#!/bin/bash############################# Run this tool to find Cloud Functions that permit unauthenticated invocations# anywhere in your GCP organization.# Enjoy!############################for proj in $(gcloudprojectslist--format="get(projectId)"); doecho"[*] scraping project $proj"enabled=$(gcloudserviceslist--project"$proj"|grep"Cloud Functions API")if [ -z"$enabled" ]; thencontinuefifor func_region in $(gcloudfunctionslist--quiet--project"$proj"--format="value[separator=','](NAME,REGION)"); do# drop substring from first occurence of "," to end of string.func="${func_region%%,*}"# drop substring from start of string up to last occurence of ","region="${func_region##*,}"ACL="$(gcloudfunctionsget-iam-policy "$func" --project "$proj" --region "$region")"all_users="$(echo "$ACL" |grepallUsers)"all_auth="$(echo "$ACL" |grepallAuthenticatedUsers)"if [ -z"$all_users" ]then:elseecho"[!] Open to all users: $proj: $func"fiif [ -z"$all_auth" ]then:elseecho"[!] Open to all authenticated users: $proj: $func"fidonedone
