From 76a2ebbf2aa0ec98581da4cc56b9b88afd273c96 Mon Sep 17 00:00:00 2001
From: Rami McCarthy <ramimac@users.noreply.github.com>
Date: Tue, 26 Dec 2023 12:57:20 +0100
Subject: [PATCH] Closes #236: Open in Cloud Shell injection (#240)

* Closes #236: Open in Cloud Shell injection

* fix image

* Update gcp-cloudshell-open-in-command-injection.yaml

---------

Co-authored-by: Amitai Cohen <71866656+korniko98@users.noreply.github.com>
---
 ...-cloudshell-open-in-command-injection.yaml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml

diff --git a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
new file mode 100644
index 0000000..723ddb8
--- /dev/null
+++ b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
@@ -0,0 +1,34 @@
+title: "Open In" Google Cloud Shell command injection
+slug: gcp-cloudshell-open-in-command-injection
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Google Cloud Shell
+image: https://images.unsplash.com/photo-1541427914209-ef891bee99fd?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3174&q=80
+severity: Medium
+discoveredBy:
+  name: Ademar Nowasky Junior
+  org: null
+  domain: null
+  twitter: nowaskyjr
+publishedAt: 2021/12/28
+disclosedAt: null
+exploitabilityPeriod: Until 2021/01/23
+knownITWExploitation: false
+summary: |
+  A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
+  The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters,
+  which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos,
+  "go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and
+  an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is
+  possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear,
+  as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing
+  could be used to try and coerce a user into running a command that exposed their credentials to the attacker.
+  Google mitigated this issue by preventing users from being able to provide both parameters at once.
+manualRemediation: |
+  None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://docs.google.com/document/d/1-TTCS6fS6kvFUkoJmX4Udr-czQ79lSUVXiWsiAED_bs