Add GCP and Auth0 security skills#665
Expand cloud and technology coverage for GCP IAM/storage and Auth0 tenant/API misconfiguration testing.
Greptile Summary: This PR adds new security skill documentation for GCP and Auth0. The main changes are in `strix/skills/cloud/gcp.md` and `strix/skills/technologies/auth0.md`.

Confidence Score: 4/5. The new skill files are mostly mergeable after fixing the misleading security-testing examples.
| Filename | Overview |
|---|---|
| strix/skills/cloud/gcp.md | Adds a GCP skill that should load correctly, but its unauthenticated GCS listing example can use ambient credentials. |
| strix/skills/technologies/auth0.md | Adds an Auth0 skill that should load correctly, with one endpoint example that needs its authentication requirement shown. |
---
### Issue 1 of 2
strix/skills/cloud/gcp.md:42
**Ambient Credentials Skew Public Checks**
When this command runs on a machine with `gcloud` or application-default credentials, `gsutil` can list buckets with the tester's own access while the section claims to test unauthenticated exposure. That can turn a private bucket into a false public-bucket finding, or hide that the anonymous test was never performed.
```suggestion
# Anonymous listing check; avoid gsutil here because it can use ambient credentials
curl https://storage.googleapis.com/target-bucket/
```
### Issue 2 of 2
strix/skills/technologies/auth0.md:43
**Userinfo Requires A Token**
`/userinfo` is grouped with public discovery endpoints, but a correctly configured Auth0 tenant returns `401` unless the request includes a bearer access token. A tester following this literally can treat the expected auth failure as an OIDC discovery result instead of validating the authenticated userinfo path.
```suggestion
GET https://TENANT.auth0.com/userinfo
Authorization: Bearer <access_token>
```
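As an added illustration of Issue 1 (example code, not part of the PR or the Strix skill files), the following Python probe performs the anonymous listing check over plain HTTP with no credentials at all and then classifies the response. It also distinguishes the two grants named in the skill's own comment: an anonymous request only covers `allUsers`, so a 403 here does not clear the bucket of an `allAuthenticatedUsers` grant. The bucket name, the `anon-gcs-check` User-Agent and the sample XML bodies are constructed for the example.

```python
"""Anonymous GCS listing probe (added example, not the project's own code).

It sends a plain HTTP GET with no Authorization header, so the answer reflects
what an unauthenticated client sees. gsutil would silently pick up gcloud or
application-default credentials and could report a private bucket as listable.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

GCS_XML_ENDPOINT = "https://storage.googleapis.com"


def _local_tag(element):
    """Strip the XML namespace so parsing does not depend on the exact xmlns."""
    return element.tag.rsplit("}", 1)[-1]


def _error_code(body):
    """Pull <Code> out of a GCS XML error body, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if _local_tag(root) != "Error":
        return None
    for child in root.iter():
        if _local_tag(child) == "Code":
            return child.text
    return None


def classify_listing(bucket, status, body):
    """Turn (HTTP status, body) of an anonymous bucket GET into a finding.

    200 + ListBucketResult : anonymous listing allowed (allUsers grant)
    403                    : bucket exists, anonymous listing denied; this does
                             NOT rule out allAuthenticatedUsers, which needs a
                             separate request carrying any Google-account token
    404                    : no such bucket
    """
    if status == 200:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return {"bucket": bucket, "verdict": "unexpected", "keys": []}
        if _local_tag(root) != "ListBucketResult":
            return {"bucket": bucket, "verdict": "unexpected", "keys": []}
        keys = [el.text for el in root.iter() if _local_tag(el) == "Key"]
        return {"bucket": bucket, "verdict": "public-listable", "keys": keys}
    if status == 403:
        return {"bucket": bucket, "verdict": "exists-anonymous-denied",
                "keys": [], "code": _error_code(body)}
    if status == 404:
        return {"bucket": bucket, "verdict": "no-such-bucket",
                "keys": [], "code": _error_code(body)}
    return {"bucket": bucket, "verdict": "unexpected", "keys": [], "status": status}


def fetch_anonymous(bucket, timeout=10):
    """GET the bucket root with no credentials; return (status, body)."""
    req = urllib.request.Request(
        f"{GCS_XML_ENDPOINT}/{bucket}/",
        headers={"User-Agent": "anon-gcs-check/1.0"},  # deliberately no Authorization
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_bucket(bucket):
    """Network entry point: anonymous probe followed by classification."""
    status, body = fetch_anonymous(bucket)
    return classify_listing(bucket, status, body)


# Constructed sample responses in the shape GCS's XML API returns them,
# so the classifier can be exercised offline.
SAMPLE_PUBLIC = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">'
                 b'<Name>demo-bucket</Name>'
                 b'<Contents><Key>backup.sql</Key></Contents>'
                 b'<Contents><Key>config.json</Key></Contents>'
                 b'</ListBucketResult>')
SAMPLE_DENIED = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<Error><Code>AccessDenied</Code>'
                 b'<Message>Access denied.</Message></Error>')
SAMPLE_MISSING = (b'<?xml version="1.0" encoding="UTF-8"?>'
                  b'<Error><Code>NoSuchBucket</Code>'
                  b'<Message>The specified bucket does not exist.</Message></Error>')

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_PUBLIC), (403, SAMPLE_DENIED), (404, SAMPLE_MISSING)):
        print(classify_listing("demo-bucket", status, body))
```

`check_bucket` is the network entry point; the `classify_listing` function is kept pure so a recorded response can be re-evaluated without re-probing, and so a 403 is written up as "anonymous listing denied" rather than "not exposed".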
Reviews (1): Last reviewed commit: "Add GCP and Auth0 security skills"
| **Unauthenticated Enumeration** | ||
| ``` | ||
| # GCS bucket existence and listing (allUsers / allAuthenticatedUsers) | ||
| gsutil ls gs://target-bucket |
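Review bot: the `gsutil ls gs://target-bucket` line in the Unauthenticated Enumeration block runs with whatever credentials gsutil finds, and the `allUsers / allAuthenticatedUsers` comment above it names two distinct grants that no single command here checks: an anonymous HTTP GET against `https://storage.googleapis.com/target-bucket/` covers `allUsers` only, while `allAuthenticatedUsers` can only be confirmed by a request carrying a Google-account token. Suggest splitting the block into those two explicit checks so a 403 on the anonymous one is not recorded as "not exposed".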
Ambient Credentials Skew Public Checks
When this command runs on a machine with gcloud or application-default credentials, gsutil can list buckets with the tester's own access while the section claims to test unauthenticated exposure. That can turn a private bucket into a false public-bucket finding, or hide that the anonymous test was never performed.
| gsutil ls gs://target-bucket | |
| # Anonymous listing check; avoid gsutil here because it can use ambient credentials | |
| curl https://storage.googleapis.com/target-bucket/ |
| ``` | ||
| GET https://TENANT.auth0.com/.well-known/openid-configuration | ||
| GET https://TENANT.auth0.com/.well-known/jwks.json | ||
| GET https://TENANT.auth0.com/userinfo |
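Review bot: in this fenced block `/userinfo` sits beside the two `.well-known` endpoints with no header or note, so all three read as equally unauthenticated, whereas `/userinfo` is the OAuth-protected resource and answers 401 without a bearer token. Suggest giving it its own entry with `Authorization: Bearer <access_token>` and stating that a 401 on a token-less request is the tenant behaving correctly rather than a discovery result.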
/userinfo is grouped with public discovery endpoints, but a correctly configured Auth0 tenant returns 401 unless the request includes a bearer access token. A tester following this literally can treat the expected auth failure as an OIDC discovery result instead of validating the authenticated userinfo path.
| GET https://TENANT.auth0.com/userinfo | |
| GET https://TENANT.auth0.com/userinfo | |
| Authorization: Bearer <access_token> |
- Use curl instead of gsutil for anonymous GCS checks
- Document userinfo requires bearer access token
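As an added illustration of Issue 2 (example code, not part of the PR or the skill files), this Python snippet takes the userinfo URL from the public discovery document and then probes it with and without a bearer token, keeping the expected 401 distinct from both a discovery result and a real misconfiguration. `TENANT` is the placeholder from the skill text; the sample JSON bodies and the `auth0|example-user` subject are constructed.

```python
"""OIDC discovery vs /userinfo on an Auth0 tenant (added example).

The two .well-known endpoints are public metadata; /userinfo is an
OAuth-protected resource that answers 401 without a bearer token. The
classifier keeps that expected 401 separate from an actual finding.
"""
import json
import urllib.error
import urllib.request

PUBLIC_DISCOVERY_PATHS = (
    "/.well-known/openid-configuration",
    "/.well-known/jwks.json",
)


def discovery_urls(tenant_host):
    """The unauthenticated OIDC metadata endpoints for a tenant host."""
    return [f"https://{tenant_host}{p}" for p in PUBLIC_DISCOVERY_PATHS]


def parse_discovery(body):
    """Extract the fields a tester needs from openid-configuration."""
    doc = json.loads(body)
    required = ("issuer", "jwks_uri", "userinfo_endpoint")
    missing = [k for k in required if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    return {k: doc[k] for k in required}


def classify_userinfo(status, body, token_sent):
    """Interpret a /userinfo response in light of whether a token was sent.

    401 without a token : correct, expected behaviour (no finding)
    401 with a token    : the token itself was rejected
    200 without a token : userinfo served anonymously, a real misconfiguration
    200 with a token    : the authenticated path works; claims are returned
    """
    if status == 401 and not token_sent:
        return {"verdict": "expected-401-no-token", "claims": None}
    if status == 401 and token_sent:
        return {"verdict": "token-rejected", "claims": None}
    if status == 200:
        try:
            claims = json.loads(body)
        except ValueError:
            return {"verdict": "unexpected", "claims": None}
        if not token_sent:
            return {"verdict": "userinfo-open-without-token", "claims": claims}
        return {"verdict": "authenticated-ok", "claims": claims}
    return {"verdict": "unexpected", "claims": None, "status": status}


def request_userinfo(userinfo_url, access_token=None, timeout=10):
    """GET /userinfo, attaching Authorization only when a token is supplied."""
    headers = {"Accept": "application/json"}
    if access_token:
        headers["Authorization"] = f"Bearer {access_token}"
    req = urllib.request.Request(userinfo_url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_userinfo(discovery_body, access_token=None):
    """Network entry point: read userinfo_endpoint from discovery, then probe it."""
    meta = parse_discovery(discovery_body)
    status, body = request_userinfo(meta["userinfo_endpoint"], access_token)
    return classify_userinfo(status, body, token_sent=access_token is not None)


# Constructed sample bodies in the shape Auth0 returns them, for offline use.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://TENANT.auth0.com/",
    "jwks_uri": "https://TENANT.auth0.com/.well-known/jwks.json",
    "userinfo_endpoint": "https://TENANT.auth0.com/userinfo",
    "authorization_endpoint": "https://TENANT.auth0.com/authorize",
}).encode()
SAMPLE_UNAUTHORIZED = b'{"error":"unauthorized"}'
SAMPLE_USERINFO = b'{"sub":"auth0|example-user","email":"user@example.com"}'

if __name__ == "__main__":
    print(discovery_urls("TENANT.auth0.com"))
    print(classify_userinfo(401, SAMPLE_UNAUTHORIZED, token_sent=False))
    print(classify_userinfo(200, SAMPLE_USERINFO, token_sent=True))
```

Reading `userinfo_endpoint` out of the discovery document rather than hard-coding the path keeps the public and authenticated steps in the right order: discovery first, then the token-bearing call, with a token-less 401 logged as baseline behaviour.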
cc: @rajpratham1
Summary
Adds two skills from underrepresented categories in the skills README:
- cloud/gcp: GCS public buckets, IAM escalation, metadata server abuse, GKE/Cloud Functions misconfigs
- technologies/auth0: Auth0 tenant config, callback/origin flaws, Rules/Actions claim injection, MFA bypass, org boundaries

Why these skills
- /cloud: only aws and kubernetes existed
- /technologies: only Supabase and Firebase existed
- aws, oauth, django) without overlapping open skill PRs

Verification
Test plan