Nemcio/CyberPanel
1
0
Fork 0
mirror of https://github.com/usmannasir/cyberpanel.git synced 2025-11-06 13:25:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

security improvments

Browse Source
This commit is contained in:
usmannasir
2024-01-22 17:03:01 +05:00
parent d1151684dc
commit 01e7fa6f7a
7 changed files with 66 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
CyberCP/secMiddleware.py
View File

@@ -1,4 +1,6 @@
# coding=utf-8
import os.path
from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
from django.shortcuts import HttpResponse, render
import json
@@ -51,8 +53,19 @@ class secMiddleware:
except:
pass
from plogical.processUtilities import ProcessUtilities
if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile(request.build_absolute_uri())
FinalURL = request.build_absolute_uri().split('?')[0]
if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile(f'Final actual URL without QS {FinalURL}')
if request.method == 'POST':
try:
# logging.writeToFile(request.body)
data = json.loads(request.body)
for key, value in data.items():
@@ -68,7 +81,7 @@ class secMiddleware:
"(") > -1 or items.find(")") > -1 \
or items.find("'") > -1 or items.find("[") > -1 or items.find(
"]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1 or items.find("&") > -1:
logging.writeToFile(request.body)
final_dic = {
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >.",
@@ -87,14 +100,14 @@ class secMiddleware:
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
if request.build_absolute_uri().find(
'api/remoteTransfer') > -1 or request.build_absolute_uri().find(
'api/verifyConn') > -1 or request.build_absolute_uri().find(
'webhook') > -1 or request.build_absolute_uri().find(
'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find(
'docker') > -1 or request.build_absolute_uri().find(
'cloudAPI') > -1 or request.build_absolute_uri().find(
'verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
if FinalURL.find(
'api/remoteTransfer') > -1 or FinalURL.find(
'api/verifyConn') > -1 or FinalURL.find(
'webhook') > -1 or FinalURL.find(
'saveSpamAssassinConfigurations') > -1 or FinalURL.find(
'docker') > -1 or FinalURL.find(
'cloudAPI') > -1 or FinalURL.find(
'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
continue
if key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \
@@ -108,7 +121,7 @@ class secMiddleware:
")") > -1 \
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
"{") > -1 or value.find("}") > -1 \
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1:
logging.writeToFile(request.body)
final_dic = {
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >.",
@@ -119,7 +132,7 @@ class secMiddleware:
or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(
"{") > -1 or key.find("}") > -1 \
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1 or key.find("&") > -1:
logging.writeToFile(request.body)
final_dic = {'error_message': "Data supplied is not accepted.",
"errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : < >."}

5
api/views.py
View File

@@ -535,11 +535,10 @@ def FetchRemoteTransferStatus(request):
dir = "/home/backup/transfer-"+str(data['dir'])+"/backup_log"
try:
command = f"cat {dir}"
status = ProcessUtilities.outputExecutioner(command)
if hashPassword.check_password(admin.password, password):
command = f"cat {dir}"
status = ProcessUtilities.outputExecutioner(command)
final_json = json.dumps({'fetchStatus': 1, 'error_message': "None", "status": status})
return HttpResponse(final_json)

6
cloudAPI/cloudManager.py
View File

@@ -344,6 +344,12 @@ class CloudManager:
def statusFunc(self):
try:
statusFile = self.data['statusFile']
if not statusFile.startswith('/home/cyberpanel'):
data_ret = {'status': 0, 'abort': 0, 'installationProgress': "0", }
json_data = json.dumps(data_ret)
return HttpResponse(json_data)
statusData = open(statusFile, 'r').readlines()
try:
lastLine = statusData[-1]

4
cloudAPI/views.py
View File

@@ -24,14 +24,12 @@ def router(request):
if admin.api == 0:
return cm.ajaxPre(0, 'API Access Disabled.')
if controller == 'statusFunc':
pass
else:
if cm.verifyLogin(request)[0] == 1:
pass
else:
return cm.verifyLogin(request)[1]
## Debug Log
import os

2
filemanager/views.py
View File

@@ -144,7 +144,7 @@ def upload(request):
else:
return ACLManager.loadErrorJson()
except:
pass
return ACLManager.loadErrorJson()
fm = FM(request, data)
return fm.upload()

2
plogical/acl.py
View File

@@ -147,7 +147,7 @@ class ACLManager:
or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
"{") > -1 or value.find("}") > -1 \
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1:
return 1
else:
return 0

41
plogical/hashPassword.py
View File

@@ -1,18 +1,35 @@
import uuid
import hashlib
# import uuid
# import hashlib
# import base64
#
# def hash_password(password):
# # uuid is used to generate a random number
# salt = uuid.uuid4().hex
# return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
#
#
# def check_password(hashed_password, user_password):
# password, salt = hashed_password.split(':')
# return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
#
# def generateToken(serverUserName, serverPassword):
# credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
# encoded_credentials = base64.b64encode(credentials).decode()
# return 'Basic {0}'.format(encoded_credentials)
import bcrypt
import base64
import secrets
def hash_password(password):
# uuid is used to generate a random number
salt = uuid.uuid4().hex
return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
salt = bcrypt.gensalt()
hashed_password = bcrypt.hashpw(password.encode(), salt)
return hashed_password.decode()
def check_password(hashed_password, user_password):
password, salt = hashed_password.split(':')
return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
return bcrypt.checkpw(user_password.encode(), hashed_password.encode())
def generateToken(serverUserName, serverPassword):
credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
encoded_credentials = base64.b64encode(credentials).decode()
return 'Basic {0}'.format(encoded_credentials)
def generate_token():
token = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
return token