File Read Vulnerability allows Attackers to Compromise S3 buckets using Prow
Severity: Medium
Program: Kubernetes
Reported by: stealthy
## Summary:
I found a vulnerability where AWS Prow allows users to sign the base path of the S3 buckets that Prow is using. Once this happens, an attacker can list every file in the S3 bucket and then sign each object's endpoint to view it. This class of vulnerability allows attackers to dump the contents of a company's entire S3 production bucket, which may hold more than just Prow server logs.
## Component Version:
Latest
## Steps To Reproduce:
1 - I'm just going to use this public instance of Prow I found as an example. I found this vulnerability while conducting a penetration test for a private program, so I cannot disclose those details.
```
https://prow.falco.org
```
2 - On this site, the vulnerable endpoint is:
```
https://prow.falco.org/job-history/s3/falco-prow-logs/%2e%3f
```
## Supporting Material/References:
3 - Prow only expects to load log text files, so it appends `/latest.txt` to the end of each S3 URL before signing it. By specifying `/.` we request the base path of the bucket, which lists every object, and the URL-encoded question mark (`%3f`) turns the appended `/latest.txt` into a query string, so it no longer forms part of the object key. The URL that gets signed therefore looks like `s3://falco-prow-logs/.?/latest.txt`, which signs the bucket's base path and dumps the listing of the entire private bucket. The same technique can be used to read any object in the bucket:
```
https://prow.falco.org/job-history/s3/falco-prow-logs/any.valid.file%3f
```
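The root cause is that an attacker-controlled path segment is concatenated into the key that gets signed, so `.` and `?` change which object the signature covers. The following Go function (Prow's language) is an added example of an input check that would reject both URLs shown above; it is not Prow's code or Prow's actual fix, and `LatestObjectKey` and the bucket and path names used in it are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrBadJobPath is returned for job-history paths that would change which
// object ends up being signed.
var ErrBadJobPath = errors.New("invalid job-history path")

// LatestObjectKey rebuilds the "<bucket>/<jobPath>/latest.txt" key that gets
// signed, but only after validating the user-supplied job path.
// Hypothetical hardening written for this write-up, not Prow's own code.
func LatestObjectKey(bucket, rawJobPath string) (string, error) {
	// Decode once so %2e / %3f cannot hide the characters checked below.
	jobPath, err := url.PathUnescape(rawJobPath)
	if err != nil {
		return "", ErrBadJobPath
	}
	// '?' and '#' would turn the appended suffix into a query string or
	// fragment once the key is assembled into a URL; reject them outright.
	if strings.ContainsAny(jobPath, "?#\x00") {
		return "", ErrBadJobPath
	}
	// Every segment must be a plain directory name: no "", "." or "..".
	for _, seg := range strings.Split(jobPath, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", ErrBadJobPath
		}
	}
	// Clean must be a no-op on a canonical path; anything else is suspicious.
	if path.Clean(jobPath) != jobPath {
		return "", ErrBadJobPath
	}
	key := bucket + "/" + jobPath + "/latest.txt"
	// The result must still sit under the bucket and still name a latest.txt.
	if !strings.HasPrefix(key, bucket+"/") || !strings.HasSuffix(key, "/latest.txt") {
		return "", ErrBadJobPath
	}
	return "s3://" + key, nil
}

func main() {
	// The two payloads from the report plus one benign job path (constructed).
	for _, p := range []string{"%2e%3f", "any.valid.file%3f", "logs/pull-falco-build"} {
		k, err := LatestObjectKey("falco-prow-logs", p)
		fmt.Printf("%-22q -> %q %v\n", p, k, err)
	}
}
```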
## Impact
An attacker can dump production data from the S3 buckets of companies that use Prow, and can also find old log files that are no longer listed in the instance's GUI.
State: Closed (Resolved)
Bounty: $250.00
Weakness: Improper Access Control - Generic