I found several strange requests in my Google App Engine log:
2620:0:1000:3001:1c2f:1188:9a2a:f8d8 - - [26/Oct/2015:16:29:55 -0700] "HEAD /an/object/path HTTP/1.1" 404 - - "curl/7.35.0" "xxx.appspot.com" ms=2 cpu_ms=0 cpm_usd=0 instance=- app_engine_release=1.9.27 trace_id=-
where /an/object/path is the path of an object in the Google Cloud Storage default bucket, which should be unknown to the user.
I have tried listing the bucket content using another account with:
gsutil ls gs://xxx.appspot.com
which gives "AccessDeniedException: 403 Forbidden", and
which shows nothing.
gsutil acl get gs://xxx.appspot.com/...
outputs:
[
{
"entity": "project-owners-1096471376163",
"projectTeam": {
"projectNumber": "1096471376163",
"team": "owners"
},
"role": "OWNER"
},
{
"entity": "project-editors-1096471376163",
"projectTeam": {
"projectNumber": "1096471376163",
"team": "editors"
},
"role": "OWNER"
},
{
"entity": "project-viewers-1096471376163",
"projectTeam": {
"projectNumber": "1096471376163",
"team": "viewers"
},
"role": "READER"
},
{
"entity": "user-00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
"entityId": "00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
"role": "OWNER"
}
]
So I suspect that either
- my account is hacked, and/or
- permission of the bucket/objects is set wrongly, and/or
- there are some buggy APIs which may be possible to list/query the bucket content.
Supposing that my account is hacked, the hacker could get the bucket objects directly; he/she would not really need to send requests to GAE, so the chances of 2 and 3 are also high.
So I want to ask: what tool/command can I use to check whether my bucket is really safe against public access?
For case 3, maybe many other accounts are affected too.
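As an added example (not code from the question or from Google), here is one way to answer the "is my bucket safe against public access" part programmatically: parse the JSON that `gsutil acl get` prints and flag the two entities that make a Cloud Storage resource public, `allUsers` and `allAuthenticatedUsers`, then confirm from the outside with an unauthenticated HEAD against the public `storage.googleapis.com` endpoint. The first sample ACL is the one shown in the question; the second, with an `allUsers` READER grant, is constructed here for comparison. The probe function performs a real network request and is not exercised by the sample section.

```python
"""Check a Google Cloud Storage ACL (as printed by `gsutil acl get`) for public
grants, and optionally probe an object anonymously. Added example, not part of
the original question."""
import json
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Grants to either of these entities expose the resource beyond the project:
# allUsers = anyone on the internet, allAuthenticatedUsers = anyone with a
# Google account. Neither appears in the ACL quoted in the question.
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def public_grants(acl_json: str) -> List[Dict]:
    """Return the ACL entries whose entity is public (empty list if none)."""
    acl = json.loads(acl_json)
    return [entry for entry in acl if entry.get("entity") in PUBLIC_ENTITIES]


def is_public(acl_json: str) -> bool:
    """True if the ACL contains at least one public grant of any role."""
    return bool(public_grants(acl_json))


def anonymous_probe(bucket: str, object_path: str, timeout: float = 10.0) -> int:
    """Send an unauthenticated HEAD to the public GCS endpoint and return the
    HTTP status. 200 means anyone can read the object; 403 means the request
    was denied; 404 means the object or bucket was not found for an anonymous
    caller. This makes a network call and is not run by the sample section."""
    url = f"https://storage.googleapis.com/{bucket}/{object_path.lstrip('/')}"
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


# The object ACL quoted in the question: project owners/editors/viewers plus one
# user entity, no public grant.
ACL_FROM_QUESTION = """[
  {"entity": "project-owners-1096471376163",
   "projectTeam": {"projectNumber": "1096471376163", "team": "owners"}, "role": "OWNER"},
  {"entity": "project-editors-1096471376163",
   "projectTeam": {"projectNumber": "1096471376163", "team": "editors"}, "role": "OWNER"},
  {"entity": "project-viewers-1096471376163",
   "projectTeam": {"projectNumber": "1096471376163", "team": "viewers"}, "role": "READER"},
  {"entity": "user-00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f",
   "entityId": "00b4903a978e00507e97b8a0898de74c6896e15ea3bf3e4c4fcdcbc4eb209c8f", "role": "OWNER"}
]"""

# Constructed ACL (not from the question) with a world-readable grant added,
# the shape a misconfigured bucket or object would show.
ACL_WORLD_READABLE = """[
  {"entity": "project-owners-1096471376163",
   "projectTeam": {"projectNumber": "1096471376163", "team": "owners"}, "role": "OWNER"},
  {"entity": "allUsers", "role": "READER"}
]"""


def summarize(acl_json: str) -> str:
    """Human-readable verdict for one ACL document."""
    grants = public_grants(acl_json)
    if not grants:
        return "no public grants"
    return "PUBLIC: " + ", ".join(f"{g['entity']}={g['role']}" for g in grants)


if __name__ == "__main__":
    # Usage: gsutil acl get gs://BUCKET[/OBJECT] | python check_acl.py
    # With no stdin data, show the two embedded samples instead.
    if not sys.stdin.isatty():
        print(summarize(sys.stdin.read()))
    else:
        print("question ACL:", summarize(ACL_FROM_QUESTION))
        print("constructed ACL:", summarize(ACL_WORLD_READABLE))
```

Run it against the bucket ACL (`gsutil acl get gs://xxx.appspot.com`), the default object ACL (`gsutil defacl get gs://xxx.appspot.com`) and the individual objects, since each can carry its own grants; on current Cloud Storage also inspect bucket IAM (`gsutil iam get gs://xxx.appspot.com`) for `allUsers`/`allAuthenticatedUsers` members, which this ACL parser does not see. A 403 from `anonymous_probe` on the logged path confirms the object is not readable without credentials, independent of what the ACL listing says.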