mirror of
https://github.com/usmannasir/cyberpanel.git
synced 2025-11-08 06:16:08 +01:00
address some security issues
This commit is contained in:
Usman Nasir
@@ -58,7 +58,6 @@ class secMiddleware:
|
||||
for key, value in data.items():
|
||||
if request.path.find('gitNotify') > -1:
|
||||
break
|
||||
|
||||
if type(value) == str or type(value) == bytes:
|
||||
pass
|
||||
else:
|
||||
@@ -72,31 +71,47 @@ class secMiddleware:
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
|
||||
if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
|
||||
continue
|
||||
if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
|
||||
or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \
|
||||
or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
|
||||
or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
|
||||
or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
|
||||
continue
|
||||
if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
|
||||
or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
|
||||
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
|
||||
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
|
||||
logging.writeToFile(request.body)
|
||||
final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
|
||||
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
|
||||
or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
|
||||
or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
|
||||
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
|
||||
logging.writeToFile(request.body)
|
||||
final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
if hasattr(value, "__len__"):
|
||||
for items in value:
|
||||
if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find(
|
||||
'&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \
|
||||
or items.find("`") > -1 or items.find("$") > -1 or items.find(
|
||||
"(") > -1 or items.find(")") > -1 \
|
||||
or items.find("'") > -1 or items.find("[") > -1 or items.find(
|
||||
"]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
|
||||
or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
|
||||
logging.writeToFile(request.body)
|
||||
final_dic = {
|
||||
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
|
||||
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
else:
|
||||
if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
|
||||
continue
|
||||
if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
|
||||
or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \
|
||||
or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
|
||||
or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
|
||||
or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow':
|
||||
continue
|
||||
if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \
|
||||
or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
|
||||
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\
|
||||
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
|
||||
logging.writeToFile(request.body)
|
||||
final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
|
||||
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
|
||||
or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
|
||||
or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\
|
||||
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
|
||||
logging.writeToFile(request.body)
|
||||
final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
except BaseException as msg:
|
||||
logging.writeToFile(str(msg))
|
||||
response = self.get_response(request)
|
||||
|
||||
Reference in New Issue
Block a user