From 28539b7ab82399d40268ccbf39fae5c1d29d27e6 Mon Sep 17 00:00:00 2001
From: Usman Nasir
Date: Wed, 17 Aug 2022 10:38:02 +0500
Subject: [PATCH] address some security issues

---
 CyberCP/secMiddleware.py | 67 ++++++++++++-------
 plogical/applicationInstaller.py | 2 -
 .../websiteFunctions/WPEidtPlugin.html | 2 +-
 .../websiteFunctions/WPRestoreHome.html | 2 +-
 4 files changed, 43 insertions(+), 30 deletions(-)

diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py
index d6d0db649..f4afa57c8 100755
--- a/CyberCP/secMiddleware.py
+++ b/CyberCP/secMiddleware.py
@@ -58,7 +58,6 @@ class secMiddleware:
 for key, value in data.items():
 if request.path.find('gitNotify') > -1:
 break
-
 if type(value) == str or type(value) == bytes:
 pass
 else:
@@ -72,31 +71,47 @@ class secMiddleware:
 final_json = json.dumps(final_dic)
 return HttpResponse(final_json)
- if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
- continue
- if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
- or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \
- or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
- or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
- or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
- continue
- if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
- or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
- or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
- or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
- logging.writeToFile(request.body)
- final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
- "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
- final_json = json.dumps(final_dic)
-
return HttpResponse(final_json)
- if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
- or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
- or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
- or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
- logging.writeToFile(request.body)
- final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
- final_json = json.dumps(final_dic)
- return HttpResponse(final_json)
+ if hasattr(value, "__len__"):
+ for items in value:
+ if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find(
+ '&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \
+ or items.find("`") > -1 or items.find("$") > -1 or items.find(
+ "(") > -1 or items.find(")") > -1 \
+ or items.find("'") > -1 or items.find("[") > -1 or items.find(
+ "]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
+ or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
+ logging.writeToFile(request.body)
+ final_dic = {
+ 'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
+ "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+ final_json = json.dumps(final_dic)
+ return HttpResponse(final_json)
+ else:
+ if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or
request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
+ continue
+ if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
+ or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \
+ or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
+ or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
+ or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
+ continue
+ if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
+ or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
+ or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
+ or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+ logging.writeToFile(request.body)
+ final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
+ "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+ final_json = json.dumps(final_dic)
+ return HttpResponse(final_json)
+ if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
+ or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
+ or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
+ or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
+ logging.writeToFile(request.body)
+ final_dic = {'error_message': "Data
supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
+ final_json = json.dumps(final_dic)
+ return HttpResponse(final_json)
 except BaseException as msg:
 logging.writeToFile(str(msg))
 response = self.get_response(request)
diff --git a/plogical/applicationInstaller.py b/plogical/applicationInstaller.py
index bdd89f614..a992a4584 100755
--- a/plogical/applicationInstaller.py
+++ b/plogical/applicationInstaller.py
@@ -1841,8 +1841,6 @@ $parameters = array(
 stdoutput = ProcessUtilities.outputExecutioner(command)
-
-
 elif self.data['plugin'] == 'selected':
 pluginsList = ''
diff --git a/websiteFunctions/templates/websiteFunctions/WPEidtPlugin.html b/websiteFunctions/templates/websiteFunctions/WPEidtPlugin.html
index 08341d99d..2cb4ec310 100644
--- a/websiteFunctions/templates/websiteFunctions/WPEidtPlugin.html
+++ b/websiteFunctions/templates/websiteFunctions/WPEidtPlugin.html
@@ -10,7 +10,7 @@
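Review bot: The new `if hasattr(value, "__len__"):` guard at the top of the added block makes the `else:` branch — the endpoint allow-list, the key allow-list, the `value.find(...)` check and the `key.find(...)` check — unreachable for ordinary form values, because the earlier hunk's `type(value) == str or type(value) == bytes` test appears to reject everything else and both `str` and `bytes` define `__len__`, so every surviving value takes the iteration branch. Iterating a `str` yields single characters, so the multi-character patterns (`'- -'`, `'&&'`, `'...'`) can no longer match, the key is never inspected and the per-endpoint and per-key exemptions are ignored; iterating `bytes` yields `int`s, whose missing `.find` raises `AttributeError` into the `except BaseException` at the end of the hunk, which only logs and then proceeds to `self.get_response(request)`, so such a request is not checked at all. If the intent was to also cover list-valued inputs, the guard should be `if not isinstance(value, (str, bytes)):` so scalar values fall through to the existing checks, and the iteration branch should apply the same allow-list and key checks as the scalar path (ideally through one shared helper rather than a second copy of the character list). The enclosing method starts before the hunk.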
-

{% trans "Eidt Plugin Bucket" %} +

{% trans "Edit Plugin Bucket" %}

diff --git a/websiteFunctions/templates/websiteFunctions/WPRestoreHome.html b/websiteFunctions/templates/websiteFunctions/WPRestoreHome.html
index 5d5501bd2..60e121334 100644
--- a/websiteFunctions/templates/websiteFunctions/WPRestoreHome.html
+++ b/websiteFunctions/templates/websiteFunctions/WPRestoreHome.html
@@ -44,7 +44,7 @@
{% else %}
- +