aws-profile-sync's Introduction

aws-profile-sync ☁️🧻🚰

aws-profile-sync is a command line utility that simplifies the synchronization of AWS credential profiles across groups of users.

Requirements

  • Python versions 3.6 and above. Note that Python 2 is not supported.
  • Git version 2.23 and above if using the Git handler.

Installation

From source:

git clone https://github.com/cisagov/aws-profile-sync.git
cd aws-profile-sync
pip install -r requirements.txt

Usage

The utility reads a credentials file looking for magic #!aws-profile-sync comments. It will then fetch the remote content and intelligently integrate it into a new credentials file.

[cool-user]
aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

#!profile-sync ssh://[email protected]/aceofspades/aws-profiles.git branch=master filename=roles -- source_profile=cool-user role_session_name=lemmy-is-god mfa_serial=arn:aws:iam::123456789012:mfa/ian.kilmister

# This line will get replaced

#!profile-sync-stop

# These lines won't be modified by the utility.
# That was a great time, the summer of '71 - I can't remember it, but I'll never forget it!

The utility will replace all the content between the #!aws-profile-sync and #!aws-profile-sync-stop lines in the above example. To do this it will:

  • Clone the repository that lives at [email protected]/aceofspades/aws-profiles.git.
  • Switch to the master branch.
  • Read the file roles.
  • Override and replace any values specified after the -- in the magic line.

A copy of your previous credentials file is stored next to it as credentials.backup.
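As an added example that is not part of the project's own code, the Python below sketches the two steps described above: replacing everything between the start and stop markers with the fetched profiles, and forcing the key=value pairs after the -- onto every fetched profile so that the local credentials file, not the remote roles file, decides source_profile, mfa_serial and the session name. The Git handler is replaced by an injected fetch callable, and the host, repository and key values in the sample are constructed placeholders.

```python
import configparser
import io

START, STOP = "#!profile-sync", "#!profile-sync-stop"  # markers as in the README example

def parse_magic_line(line):
    # '#!profile-sync <url> k=v ... -- k=v ...' -> (url, fetch_opts, overrides)
    fetch_part, _, override_part = line[len(START):].strip().partition(" -- ")
    tokens = fetch_part.split()
    fetch_opts = dict(t.split("=", 1) for t in tokens[1:])
    overrides = dict(t.split("=", 1) for t in override_part.split())
    return tokens[0], fetch_opts, overrides
def apply_overrides(remote_ini, overrides):
    # Force each override onto every fetched profile: the local file, not the remote one, decides them.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(remote_ini)
    for section in cp.sections():
        for key, value in overrides.items():
            cp[section][key] = value
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue().rstrip()

def sync(credentials_text, fetch):
    # Replace each START..STOP block; fetch(url, opts) is injected (the real tool clones with Git).
    lines, out, i = credentials_text.splitlines(), [], 0
    while i < len(lines):
        out.append(lines[i])
        if lines[i].startswith(START + " "):
            url, opts, overrides = parse_magic_line(lines[i])
            out.append(apply_overrides(fetch(url, opts), overrides))
            i += 1  # discard the stale content up to the stop marker
            while i < len(lines) and not lines[i].startswith(STOP):
                i += 1
            if i == len(lines):  # refuse to truncate the file when the stop marker is missing
                raise ValueError("missing " + STOP)
            out.append(lines[i])
        i += 1
    return "\n".join(out) + "\n"
# Constructed sample input; host, repository and key value are placeholders, not the README's.
SAMPLE = """[cool-user]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
#!profile-sync ssh://git@example.invalid/team/aws-profiles.git branch=master filename=roles -- source_profile=cool-user role_session_name=lemmy-is-god
# This line will get replaced
#!profile-sync-stop
# These lines won't be modified by the utility.
"""
def fake_fetch(url, opts):  # stands in for the Git handler; returns a constructed remote roles file
    return "[dev-role]\nrole_arn = arn:aws:iam::123456789012:role/dev\nsource_profile = wrong\n"
```

Running sync(SAMPLE, fake_fetch) yields the original [cool-user] section, the magic line, the fetched dev-role profile with source_profile rewritten to cool-user, the stop marker and the untouched trailing comment.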

For detailed usage instructions see: aws-profile-sync --help

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

aws-profile-sync's People

Contributors

mcdonnnj, felddy, jsf9k, dav3r, hillaryj, snowdensb, mend-for-github-com[bot]

aws-profile-sync's Issues

CVE-2022-40897 (Medium) detected in setuptools-57.4.0-py3-none-any.whl

CVE-2022-40897 - Medium Severity Vulnerability

Vulnerable Library - setuptools-57.4.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Dependency Hierarchy:

  • setuptools-57.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page.

Publish Date: 2022-12-23

URL: CVE-2022-40897

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Release Date: 2022-12-23

Fix Resolution: setuptools - 65.5.1


⛑️ Automatic Remediation is available for this issue

CVE-2022-40898 (Medium) detected in wheel-0.37.0-py2.py3-none-any.whl

CVE-2022-40898 - Medium Severity Vulnerability

Vulnerable Library - wheel-0.37.0-py2.py3-none-any.whl

A built-package format for Python

Library home page: https://files.pythonhosted.org/packages/04/80/cad93b40262f5d09f6de82adbee452fd43cdff60830b56a74c5930f7e277/wheel-0.37.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Dependency Hierarchy:

  • wheel-0.37.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

Publish Date: 2022-12-23

URL: CVE-2022-40898

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-23

Fix Resolution: wheel 0.38.0


⛑️ Automatic Remediation is available for this issue

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Other Branches

These updates are pending.

  • Update actions/cache action to v4
  • Update actions/checkout action to v4
  • Update actions/setup-go action to v5
  • Update actions/setup-python action to v5
  • Update actions/upload-artifact action to v4
  • Update github/codeql-action action to v3

Detected dependencies

github-actions
.github/workflows/build.yml
  • actions/checkout v2
  • actions/setup-python v2
  • actions/setup-go v2
  • actions/cache v2
  • mxschmitt/action-tmate v3
  • actions/checkout v2
  • actions/setup-python v2
  • actions/cache v2
  • mxschmitt/action-tmate v3
  • actions/checkout v2
  • actions/setup-python v2
  • actions/cache v2
  • mxschmitt/action-tmate v3
  • actions/checkout v2
  • actions/setup-python v2
  • actions/cache v2
  • actions/upload-artifact v2
  • mxschmitt/action-tmate v3
.github/workflows/codeql-analysis.yml
  • actions/checkout v2
  • github/codeql-action v1
  • github/codeql-action v1
  • github/codeql-action v1
pip_requirements
requirements-dev.txt
requirements.txt
pip_setup
setup.py
  • setuptools >= 24.2.0
  • coveralls != 1.11.0

wheel-0.37.0-py2.py3-none-any.whl: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - wheel-0.37.0-py2.py3-none-any.whl

A built-package format for Python

Library home page: https://files.pythonhosted.org/packages/04/80/cad93b40262f5d09f6de82adbee452fd43cdff60830b56a74c5930f7e277/wheel-0.37.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Vulnerabilities

  • CVE-2022-40898: Severity High, CVSS 7.5, Dependency wheel-0.37.0-py2.py3-none-any.whl, Type Direct, Fixed in wheel version 0.38.0, Remediation Possible**

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-40898

Vulnerable Library - wheel-0.37.0-py2.py3-none-any.whl

A built-package format for Python

Library home page: https://files.pythonhosted.org/packages/04/80/cad93b40262f5d09f6de82adbee452fd43cdff60830b56a74c5930f7e277/wheel-0.37.0-py2.py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Dependency Hierarchy:

  • wheel-0.37.0-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

Publish Date: 2022-12-23

URL: CVE-2022-40898

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-23

Fix Resolution: 0.38.0

⛑️ Automatic Remediation will be attempted for this issue.


setuptools-57.4.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - setuptools-57.4.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Vulnerabilities

  • CVE-2024-6345: Severity High, CVSS 8.8, Dependency setuptools-57.4.0-py3-none-any.whl, Type Direct, Fixed in setuptools version 70.0.0, Remediation Possible**
  • CVE-2022-40897: Severity Medium, CVSS 5.9, Dependency setuptools-57.4.0-py3-none-any.whl, Type Direct, Fixed in setuptools version 65.5.1, Remediation Possible**

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-6345

Vulnerable Library - setuptools-57.4.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Dependency Hierarchy:

  • setuptools-57.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Publish Date: 2024-07-15

URL: CVE-2024-6345

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-6345

Release Date: 2024-07-15

Fix Resolution: 70.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-40897

Vulnerable Library - setuptools-57.4.0-py3-none-any.whl

Easily download, build, install, upgrade, and uninstall Python packages

Library home page: https://files.pythonhosted.org/packages/bd/25/5bdf7f1adeebd4e3fa76b2e2f045ae53ee208e40a4231ad0f0c3007e4353/setuptools-57.4.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/aws-profile-sync

Path to vulnerable library: /tmp/ws-scm/aws-profile-sync

Dependency Hierarchy:

  • setuptools-57.4.0-py3-none-any.whl (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Publish Date: 2022-12-23

URL: CVE-2022-40897

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Release Date: 2022-12-23

Fix Resolution: 65.5.1

⛑️ Automatic Remediation will be attempted for this issue.

