Nemcio/CyberPanel
1
0
Fork 0
mirror of https://github.com/usmannasir/cyberpanel.git synced 2025-11-05 12:55:44 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
dcf3b9bc09d4516082deae547a337c7dac9f70a1
CyberPanel/CyberCP/secMiddleware.py

172 lines
9.7 KiB
Python
Raw Normal View History

add info for https://github.com/usmannasir/cyberpanel/issues/179
2019-12-15 15:08:01 +05:00
# coding=utf-8
security improvments
2024-01-22 17:03:01 +05:00
import os.path
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
from django.shortcuts import HttpResponse, render
Bug fixes
2018-09-24 18:56:48 +05:00
import json
incremental backups: completion and s3:aws integration
2019-10-14 17:40:58 +05:00
import re
Feature: allow user to disable session ip check
2019-11-12 14:01:29 +05:00
from loginSystem.models import Administrator
Bug fix to email policy server.
2018-06-30 15:29:56 +05:00
bug fix: fix opendkim on config rest
2024-01-06 15:11:55 +05:00
Bug fix to email policy server.
2018-06-30 15:29:56 +05:00
class secMiddleware:
Feature: allow user to disable session ip check
2019-11-12 14:01:29 +05:00
HIGH = 0
LOW = 1
Add Cloudflare support
2021-06-08 23:21:41 +00:00
def get_client_ip(request):
ip = request.META.get('HTTP_CF_CONNECTING_IP')
if ip is None:
ip = request.META.get('REMOTE_ADDR')
return ip
Bug fix to email policy server.
2018-06-30 15:29:56 +05:00
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
CloudLinux, CageFS and security improvements
2019-07-16 23:23:16 +05:00
try:
uID = request.session['userID']
Feature: allow user to disable session ip check
2019-11-12 14:01:29 +05:00
admin = Administrator.objects.get(pk=uID)
release v2.3.8
2024-10-31 07:48:51 +04:00
ipAddr = secMiddleware.get_client_ip(request)
bug fix for ubuntu and docker manager
2019-07-24 22:37:37 +05:00
if ipAddr.find('.') > -1:
Feature: allow user to disable session ip check
2019-11-12 14:01:29 +05:00
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
bug fix for ubuntu and docker manager
2019-07-24 22:37:37 +05:00
pass
else:
del request.session['userID']
del request.session['ipAddr']
release v2.3.8
2024-10-31 07:48:51 +04:00
logging.writeToFile(secMiddleware.get_client_ip(request))
bug fix for ubuntu and docker manager
2019-07-24 22:37:37 +05:00
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
"errorMessage": "Session reuse detected, IPAddress logged."}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
CloudLinux, CageFS and security improvements
2019-07-16 23:23:16 +05:00
else:
release v2.3.8
2024-10-31 07:48:51 +04:00
ipAddr = secMiddleware.get_client_ip(request).split(':')[:3]
Feature: allow user to disable session ip check
2019-11-12 14:01:29 +05:00
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
bug fix for ubuntu and docker manager
2019-07-24 22:37:37 +05:00
pass
else:
del request.session['userID']
del request.session['ipAddr']
release v2.3.8
2024-10-31 07:48:51 +04:00
logging.writeToFile(secMiddleware.get_client_ip(request))
bug fix for ubuntu and docker manager
2019-07-24 22:37:37 +05:00
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
"errorMessage": "Session reuse detected, IPAddress logged."}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
CloudLinux, CageFS and security improvements
2019-07-16 23:23:16 +05:00
except:
pass
command injection check in some fm functions
2020-02-07 21:26:55 +05:00
security improvments
2024-01-22 17:03:01 +05:00
from plogical.processUtilities import ProcessUtilities
add improvments for ssl
2024-01-24 11:05:51 +05:00
# if os.path.exists(ProcessUtilities.debugPath):
# logging.writeToFile(request.build_absolute_uri())
security improvments
2024-01-22 17:03:01 +05:00
FinalURL = request.build_absolute_uri().split('?')[0]
add improvments for ssl
2024-01-24 11:05:51 +05:00
# if os.path.exists(ProcessUtilities.debugPath):
# logging.writeToFile(f'Final actual URL without QS {FinalURL}')
security improvments
2024-01-22 17:03:01 +05:00
release v2.3.8
2024-10-31 07:39:43 +04:00
if request.method == 'POST' or request.method == 'OPTIONS':
Bug fixes and support for Vietnamese language
2018-09-28 14:23:02 +05:00
try:
security improvments
2024-01-22 17:03:01 +05:00
bug fix: fix opendkim on config rest
2024-01-06 15:11:55 +05:00
# logging.writeToFile(request.body)
Bug fixes and support for Vietnamese language
2018-09-28 14:23:02 +05:00
data = json.loads(request.body)
p3
2019-12-10 15:09:10 +05:00
for key, value in data.items():
bug fix for git private repos
2019-02-21 17:19:04 +05:00
if request.path.find('gitNotify') > -1:
break
some conversion fixes
2019-12-15 11:34:09 +05:00
if type(value) == str or type(value) == bytes:
Plugin Manager
2018-10-03 18:46:44 +05:00
pass
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
elif type(value) == list:
address some security issues
2022-08-17 10:38:02 +05:00
for items in value:
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find(
'&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \
or items.find("`") > -1 or items.find("$") > -1 or items.find(
"(") > -1 or items.find(")") > -1 \
or items.find("'") > -1 or items.find("[") > -1 or items.find(
"]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
move data to controller
2024-03-15 12:40:21 +05:00
or items.find(":") > -1 or items.find("<") > -1 or items.find(
">") > -1 or items.find("&") > -1:
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
logging.writeToFile(request.body)
address some security issues
2022-08-17 10:38:02 +05:00
final_dic = {
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >.",
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >."}
address some security issues
2022-08-17 10:38:02 +05:00
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
else:
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
continue
if key == 'backupDestinations':
bug fix: fix opendkim on config rest
2024-01-06 15:11:55 +05:00
if re.match('^[a-z|0-9]+:[a-z|0-9|\.]+\/?[A-Z|a-z|0-9|\.]*$',
value) == None and value != 'local':
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
logging.writeToFile(request.body)
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
final_dic = {'error_message': "Data supplied is not accepted.",
"errorMessage": "Data supplied is not accepted."}
address some security issues
2022-08-17 10:38:02 +05:00
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
security improvments
2024-01-22 17:03:01 +05:00
if FinalURL.find(
'api/remoteTransfer') > -1 or FinalURL.find(
'api/verifyConn') > -1 or FinalURL.find(
'webhook') > -1 or FinalURL.find(
'saveSpamAssassinConfigurations') > -1 or FinalURL.find(
'docker') > -1 or FinalURL.find(
'cloudAPI') > -1 or FinalURL.find(
'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
continue
move data to controller
2024-03-15 12:40:21 +05:00
if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
possible solution off https://www.facebook.com/groups/cyberpanel/posts/3488018628176427/
2024-01-22 09:49:24 +05:00
or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
continue
if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find(
'&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(
")") > -1 \
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
"{") > -1 or value.find("}") > -1 \
move data to controller
2024-03-15 12:40:21 +05:00
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find(
"&") > -1:
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
logging.writeToFile(request.body)
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
final_dic = {
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >.",
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >."}
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(
"{") > -1 or key.find("}") > -1 \
security improvments
2024-01-22 17:03:01 +05:00
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1 or key.find("&") > -1:
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
logging.writeToFile(request.body)
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
final_dic = {'error_message': "Data supplied is not accepted.",
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
"errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >."}
prevent bypass of lsit check
2022-08-24 13:05:27 +05:00
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
p3
2019-12-10 15:09:10 +05:00
except BaseException as msg:
Bug fixes and support for Vietnamese language
2018-09-28 14:23:02 +05:00
logging.writeToFile(str(msg))
response = self.get_response(request)
return response
Update secMiddleware.py
2024-01-04 22:43:56 +01:00
# else:
# try:
# if request.path.find('cloudAPI/') > -1 or request.path.find('api/') > -1:
# pass
# else:
# uID = request.session['userID']
# except:
# return render(request, 'loginSystem/login.html', {})
pci compliance headers
2019-11-05 14:07:37 +05:00
Bug fix to email policy server.
2018-06-30 15:29:56 +05:00
response = self.get_response(request)
fix csf menu while upgrade
2019-11-06 14:02:30 +05:00
pci compliance headers
2019-11-05 14:07:37 +05:00
response['X-XSS-Protection'] = "1; mode=block"
fix csf menu while upgrade
2019-11-06 14:02:30 +05:00
response['X-Frame-Options'] = "sameorigin"
magento installer
2019-11-07 09:37:06 +05:00
response['Content-Security-Policy'] = "script-src 'self' https://www.jsdelivr.com"
response['Content-Security-Policy'] = "connect-src *;"
bug fix: fix opendkim on config rest
2024-01-06 15:11:55 +05:00
response[
'Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
response[
'Content-Security-Policy'] = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.jsdelivr.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net"
# response['Content-Security-Policy'] = "default-src 'self' cyberpanel.cloud *.cyberpanel.cloud"
magento installer
2019-11-07 09:37:06 +05:00
response['X-Content-Type-Options'] = "nosniff"
response['Referrer-Policy'] = "same-origin"
pci compliance headers
2019-11-05 14:07:37 +05:00
Add Cloudflare support
2021-06-08 23:21:41 +00:00
return response
Reference in New Issue Copy Permalink