface metadata api v1 | works only from a pod
@@ -223,7 +223,7 @@ def aws_metadata_v1_discovery(self):
 
         self.publish_event(AWSMetadataApi(cidr=cidr))
 
-        return cidr, "AWS"
+        return [(address, subnet)], "AWS"
 
     # querying AWS's interface metadata api v2 | works only from a pod
     def aws_metadata_v2_discovery(self):
@@ -252,7 +252,7 @@ def aws_metadata_v2_discovery(self):
 
         self.publish_event(AWSMetadataApi(cidr=cidr))
 
-        return cidr, "AWS"
+        return [(address, subnet)], "AWS"
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):

diff --git a/kube_hunter/modules/hunting/apiserver.py b/kube_hunter/modules/hunting/apiserver.py
@@ -75,28 +75,28 @@ def __init__(self, evidence, using_token, name):
 
 
 class ListPodsAndNamespaces(ApiInfoDisclosure):
-    """ Accessing pods might give an attacker valuable information"""
+    """Accessing pods might give an attacker valuable information"""
 
     def __init__(self, evidence, using_token):
         ApiInfoDisclosure.__init__(self, evidence, using_token, "Listing pods")
 
 
 class ListNamespaces(ApiInfoDisclosure):
-    """ Accessing namespaces might give an attacker valuable information """
+    """Accessing namespaces might give an attacker valuable information"""
 
     def __init__(self, evidence, using_token):
         ApiInfoDisclosure.__init__(self, evidence, using_token, "Listing namespaces")
 
 
 class ListRoles(ApiInfoDisclosure):
-    """ Accessing roles might give an attacker valuable information """
+    """Accessing roles might give an attacker valuable information"""
 
     def __init__(self, evidence, using_token):
         ApiInfoDisclosure.__init__(self, evidence, using_token, "Listing roles")
 
 
 class ListClusterRoles(ApiInfoDisclosure):
-    """ Accessing cluster roles might give an attacker valuable information """
+    """Accessing cluster roles might give an attacker valuable information"""
 
     def __init__(self, evidence, using_token):
         ApiInfoDisclosure.__init__(self, evidence, using_token, "Listing cluster roles")
@@ -118,7 +118,7 @@ def __init__(self, evidence):
 
 class DeleteANamespace(Vulnerability, Event):
 
-    """ Deleting a namespace might give an attacker the option to affect application behavior """
+    """Deleting a namespace might give an attacker the option to affect application behavior"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -186,7 +186,7 @@ def __init__(self, evidence):
 
 
 class DeleteARole(Vulnerability, Event):
-    """ Deleting a role might allow an attacker to affect access to resources in the namespace"""
+    """Deleting a role might allow an attacker to affect access to resources in the namespace"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -199,7 +199,7 @@ def __init__(self, evidence):
 
 
 class DeleteAClusterRole(Vulnerability, Event):
-    """ Deleting a cluster role might allow an attacker to affect access to resources in the cluster"""
+    """Deleting a cluster role might allow an attacker to affect access to resources in the cluster"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -212,7 +212,7 @@ def __init__(self, evidence):
 
 
 class CreateAPod(Vulnerability, Event):
-    """ Creating a new pod allows an attacker to run custom code"""
+    """Creating a new pod allows an attacker to run custom code"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -225,7 +225,7 @@ def __init__(self, evidence):
 
 
 class CreateAPrivilegedPod(Vulnerability, Event):
-    """ Creating a new PRIVILEGED pod would gain an attacker FULL CONTROL over the cluster"""
+    """Creating a new PRIVILEGED pod would gain an attacker FULL CONTROL over the cluster"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -238,7 +238,7 @@ def __init__(self, evidence):
 
 
 class PatchAPod(Vulnerability, Event):
-    """ Patching a pod allows an attacker to compromise and control it """
+    """Patching a pod allows an attacker to compromise and control it"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -251,7 +251,7 @@ def __init__(self, evidence):
 
 
 class DeleteAPod(Vulnerability, Event):
-    """ Deleting a pod allows an attacker to disturb applications on the cluster """
+    """Deleting a pod allows an attacker to disturb applications on the cluster"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(

diff --git a/kube_hunter/modules/hunting/arp.py b/kube_hunter/modules/hunting/arp.py
@@ -41,7 +41,7 @@ def try_getting_mac(self, ip):
         return ans[ARP].hwsrc if ans else None
 
     def detect_l3_on_host(self, arp_responses):
-        """ returns True for an existence of an L3 network plugin """
+        """returns True for an existence of an L3 network plugin"""
         logger.debug("Attempting to detect L3 network plugin using ARP")
         unique_macs = list({response[ARP].hwsrc for _, response in arp_responses})
 

diff --git a/kube_hunter/modules/hunting/kubelet.py b/kube_hunter/modules/hunting/kubelet.py
@@ -303,7 +303,7 @@ class SecureKubeletPortHunter(Hunter):
     """
 
     class DebugHandlers:
-        """ all methods will return the handler name if successful """
+        """all methods will return the handler name if successful"""
 
         def __init__(self, path, pod, session=None):
             self.path = path + ("/" if not path.endswith("/") else "")

diff --git a/kube_hunter/modules/hunting/secrets.py b/kube_hunter/modules/hunting/secrets.py
@@ -10,7 +10,7 @@
 
 
 class ServiceAccountTokenAccess(Vulnerability, Event):
-    """ Accessing the pod service account token gives an attacker the option to use the server API """
+    """Accessing the pod service account token gives an attacker the option to use the server API"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(
@@ -24,7 +24,7 @@ def __init__(self, evidence):
 
 
 class SecretsAccess(Vulnerability, Event):
-    """ Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker"""
+    """Accessing the pod's secrets within a compromised pod might disclose valuable data to a potential attacker"""
 
     def __init__(self, evidence):
         Vulnerability.__init__(