# coding=utf-8
from plogical . CyberCPLogFileWriter import CyberCPLogFileWriter as logging
import json
from django . shortcuts import HttpResponse
import re
from loginSystem . models import Administrator
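class secMiddleware:
    """Security middleware: session/IP binding, JSON body filtering, response headers.

    Three things happen on every request, in this order:

    1. Session binding. A request that carries ``session['userID']`` is compared
       against the client address recorded at login in ``session['ipAddr']``,
       unless the administrator's ``securityLevel`` is ``LOW``. On a mismatch the
       login keys are removed and a JSON error is returned instead of calling
       the view.
    2. Body filtering (POST only). The JSON body is parsed and every top-level
       string key and value is scanned for the metacharacters in ``FORBIDDEN``;
       some keys and some URL paths are exempt. A hit returns a JSON error.
    3. Response headers. A fixed set of security headers is set on every
       response, including the early JSON errors above.

    NOTE(review): the body filter is a block-list over the top-level string
    values of a JSON *object*. Nested objects/arrays, non-JSON bodies (uploads,
    form posts) and anything that makes parsing raise are logged and passed
    through untouched. Treat it as defence in depth, not as the input
    validation of the individual views.

    NOTE(review): the binding uses ``REMOTE_ADDR``, i.e. the immediate TCP
    peer. If the panel sits behind a reverse proxy every client shares the
    proxy's address and the check degrades to a no-op.
    """

    HIGH = 0
    LOW = 1

    # Substrings rejected in JSON keys and values (shell and markup
    # metacharacters). A single '&' is allowed; only '&&' is rejected.
    FORBIDDEN = (';', '&&', '|', '...', '`', '$', '(', ')', "'",
                 '[', ']', '{', '}', ':', '<', '>')

    # Keys whose values legitimately contain metacharacters (rules, commands,
    # free text, file content) and therefore skip the FORBIDDEN scan.
    EXEMPT_KEYS = frozenset((
        'recordContentAAAA', 'backupDestinations', 'ports', 'imageByPass',
        'passwordByPass', 'cronCommand', 'emailMessage', 'configData',
        'rewriteRules', 'modSecRules', 'recordContentTXT',
        'SecAuditLogRelevantStatus', 'fileContent',
    ))

    # Path fragments whose requests skip the FORBIDDEN scan entirely.
    EXEMPT_PATHS = ('saveSpamAssassinConfigurations', 'docker', 'cloudAPI',
                    'filemanager', 'verifyLogin', 'submitUserCreation')

    # Accepted shape of a non-'local' backupDestinations value:
    # ``<scheme>:<host>[/<path>]``. The previous pattern had stray ``|``
    # characters inside its character classes, which made a literal pipe an
    # accepted character; they are removed here.
    BACKUP_DESTINATION_RE = re.compile(r'^[a-z0-9]+:[a-z0-9.]+/?[A-Za-z0-9.]*$')

    # One Content-Security-Policy value built from all directives. Previously
    # each directive was assigned to the same header key in turn, so only the
    # last one (style-src) was ever sent and script-src was silently dropped.
    # NOTE(review): script-src without 'unsafe-inline' or nonces blocks inline
    # <script> blocks and on* handlers — check the templates before deploying,
    # because this directive was never actually enforced before.
    CSP = "; ".join((
        "script-src 'self' https://www.jsdelivr.com",
        "connect-src *",
        "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com",
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.jsdelivr.com "
        "https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net",
    ))

    # User-facing messages; the UI reads both 'error_message' and 'errorMessage'.
    SESSION_REUSE_MESSAGE = "Session reuse detected, IPAddress logged."
    REJECTED_MESSAGE = "Data supplied is not accepted."
    FORBIDDEN_VALUE_MESSAGE = ("Data supplied is not accepted, following characters are not "
                               "allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.")
    FORBIDDEN_KEY_MESSAGE = ("Data supplied is not accepted following characters are not "
                             "allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.")

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        """Run the checks; return the early JSON error or the downstream response.

        Every returned response, including an early rejection and the case
        where the body filter itself raised, gets the security headers.
        """
        rejection = self._check_session_binding(request)
        if rejection is None and request.method == 'POST':
            rejection = self._filter_post_body(request)
        if rejection is not None:
            return self._add_security_headers(rejection)
        return self._add_security_headers(self.get_response(request))

    def _check_session_binding(self, request):
        """Return a JSON error response if a logged-in session is used from another address, else None.

        Unauthenticated requests (no ``userID`` in the session) are not checked,
        nor are administrators with ``securityLevel == LOW``. A logged-in
        session that carries no recorded ``ipAddr`` is treated as a mismatch
        (fail closed) instead of being skipped as before. Lookup or database
        errors are logged and the request is let through unchanged; the views
        still have to authenticate it themselves.
        """
        try:
            uID = request.session['userID']
        except KeyError:
            return None
        try:
            admin = Administrator.objects.get(pk=uID)
            if admin.securityLevel == secMiddleware.LOW:
                return None
            remote = request.META.get('REMOTE_ADDR')
            if not remote:
                # Every WSGI server sets REMOTE_ADDR; its absence is a
                # deployment anomaly, so log it instead of guessing.
                logging.writeToFile('secMiddleware: REMOTE_ADDR missing, session binding skipped')
                return None
            if '.' in remote:
                # IPv4 (or IPv4-mapped IPv6): compare the full address.
                seen = remote
            else:
                # IPv6: compare the first three hextets as a list — presumably
                # the same shape the login view stores in session['ipAddr'];
                # verify against the login code before changing either side.
                seen = remote.split(':')[:3]
            if request.session.get('ipAddr') == seen:
                return None
            # Mismatch: drop the login keys. NOTE(review): session.flush()
            # would also rotate the session key; kept targeted so other
            # session data survives as before.
            request.session.pop('userID', None)
            request.session.pop('ipAddr', None)
            logging.writeToFile('secMiddleware: session of user %s reused from %s' % (uID, remote))
            payload = {'error_message': self.SESSION_REUSE_MESSAGE,
                       'errorMessage': self.SESSION_REUSE_MESSAGE}
            return HttpResponse(json.dumps(payload))
        except Exception as exc:
            # Fail open as before, but visibly: the previous bare except hid
            # every error in this block, including a failed admin lookup.
            logging.writeToFile('secMiddleware: session check skipped: %s' % exc)
            return None

    def _filter_post_body(self, request):
        """Scan a JSON POST body; return a JSON error response on a hit, else None.

        Fail-open by design: a body that is not a JSON object (file uploads,
        form posts) or any other exception is logged and the request proceeds
        unfiltered, so the views must still validate their own input.
        """
        try:
            if 'gitNotify' in request.path:
                return None  # webhook payloads carry arbitrary text
            data = json.loads(request.body)
            # Exempt paths are matched on request.path. The previous code
            # matched build_absolute_uri(), which includes host and query
            # string, so appending e.g. '?cloudAPI' to any URL disabled the
            # filter for that request.
            path_exempt = any(fragment in request.path for fragment in self.EXEMPT_PATHS)
            for key, value in data.items():
                if not isinstance(value, str):
                    # json.loads yields str for text; numbers, bools, None and
                    # nested containers are not inspected.
                    continue
                if key == 'backupDestinations':
                    if value != 'local' and self.BACKUP_DESTINATION_RE.match(value) is None:
                        return self._reject(request, self.REJECTED_MESSAGE, self.REJECTED_MESSAGE)
                if path_exempt or key in self.EXEMPT_KEYS:
                    continue
                if self._has_forbidden(value):
                    return self._reject(request, self.FORBIDDEN_VALUE_MESSAGE,
                                        self.FORBIDDEN_VALUE_MESSAGE)
                if self._has_forbidden(key):
                    return self._reject(request, self.REJECTED_MESSAGE,
                                        self.FORBIDDEN_KEY_MESSAGE)
        except Exception as exc:
            logging.writeToFile(str(exc))
        return None

    @staticmethod
    def _reject(request, error_message, errorMessage):
        """Log the offending body and build the JSON error response the UI expects."""
        # NOTE(review): this writes the raw request body to the log, which can
        # include credentials (e.g. a rejected password field). Consider
        # redacting or truncating before logging.
        logging.writeToFile(request.body)
        payload = {'error_message': error_message, 'errorMessage': errorMessage}
        return HttpResponse(json.dumps(payload))

    @classmethod
    def _has_forbidden(cls, text):
        """Return True if any FORBIDDEN substring occurs in ``text``."""
        return any(token in text for token in cls.FORBIDDEN)

    @classmethod
    def _add_security_headers(cls, response):
        """Set the fixed security headers on ``response`` and return it."""
        response['X-XSS-Protection'] = "1; mode=block"
        # Strict-Transport-Security is deliberately not set here (it was
        # commented out upstream) — presumably because the panel may be
        # reached over plain HTTP; set it at the TLS terminator if not.
        response['X-Frame-Options'] = "sameorigin"
        response['Content-Security-Policy'] = cls.CSP
        response['X-Content-Type-Options'] = "nosniff"
        response['Referrer-Policy'] = "same-origin"
        return response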