From e0a77b3e46133ead3e21ecde083f08d6e5cf4f73 Mon Sep 17 00:00:00 2001 From: "Mr. Secure" Date: Fri, 11 Oct 2019 21:12:24 -0500 Subject: [PATCH] cleanup using shellcheck --- util/config | 9 ++--- util/megaprowler.sh | 84 +++++++++++++++++++++++++-------------------- 2 files changed, 51 insertions(+), 42 deletions(-) diff --git a/util/config b/util/config index 1b110bd9..12c35492 100644 --- a/util/config +++ b/util/config @@ -1,25 +1,26 @@ #!/bin/bash ########### CODEBUILD CONFIGURATION ################## - +# shellcheck disable=SC2034 ## Collect environment parameters set by buildspec CHECKGROUP=${PROWL_CHECK_GROUP} if [ "none" == "${PROWL_MASTER_ACCOUNTS}" ]; then ORG_MASTERS="" else - ORG_MASTERS=$(echo ${PROWL_MASTER_ACCOUNTS} | tr "," " ") + ORG_MASTERS=$(echo "${PROWL_MASTER_ACCOUNTS}" | tr "," " ") fi if [ "none" == "${PROWL_STANDALONE_ACCOUNTS}" ]; then STANDALONE_ACCOUNTS="" else - STANDALONE_ACCOUNTS=$(echo ${PROWL_STANDALONE_ACCOUNTS} | tr "," " ") + STANDALONE_ACCOUNTS=$(echo "${PROWL_STANDALONE_ACCOUNTS}" | tr "," " ") fi if [ "none" == "${PROWL_SKIP_ACCOUNTS}" ]; then SKIP_ACCOUNTS_REGEX='^$' else - skip_inside=$(echo ${PROWL_SKIP_ACCOUNTS} | tr "," "|") + skip_inside=$(echo "${PROWL_SKIP_ACCOUNTS}" | tr "," "|") + # shellcheck disable=SC2116 SKIP_ACCOUNTS_REGEX=$(echo "(${skip_inside})" ) fi diff --git a/util/megaprowler.sh b/util/megaprowler.sh index 4fe06371..7dbd4847 100644 --- a/util/megaprowler.sh +++ b/util/megaprowler.sh @@ -1,11 +1,14 @@ #!/bin/bash +BASEDIR=$(dirname "${0}") # source the configuration data from "config" in this directory -if [[ -f $(dirname $0)/config ]]; then - . $(dirname $0)/config +if [[ -f "${BASEDIR}/config" ]]; then + # shellcheck disable=SC1090 + . "${BASEDIR}/config" + else - echo "CONFIG file missing - $(dirname $0)/config" - exit -1 + echo "CONFIG file missing - ${BASEDIR}/config" + exit 255 fi ## Check Environment variables which are set by config 
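Review bot: `SKIP_ACCOUNTS_REGEX` is still assembled without anchors, so the `grep -qE "${SKIP_ACCOUNTS_REGEX}"` test in the @@ -118 hunk of util/megaprowler.sh matches any account id that merely contains a configured value as a substring; with `PROWL_SKIP_ACCOUNTS` coming from the buildspec, a truncated or mistyped entry silently drops more accounts from the audit than intended. Anchoring the alternation fixes that and also removes the need for the SC2116 suppression, since the `echo` only wrapped a string: `SKIP_ACCOUNTS_REGEX="^(${skip_inside})$"`. The empty-list branch can keep `'^$'` unchanged. Alternatively leave the regex as is and switch the call site to `grep -qxE`, but one of the two places should anchor the match.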
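Review bot: The `CONFIG file missing` diagnostic on the new side still goes to stdout, so a build log or a caller capturing output cannot separate it from normal progress output; write it as `echo "CONFIG file missing - ${BASEDIR}/config" >&2`. The same applies to the `Missing check group`/`Missing audit role` messages in the @@ -19 hunk, the `not in PATH` messages in the @@ -43 hunk and `Unable to execute prowler` in the @@ -62 hunk. The added empty `+` line after `. "${BASEDIR}/config"` looks accidental and can be dropped.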
@@ -19,11 +22,11 @@ fi if [[ -z $CHECKGROUP ]]; then echo "Missing check group from config file" - exit -1 + exit 255 fi if [[ -z $AUDIT_ROLE ]]; then echo "Missing audit role from config file" - exit -1 + exit 255 fi ## ======================================================================================== @@ -43,14 +46,14 @@ fi ## Check Requirements -if [[ -x $(which aws) ]]; then +if [[ -x $(command -v aws) ]]; then aws --version else echo "AWS CLI is not in PATH ... giving up" exit 4 fi -if [[ -x $(which jq) ]]; then +if [[ -x $(command -v jq) ]]; then jq --version else echo "JQ is not in PATH ... giving up" @@ -62,10 +65,9 @@ if [[ -z $CREDSOURCE ]]; then echo "No source for base credentials ... giving up" exit 5 fi -# if [[ Ec2InstanceMetadata ]] if [[ -f ${PROWLER} && -x ${PROWLER} ]]; then - PROWLER_VERSION=$(${PROWLER} -V) + ${PROWLER} -V else echo "Unable to execute prowler from ${PROWLER}" exit 3 @@ -79,10 +81,10 @@ STAMP=$(date -u +%Y%m%dT%H%M%SZ) ## Create output subdirs OUTDATA="${OUTBASE}/data/${DAYPATH}" OUTLOGS="${OUTBASE}/logs/${DAYPATH}" -mkdir -p ${OUTDATA} ${OUTLOGS} +mkdir -p "${OUTDATA}" "${OUTLOGS}" -if [[ -x $(which parallel) ]]; then +if [[ -x $(command -v parallel) ]]; then # Note: the "standard" codebuild container includes parallel echo "Using GNU sem/parallel, with NCPU+4 jobs" parallel --citation > /dev/null 2> /dev/null 
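Review bot: `[[ -x $(command -v aws) ]]` re-tests a path that `command -v` already resolved, and it yields a false negative when the name resolves to a shell function or alias, because `command -v` then prints the name rather than a path; the direct form is `if command -v aws >/dev/null 2>&1; then`. The same pattern is used for `jq` in this hunk and for `parallel` in the @@ -79 hunk.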
@@ -102,15 +104,15 @@ ALL_ACCOUNTS="" # Create a temporary credential file -export AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX) +AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX) echo "Preparing Credentials ${AWS_MASTERS_CREDENTIALS_FILE} ( ${CREDSOURCE} )" -echo "# Master Credentials ${STAMP}" >> $AWS_MASTERS_CREDENTIALS_FILE -echo "" >> $AWS_MASTERS_CREDENTIALS_FILE +echo "# Master Credentials ${STAMP}" >> "${AWS_MASTERS_CREDENTIALS_FILE}" +echo "" >> "${AWS_MASTERS_CREDENTIALS_FILE}" AWS_TARGETS_CREDENTIALS_FILE=$(mktemp -t prowler.targets-XXXXXX) echo "Preparing Credentials ${AWS_TARGETS_CREDENTIALS_FILE} ( ${CREDSOURCE} )" -echo "# Target Credentials ${STAMP}" >> $AWS_TARGETS_CREDENTIALS_FILE -echo "" >> $AWS_TARGETS_CREDENTIALS_FILE +echo "# Target Credentials ${STAMP}" >> "${AWS_TARGETS_CREDENTIALS_FILE}" +echo "" >> "${AWS_TARGETS_CREDENTIALS_FILE}" ## Visit the Organization Master accounts & build a list of all member accounts 
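Review bot: The two `mktemp` results are not checked, and the credential files are only removed by the final `rm` in the @@ -187 hunk, so an interrupted or cancelled run leaves the role-assumption profiles behind in the temp directory and a failed `mktemp` makes every later `>>` append to an empty file name. Guard each call and register cleanup once both names exist: `AWS_MASTERS_CREDENTIALS_FILE=$(mktemp -t prowler.masters-XXXXXX) || exit 1` and, after the second mktemp, `trap 'rm -f -- "${AWS_MASTERS_CREDENTIALS_FILE}" "${AWS_TARGETS_CREDENTIALS_FILE}"' EXIT`. With the trap in place the explicit `rm` at the end becomes redundant but harmless. The files hold role ARNs and `credential_source`, not keys, so this is about predictable cleanup rather than secret leakage.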
@@ -118,34 +120,38 @@ export AWS_SHARED_CREDENTIALS_FILE=$AWS_MASTERS_CREDENTIALS_FILE for org in $ORG_MASTERS ; do echo -n "Preparing organization $org " # create credential profile - echo "[audit_${org}]" >> $AWS_MASTERS_CREDENTIALS_FILE - echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}" >> $AWS_MASTERS_CREDENTIALS_FILE - echo "credential_source = ${CREDSOURCE}" >> $AWS_MASTERS_CREDENTIALS_FILE - echo "" >> $AWS_MASTERS_CREDENTIALS_FILE + { + echo "[audit_${org}]" + echo "role_arn = arn:aws:iam::${org}:role${AUDIT_ROLE}" + echo "credential_source = ${CREDSOURCE}" + echo "" + } >> "${AWS_MASTERS_CREDENTIALS_FILE}" # Get the Organization ID to use for output paths, collecting info, etc - org_id=$(aws --output json --profile audit_${org} organizations describe-organization | jq -r '.Organization.Id' ) + org_id=$(aws --output json --profile "audit_${org}" organizations describe-organization | jq -r '.Organization.Id' ) echo "( $org_id )" ORG_ID_LIST="${ORG_ID_LIST} ${org_id}" # Build the list of all accounts in the organizations - aws --output json --profile audit_${org} organizations list-accounts > ${OUTLOGS}/${STAMP}-${org_id}-account-list.json - ORG_ACCOUNTS=$( cat ${OUTLOGS}/${STAMP}-${org_id}-account-list.json | jq -r '.Accounts[].Id' | tr "\n" " ") + aws --output json --profile "audit_${org}" organizations list-accounts > "${OUTLOGS}/${STAMP}-${org_id}-account-list.json" + ORG_ACCOUNTS=$( cat "${OUTLOGS}/${STAMP}-${org_id}-account-list.json" | jq -r '.Accounts[].Id' | tr "\n" " ") ALL_ACCOUNTS="${ALL_ACCOUNTS} ${ORG_ACCOUNTS}" # Add the Org's Accounts (including master) to the TARGETS_CREDENTIALS file for target in $ORG_ACCOUNTS ; do - if $(echo $target | grep -qE $SKIP_ACCOUNTS_REGEX) ; then + if echo "$target" | grep -qE "${SKIP_ACCOUNTS_REGEX}"; then echo " skipping account ${target} ( ${org_id} )" continue fi # echo " ${org_id}_${target}" - echo "[${org_id}_${target}]" >> $AWS_TARGETS_CREDENTIALS_FILE - echo "role_arn = 
arn:aws:iam::${target}:role${AUDIT_ROLE}" >> $AWS_TARGETS_CREDENTIALS_FILE - echo "credential_source = ${CREDSOURCE}" >> $AWS_TARGETS_CREDENTIALS_FILE - echo "" >> $AWS_TARGETS_CREDENTIALS_FILE + { + echo "[${org_id}_${target}]" + echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" + echo "credential_source = ${CREDSOURCE}" + echo "" + } >> "${AWS_TARGETS_CREDENTIALS_FILE}" done done @@ -155,10 +161,12 @@ if [[ "" != "${STANDALONE_ACCOUNTS}" ]] ; then # mkdir -p ${OUTBASE}/data/standalone/${DAYPATH} ${OUTBASE}/logs/standalone/${DAYPATH} for target in $STANDALONE_ACCOUNTS ; do echo "Preparing account ${target} ( standalone )" - echo "[standalone_${target}]" >> $AWS_TARGETS_CREDENTIALS_FILE - echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" >> $AWS_TARGETS_CREDENTIALS_FILE - echo "credential_source = ${CREDSOURCE}" >> $AWS_TARGETS_CREDENTIALS_FILE - echo "" >> $AWS_TARGETS_CREDENTIALS_FILE + { + echo "[standalone_${target}]" + echo "role_arn = arn:aws:iam::${target}:role${AUDIT_ROLE}" + echo "credential_source = ${CREDSOURCE}" + echo "" + } >> "${AWS_TARGETS_CREDENTIALS_FILE}" done ALL_ACCOUNTS="${ALL_ACCOUNTS} ${STANDALONE_ACCOUNTS}" fi 
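Review bot: `org_id` is taken from `jq -r '.Organization.Id'` without checking that the `describe-organization` call succeeded; on a failed assume-role or a non-master account the pipeline yields an empty string or `null`, the loop keeps going, the script writes `${STAMP}--account-list.json` and moves on to the next master as if nothing happened. A one-line guard after the assignment keeps a broken master from being silently skipped: `[[ -n "$org_id" && "$org_id" != "null" ]] || { echo "cannot describe organization for ${org}" >&2; exit 6; }`. The `cat … | jq` on the following line can read the file directly, `jq -r '.Accounts[].Id' "${OUTLOGS}/${STAMP}-${org_id}-account-list.json"`, which shellcheck flags as SC2002.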
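Review bot: The standalone loop does not consult `SKIP_ACCOUNTS_REGEX`, while the organization-member loop in the @@ -118 hunk does, so an account listed in both `PROWL_STANDALONE_ACCOUNTS` and `PROWL_SKIP_ACCOUNTS` is still audited. If that asymmetry is intended (standalone accounts are opted in explicitly), a one-line comment above the loop saying so would stop the next reader from "fixing" it; otherwise the same `grep -qE` test and `continue` belong here too.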
@@ -170,11 +178,11 @@ fi export AWS_SHARED_CREDENTIALS_FILE=${AWS_TARGETS_CREDENTIALS_FILE} ## visit each target account -NUM_ACCOUNTS=$(grep -cE '^\[' ${AWS_TARGETS_CREDENTIALS_FILE}) +NUM_ACCOUNTS=$(grep -cE '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}") echo "Launching ${CHECKGROUP} audit of ${NUM_ACCOUNTS} accounts" -for member in $(grep -E '^\[' ${AWS_TARGETS_CREDENTIALS_FILE} | tr -d '][') ; do - ORG_ID=$(echo $member | cut -d'_' -f1) - ACCOUNT_NUM=$(echo $member | cut -d'_' -f2) +for member in $(grep -E '^\[' "${AWS_TARGETS_CREDENTIALS_FILE}" | tr -d '][') ; do + ORG_ID=$(echo "$member" | cut -d'_' -f1) + ACCOUNT_NUM=$(echo "$member" | cut -d'_' -f2) ${PARALLEL_START} "${PROWLER} -p ${member} -n -M csv -g ${CHECKGROUP} 2> ${OUTLOGS}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.log > ${OUTDATA}/${STAMP}-${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP}.csv ; echo \"${ORG_ID}-${ACCOUNT_NUM}-prowler-${CHECKGROUP} finished\" " ${PARALLEL_START_SUFFIX} done @@ -187,4 +195,4 @@ echo "Completed ${CHECKGROUP} audit with stamp ${STAMP}" # mkdir -p ${OUTBASE}/logs/debug/${DAYPATH} # cp $AWS_MASTERS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-master_creds.txt # cp $AWS_TARGETS_CREDENTIALS_FILE ${OUTLOGS}/${STAMP}-target_creds.txt -rm $AWS_MASTERS_CREDENTIALS_FILE $AWS_TARGETS_CREDENTIALS_FILE \ No newline at end of file +rm "$AWS_MASTERS_CREDENTIALS_FILE" "$AWS_TARGETS_CREDENTIALS_FILE" \ No newline at end of file
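Review bot: The command string handed to `${PARALLEL_START}` interpolates `${member}`, `${OUTLOGS}` and `${OUTDATA}` without quotes and is re-parsed as shell by whatever `PARALLEL_START` expands to (set elsewhere in the file), so a value containing whitespace or shell metacharacters — an `OUTBASE` with a space, or a malformed entry that reached the credentials file from `PROWL_STANDALONE_ACCOUNTS` — breaks or alters the command. Since `ACCOUNT_NUM` is presumably always a 12-digit account id, validating it before building the string is cheap: `[[ "$ACCOUNT_NUM" =~ ^[0-9]{12}$ ]] || { echo "skipping malformed profile ${member}" >&2; continue; }`, and the two `cut` subshells can become parameter expansions, `ORG_ID=${member%%_*}` and `ACCOUNT_NUM=${member#*_}`. The log and csv paths inside the string should be wrapped in `\"…\"` the way the trailing `echo` argument already is.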