Storage Container Is Publicly Accessible

  • Query id: 4d3817db-dd35-4de4-a80d-3867157e7f7f
  • Query name: Storage Container Is Publicly Accessible
  • Platform: Ansible
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Anonymous, public read access to a container and its blobs is enabled in Azure Blob Storage. Setting `public_access` on an `azure_rm_storageblob` task to `blob` lets anyone who knows a blob URL read it without credentials; `container` additionally lets anonymous callers list the container's contents. Leaving the parameter out keeps the container private, and Azure also offers an account-level switch that disallows anonymous access for every container regardless of this setting, which is the stronger control.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: Create container foo and upload a file
  azure_rm_storageblob:
    resource_group: myResourceGroup
    storage_account_name: clh0002
    container: foo
    blob: graylog.png
    src: ./files/graylog.png
    content_type: 'application/image'
    public_access: blob  # anonymous read of any blob whose URL is known
- name: Create container foo2 and upload a file
  azure_rm_storageblob:
    resource_group: myResourceGroup
    storage_account_name: clh0002
    container: foo2
    blob: graylog.png
    src: ./files/graylog.png
    public_access: container  # anonymous listing of the container plus read of every blob
    content_type: 'application/image'

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: Create container foo and upload a file
  azure_rm_storageblob:
    resource_group: myResourceGroup
    storage_account_name: clh0002
    container: foo
    blob: graylog.png
    src: ./files/graylog.png
    content_type: application/image
# access mode defaults to private
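The check this query describes, re-implemented over Ansible task structures as an added example (this is not KICS code and does not reproduce the query's own implementation). It flags any `azure_rm_storageblob` task whose `public_access` is `blob` or `container` and treats an absent parameter as private, matching the negative sample above. The fully-qualified module name, the descent into `block`/`rescue`/`always`, the playbook-versus-task-file layout and the constructed sample tasks are assumptions about ordinary Ansible files, not something taken from the page.

```python
"""Detect azure_rm_storageblob tasks that open a container to anonymous readers.

Added example for this page, not KICS code.  Module and parameter names are the
ones shown in the samples; the FQCN, the nesting keywords and the play layout
are assumptions about ordinary Ansible files.
"""
from __future__ import annotations

from typing import Any, Iterator

try:  # PyYAML is only needed to scan raw playbook text, not for the core check
    import yaml
except ImportError:
    yaml = None

# Short name used on the page, plus the collection FQCN (assumed).
MODULE_NAMES = ("azure_rm_storageblob", "azure.azcollection.azure_rm_storageblob")
# public_access values that grant anonymous read.  Omitting the key (or any
# other value) leaves the container private.
PUBLIC_LEVELS = frozenset({"blob", "container"})
# Task keywords that wrap further task lists (assumed Ansible layout).
NESTED_KEYS = ("block", "rescue", "always")
# Play keywords that hold task lists when a whole playbook is scanned.
PLAY_KEYS = ("pre_tasks", "tasks", "post_tasks", "handlers")


def iter_tasks(tasks: list[Any]) -> Iterator[dict[str, Any]]:
    """Yield every task dict, descending into block/rescue/always first."""
    for task in tasks:
        if not isinstance(task, dict):
            continue
        for key in NESTED_KEYS:
            if isinstance(task.get(key), list):
                yield from iter_tasks(task[key])
        yield task


def storageblob_args(task: dict[str, Any]) -> dict[str, Any] | None:
    """Return the module arguments if the task calls azure_rm_storageblob, else None."""
    for name in MODULE_NAMES:
        if name in task:
            args = task[name]
            return args if isinstance(args, dict) else {}
    return None


def find_public_containers(tasks: list[Any]) -> list[dict[str, Any]]:
    """One finding per task whose public_access is blob or container."""
    findings = []
    for task in iter_tasks(tasks):
        args = storageblob_args(task)
        if args is None:
            continue
        level = args.get("public_access")
        if isinstance(level, str) and level.strip().lower() in PUBLIC_LEVELS:
            findings.append({
                "task": task.get("name", "<unnamed>"),
                "container": args.get("container"),
                "public_access": level,
            })
    return findings


def remediate(task: dict[str, Any]) -> dict[str, Any]:
    """Copy of the task with public_access dropped (also inside nested blocks)."""
    fixed = dict(task)
    for name in MODULE_NAMES:
        if isinstance(fixed.get(name), dict):
            fixed[name] = {k: v for k, v in fixed[name].items() if k != "public_access"}
    for key in NESTED_KEYS:
        if isinstance(fixed.get(key), list):
            fixed[key] = [remediate(t) if isinstance(t, dict) else t for t in fixed[key]]
    return fixed


def scan_yaml(text: str) -> list[dict[str, Any]]:
    """Scan raw YAML: a bare task list (like the samples) or a playbook of plays."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to scan raw YAML text")
    doc = yaml.safe_load(text) or []
    tasks: list[Any] = []
    for item in doc:
        if isinstance(item, dict) and any(k in item for k in PLAY_KEYS):
            for key in PLAY_KEYS:
                tasks.extend(item.get(key) or [])
        else:
            tasks.append(item)
    return find_public_containers(tasks)


# Constructed sample: the page's two positive tests, a block-wrapped FQCN task
# (assumed layout) and the private negative test.
SAMPLE_TASKS = [
    {"name": "Create container foo and upload a file",
     "azure_rm_storageblob": {"resource_group": "myResourceGroup",
                              "storage_account_name": "clh0002", "container": "foo",
                              "blob": "graylog.png", "src": "./files/graylog.png",
                              "public_access": "blob"}},
    {"name": "Create container foo2 and upload a file",
     "azure_rm_storageblob": {"container": "foo2", "public_access": "container"}},
    {"name": "wrapped", "block": [
        {"name": "FQCN task", "azure.azcollection.azure_rm_storageblob":
            {"container": "foo3", "public_access": "container"}}]},
    {"name": "Create private container", "azure_rm_storageblob": {"container": "bar"}},
]

if __name__ == "__main__":
    for f in find_public_containers(SAMPLE_TASKS):
        print(f"HIGH: {f['task']!r} exposes container {f['container']!r} "
              f"(public_access={f['public_access']})")
```

`remediate` simply drops the parameter, which is the fix the negative sample shows; run `find_public_containers` again on the remediated tasks to confirm nothing is left flagged.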