Merge pull request #57 from PaperMtn/release/4.2.0

Release/4.2.0

Author: PaperMtn

CHANGELOG.md

@@ -1,3 +1,8 @@
+## [4.2.0] - 2024-09-27
+### Added
+- Added enumeration of conversations with populated Canvases attached. These can contain sensitive information, and are worth reviewing.
+- Added join domain to unauthenticated probe. This is the link to use to sign into a Workspace if you have an email with one of the approved domains.
+
 ## [4.1.2] - 2024-09-14
 ### Added
 - Added enumeration of authentication options for the Workspace you authed to.

README.md

@@ -49,8 +49,9 @@ You can run Slack Watchman to look for results going back as far as:
 It also enumerates the following:
 - User data
     - All users & all admins
-- Channel data
-    - All channels, including externally shared channels
+- Conversation data
+    - All conversations, including externally shared conversations
+    - All conversations that include a Slack Canvas (which often contain sensitive or important information)
 - Workspace authentication options
 
 
@@ -110,7 +111,7 @@ team:read
 users:read
 users:read.email
 ```
-**Note**: User tokens act on behalf of the user who authorises them, so I would suggest you create this app and authorise it using a service account, otherwise the app will have access to your private channels and chats.
+**Note**: User tokens act on behalf of the user who authorises them, so I would suggest you create this app and authorise it using a service account, otherwise the app will have access to your private conversations and chats.
 
 ### Cookie Authentication
 Alternatively, Slack Watchman can also authenticate to Slack using a user `d` cookie, which is stored in the browser of each user logged into a workspace.

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "slack-watchman"
-version = "4.1.2"
+version = "4.2.0"
 description = "Monitoring and enumerating Slack for exposed secrets"
 authors = ["PaperMtn <papermtn@protonmail.com>"]
 license = "GPL-3.0"

pyproject.toml

@@ -321,7 +321,15 @@ def main():
             OUTPUT_LOGGER.log(
                 'SUCCESS',
                 f'Users output to CSV file: {os.path.join(os.getcwd(), "slack_channels.csv")}')
-
+            OUTPUT_LOGGER.log('INFO', 'Finding public Canvases')
+            for channel in channel_list:
+                if not channel.canvas_empty and channel.canvas_id:
+                    canvas_information = {
+                        'channel_name': channel.name,
+                        'canvas_url': f'{workspace_information.url}canvas/{channel.id}'
+                    }
+                    OUTPUT_LOGGER.log('CANVAS', canvas_information, detect_type='Canvas',
+                                      notify_type='canvas')
         if everything or not pii and not secrets:
             OUTPUT_LOGGER.log('INFO', 'Searching for PII and Secrets')
             for signature in signature_list:

src/slack_watchman/__init__.py

@@ -1,6 +1,6 @@
 import time
 from dataclasses import dataclass
-from typing import List, Dict
+from typing import List, Dict, Optional
 
 
 def _convert_timestamp(timestamp: str or int) -> str or None:
@@ -44,6 +44,8 @@ class Conversation(object):
     previous_names: List[str]
     purpose: str
     topic: str
+    canvas_empty: Optional[bool]
+    canvas_id: Optional[str]
     num_members: int
     is_member: bool
     is_pending_ext_shared: bool
@@ -71,6 +73,8 @@ class ConversationSuccinct(object):
     is_im: bool
     is_mpim: bool
     is_archived: bool
+    canvas_empty: Optional[bool]
+    canvas_id: Optional[str]
     creator: str
     num_members: int
 
@@ -107,6 +111,8 @@ def create_from_dict(conv_dict: Dict, verbose: bool) -> Conversation or Conversa
             previous_names=conv_dict.get('previous_names'),
             is_member=conv_dict.get('is_member'),
             purpose=conv_dict.get('purpose', {}).get('value'),
+            canvas_empty=conv_dict.get('properties', {}).get('canvas', {}).get('is_empty'),
+            canvas_id=conv_dict.get('properties', {}).get('canvas', {}).get('file_id'),
             topic=conv_dict.get('topic', {}).get('value')
         )
     else:
@@ -119,5 +125,7 @@ def create_from_dict(conv_dict: Dict, verbose: bool) -> Conversation or Conversa
             is_im=conv_dict.get('is_im'),
             is_mpim=conv_dict.get('is_mpim'),
             is_archived=conv_dict.get('is_archived'),
+            canvas_empty=conv_dict.get('properties', {}).get('canvas', {}).get('is_empty'),
+            canvas_id=conv_dict.get('properties', {}).get('canvas', {}).get('file_id'),
             creator=conv_dict.get('creator'),
         )

src/slack_watchman/models/conversation.py

@@ -583,6 +583,7 @@ def find_auth_information(domain_url: str) -> Dict[str, List[str]] | None:
 
         output = {
             'formatted_email_domains': props_data.get('formattedEmailDomains', None),
+            'join_url': f'https://join.slack.com/t/{props_data.get("teamDomain")}/signup',
             'user_oauth': [
                 'google' if props_data.get('userOauth', {}).get('google', {}).get('enabled', False) else None,
                 'apple' if props_data.get('userOauth', {}).get('apple', {}).get('enabled', False) else None
@@ -594,7 +595,8 @@ def find_auth_information(domain_url: str) -> Dict[str, List[str]] | None:
             'sso_enabled': props_data.get('isSSOAuthMode', None),
             'two_factor_required': props_data.get('twoFactorRequired', None)
         }
-        if output.get('formatted_email_domains') == "":
-            output['formatted_email_domains'] = "N/A"
+        if output.get('formatted_email_domains') == '':
+            output['formatted_email_domains'] = 'N/A'
+            output['join_url'] = 'N/A'
 
         return output

src/slack_watchman/slack_wrapper.py

@@ -53,6 +53,7 @@ def log(self,
                       f'    TEAM_ID: {message.get("team_id")}  \n' \
                       f'    PAID_TEAM: {message.get("paid_team")}  \n' \
                       f'    APPROVED_DOMAINS: {message.get("formatted_email_domains")}  \n' \
+                      f'    JOIN_URL: {message.get("join_url")}  \n' \
                       f'    OAUTH_PROVIDERS: {message.get("user_oauth")} \n' \
                       f'    STANDARD_AUTH: {message.get("standard_auth_enabled")} \n' \
                       f'    SSO_ENABLED: {message.get("sso_enabled")} \n' \
@@ -68,6 +69,11 @@ def log(self,
                       f'    OWNER: {message.get("is_owner")} \n' \
                       f'    HAS_2FA: {message.get("has_2fa")}'
             mes_type = 'USER'
+        if notify_type == "canvas":
+            message = f'CANVAS: \n' \
+                      f'    CHANNEL: {message.get("channel_name")}  \n' \
+                      f'    CANVAS_URL: {message.get("canvas_url")}'
+            mes_type = 'USER'
         if notify_type == "result":
             if message.get('message'):
                 if message.get('message').get('conversation').get('is_im'):
@@ -257,6 +263,8 @@ def __init__(self, name: str = 'Slack Watchman', **kwargs):
             '{"timestamp": "%(asctime)s", "level": "WORKSPACE_AUTH", "message": %(message)s}')
         self.workspace_probe_format = logging.Formatter(
             '{"timestamp": "%(asctime)s", "level": "WORKSPACE_PROBE", "message": %(message)s}')
+        self.canvas_format = logging.Formatter(
+            '{"timestamp": "%(asctime)s", "level": "CANVAS", "message": %(message)s}')
         self.logger = logging.getLogger(self.name)
         self.handler = logging.StreamHandler(sys.stdout)
         self.logger.addHandler(self.handler)
@@ -293,6 +301,11 @@ def log(self,
             self.logger.info(json.dumps(
                 log_data,
                 cls=EnhancedJSONEncoder))
+        elif level.upper() == 'CANVAS':
+            self.handler.setFormatter(self.canvas_format)
+            self.logger.info(json.dumps(
+                log_data,
+                cls=EnhancedJSONEncoder))
         elif level.upper() == 'WORKSPACE':
             self.handler.setFormatter(self.workspace_format)
             self.logger.info(json.dumps(