security improvments

2025-11-06 21:35:55 +01:00 · 2024-01-22 17:03:01 +05:00
parent d1151684dc
commit 01e7fa6f7a
7 changed files with 66 additions and 33 deletions
--- a/CyberCP/secMiddleware.py
+++ b/CyberCP/secMiddleware.py
@@ -1,4 +1,6 @@
 # coding=utf-8
 import os.path
 from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
 from django.shortcuts import HttpResponse, render
 import json
@@ -51,8 +53,19 @@ class secMiddleware:
        except:
            pass
        from plogical.processUtilities import ProcessUtilities
        if os.path.exists(ProcessUtilities.debugPath):
            logging.writeToFile(request.build_absolute_uri())
        FinalURL = request.build_absolute_uri().split('?')[0]
        if os.path.exists(ProcessUtilities.debugPath):
            logging.writeToFile(f'Final actual URL without QS {FinalURL}')
        if request.method == 'POST':
            try:
                # logging.writeToFile(request.body)
                data = json.loads(request.body)
                for key, value in data.items():
@@ -68,7 +81,7 @@ class secMiddleware:
                                "(") > -1 or items.find(")") > -1 \
                                    or items.find("'") > -1 or items.find("[") > -1 or items.find(
                                "]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
-                                    or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
+                                    or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1 or items.find("&") > -1:
                                logging.writeToFile(request.body)
                                final_dic = {
                                    'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
@@ -87,14 +100,14 @@ class secMiddleware:
                            final_json = json.dumps(final_dic)
                            return HttpResponse(final_json)
-                    if request.build_absolute_uri().find(
+                    if FinalURL.find(
-                            'api/remoteTransfer') > -1 or request.build_absolute_uri().find(
+                            'api/remoteTransfer') > -1 or FinalURL.find(
-                        'api/verifyConn') > -1 or request.build_absolute_uri().find(
+                        'api/verifyConn') > -1 or FinalURL.find(
-                        'webhook') > -1 or request.build_absolute_uri().find(
+                        'webhook') > -1 or FinalURL.find(
-                        'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find(
+                        'saveSpamAssassinConfigurations') > -1 or FinalURL.find(
-                        'docker') > -1 or request.build_absolute_uri().find(
+                        'docker') > -1 or FinalURL.find(
-                        'cloudAPI') > -1 or request.build_absolute_uri().find(
+                        'cloudAPI') > -1 or FinalURL.find(
-                        'verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
+                        'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
                        continue
                    if key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
                            or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \
@@ -108,7 +121,7 @@ class secMiddleware:
                        ")") > -1 \
                            or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
                        "{") > -1 or value.find("}") > -1 \
-                            or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+                            or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1:
                        logging.writeToFile(request.body)
                        final_dic = {
                            'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
@@ -119,7 +132,7 @@ class secMiddleware:
                            or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
                            or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(
                        "{") > -1 or key.find("}") > -1 \
-                            or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
+                            or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1 or key.find("&") > -1:
                        logging.writeToFile(request.body)
                        final_dic = {'error_message': "Data supplied is not accepted.",
                                     "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
--- a/api/views.py
+++ b/api/views.py
@@ -535,11 +535,10 @@ def FetchRemoteTransferStatus(request):
            dir = "/home/backup/transfer-"+str(data['dir'])+"/backup_log"
            try:
                command = f"cat {dir}"
                status = ProcessUtilities.outputExecutioner(command)
                if hashPassword.check_password(admin.password, password):
                    command = f"cat {dir}"
                    status = ProcessUtilities.outputExecutioner(command)
                    final_json = json.dumps({'fetchStatus': 1, 'error_message': "None", "status": status})
                    return HttpResponse(final_json)
--- a/cloudAPI/cloudManager.py
+++ b/cloudAPI/cloudManager.py
@@ -344,6 +344,12 @@ class CloudManager:
    def statusFunc(self):
        try:
            statusFile = self.data['statusFile']
            if not statusFile.startswith('/home/cyberpanel'):
                data_ret = {'status': 0, 'abort': 0, 'installationProgress': "0", }
                json_data = json.dumps(data_ret)
                return HttpResponse(json_data)
            statusData = open(statusFile, 'r').readlines()
            try:
                lastLine = statusData[-1]
--- a/cloudAPI/views.py
+++ b/cloudAPI/views.py
@@ -24,14 +24,12 @@ def router(request):
        if admin.api == 0:
            return cm.ajaxPre(0, 'API Access Disabled.')
        if controller == 'statusFunc':
            pass
        else:
        if cm.verifyLogin(request)[0] == 1:
            pass
        else:
            return cm.verifyLogin(request)[1]
        ## Debug Log
        import os
--- a/filemanager/views.py
+++ b/filemanager/views.py
@@ -144,7 +144,7 @@ def upload(request):
            else:
                return ACLManager.loadErrorJson()
        except:
-            pass
+            return ACLManager.loadErrorJson()
        fm = FM(request, data)
        return fm.upload()
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -147,7 +147,7 @@ class ACLManager:
                    or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
                    or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
                "{") > -1 or value.find("}") > -1 \
-                    or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+                    or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1:
                return 1
            else:
                return 0
--- a/plogical/hashPassword.py
+++ b/plogical/hashPassword.py
@@ -1,18 +1,35 @@
-import uuid
+# import uuid
-import hashlib
+# import hashlib
 # import base64
 #
 # def hash_password(password):
 #     # uuid is used to generate a random number
 #     salt = uuid.uuid4().hex
 #     return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
 #
 #
 # def check_password(hashed_password, user_password):
 #     password, salt = hashed_password.split(':')
 #     return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
 #
 # def generateToken(serverUserName, serverPassword):
 #     credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
 #     encoded_credentials = base64.b64encode(credentials).decode()
 #     return 'Basic {0}'.format(encoded_credentials)
 import bcrypt
 import base64
 import secrets
 def hash_password(password):
-    # uuid is used to generate a random number
+    salt = bcrypt.gensalt()
-    salt = uuid.uuid4().hex
+    hashed_password = bcrypt.hashpw(password.encode(), salt)
-    return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
+    return hashed_password.decode()
 def check_password(hashed_password, user_password):
-    password, salt = hashed_password.split(':')
+    return bcrypt.checkpw(user_password.encode(), hashed_password.encode())
    return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
-def generateToken(serverUserName, serverPassword):
+def generate_token():
-    credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
+    token = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
-    encoded_credentials = base64.b64encode(credentials).decode()
+    return token
    return 'Basic {0}'.format(encoded_credentials)