Nemcio/CyberPanel
1
0
Fork 0
mirror of https://github.com/usmannasir/cyberpanel.git synced 2025-11-09 23:06:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

bug fix: https://github.com/usmannasir/cyberpanel/issues/1441

Browse Source
This commit is contained in:
usmannasir
2025-06-26 15:16:26 +05:00
parent 0735860d76
commit 286a2ffb46
3 changed files with 379 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
CyberCP/secMiddleware.py
View File

@@ -151,14 +151,26 @@ class secMiddleware:
final_json = json.dumps(final_dic) final_json = json.dumps(final_dic)
return HttpResponse(final_json) return HttpResponse(final_json)
if FinalURL.find( # Allow JSON structure characters for API endpoints but keep security checks for dangerous characters
'api/remoteTransfer') > -1 or FinalURL.find( isAPIEndpoint = (FinalURL.find('api/remoteTransfer') > -1 or FinalURL.find('api/verifyConn') > -1 or
'api/verifyConn') > -1 or FinalURL.find( FinalURL.find('webhook') > -1 or FinalURL.find('saveSpamAssassinConfigurations') > -1 or
'webhook') > -1 or FinalURL.find( FinalURL.find('docker') > -1 or FinalURL.find('cloudAPI') > -1 or
'saveSpamAssassinConfigurations') > -1 or FinalURL.find( FinalURL.find('verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1 or
'docker') > -1 or FinalURL.find( FinalURL.find('/api/') > -1)
'cloudAPI') > -1 or FinalURL.find(
'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1: if isAPIEndpoint:
# For API endpoints, still check for the most dangerous command injection characters
if (value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or
value.find('&&') > -1 or value.find('||') > -1 or value.find('|') > -1 or
value.find('...') > -1 or value.find("`") > -1 or value.find("$") > -1 or
value.find('../') > -1 or value.find('../../') > -1):
logging.writeToFile(request.body)
final_dic = {
'error_message': "API request contains potentially dangerous characters: `;`, `&&`, `||`, `|`, `` ` ``, `$`, `../` are not allowed.",
"errorMessage": "API request contains potentially dangerous characters."
}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
continue continue
if key == 'MainDashboardCSS' or key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' \ if key == 'MainDashboardCSS' or key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' \
or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations'\ or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations'\

126
api/views.py
View File

@@ -23,54 +23,138 @@ from userManagment.views import submitUserCreation as suc
from userManagment.views import submitUserDeletion as duc from userManagment.views import submitUserDeletion as duc
# Create your views here. # Create your views here.
def validate_api_input(input_value, field_name="field"):
"""
Validate API input for security threats while allowing legitimate data
Returns tuple: (is_valid, error_message)
"""
if not isinstance(input_value, str):
return True, None
# Check for command injection patterns
dangerous_patterns = [
';', '&&', '||', '|', '`', '$',
'../', '../../', '\n', '\r',
'<script', '</script>', 'javascript:',
'eval(', 'exec(', 'system(', 'shell_exec('
]
for pattern in dangerous_patterns:
if pattern in input_value:
return False, f"{field_name} contains invalid characters or patterns."
return True, None
@csrf_exempt @csrf_exempt
def verifyConn(request): def verifyConn(request):
try: try:
if request.method == 'POST': if request.method == 'POST':
try:
data = json.loads(request.body)
adminUser = data['adminUser']
adminPass = data['adminPass']
data = json.loads(request.body) # Additional security: validate input for dangerous characters
adminUser = data['adminUser'] is_valid, error_msg = validate_api_input(adminUser, "adminUser")
adminPass = data['adminPass'] if not is_valid:
data_ret = {"verifyConn": 0, 'error_message': error_msg}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=400)
admin = Administrator.objects.get(userName=adminUser) except (json.JSONDecodeError, KeyError) as e:
data_ret = {"verifyConn": 0, 'error_message': "Invalid JSON or missing adminUser/adminPass fields."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=400)
try:
admin = Administrator.objects.get(userName=adminUser)
except Administrator.DoesNotExist:
data_ret = {"verifyConn": 0, 'error_message': "Administrator not found."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=404)
if admin.api == 0: if admin.api == 0:
data_ret = {"verifyConn": 0, 'error_message': "API Access Disabled."} data_ret = {"verifyConn": 0, 'error_message': "API Access Disabled."}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
return HttpResponse(json_data) return HttpResponse(json_data, status=403)
if hashPassword.check_password(admin.password, adminPass): if hashPassword.check_password(admin.password, adminPass):
data_ret = {"verifyConn": 1} data_ret = {"verifyConn": 1}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
return HttpResponse(json_data) return HttpResponse(json_data)
else: else:
data_ret = {"verifyConn": 0} data_ret = {"verifyConn": 0, 'error_message': "Invalid password."}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
return HttpResponse(json_data) return HttpResponse(json_data, status=401)
except BaseException as msg: else:
data_ret = {'verifyConn': 0, 'error_message': str(msg)} data_ret = {"verifyConn": 0, 'error_message': "Only POST method allowed."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=405)
except Exception as msg:
data_ret = {'verifyConn': 0, 'error_message': f"Internal server error: {str(msg)}"}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
return HttpResponse(json_data) return HttpResponse(json_data, status=500)
@csrf_exempt @csrf_exempt
def createWebsite(request): def createWebsite(request):
data = json.loads(request.body) try:
adminUser = data['adminUser'] if request.method != 'POST':
admin = Administrator.objects.get(userName=adminUser) data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
'error_message': "Only POST method allowed."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=405)
if os.path.exists(ProcessUtilities.debugPath): try:
logging.writeToFile(f'Create website payload in API {str(data)}') data = json.loads(request.body)
adminUser = data['adminUser']
if admin.api == 0: # Additional security: validate critical fields for dangerous characters
is_valid, error_msg = validate_api_input(adminUser, "adminUser")
if not is_valid:
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0, 'error_message': error_msg}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=400)
# Validate domain name if provided
if 'domainName' in data:
is_valid, error_msg = validate_api_input(data['domainName'], "domainName")
if not is_valid:
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0, 'error_message': error_msg}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=400)
except (json.JSONDecodeError, KeyError):
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
'error_message': "Invalid JSON or missing adminUser field."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=400)
try:
admin = Administrator.objects.get(userName=adminUser)
except Administrator.DoesNotExist:
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
'error_message': "Administrator not found."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=404)
if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile(f'Create website payload in API {str(data)}')
if admin.api == 0:
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
'error_message': "API Access Disabled."}
json_data = json.dumps(data_ret)
return HttpResponse(json_data, status=403)
wm = WebsiteManager()
return wm.createWebsiteAPI(data)
except Exception as msg:
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0, data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
'error_message': "API Access Disabled."} 'error_message': f"Internal server error: {str(msg)}"}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
return HttpResponse(json_data) return HttpResponse(json_data, status=500)
wm = WebsiteManager()
return wm.createWebsiteAPI(json.loads(request.body))
@csrf_exempt @csrf_exempt

254
baseTemplate/templates/baseTemplate/index.html
View File

@@ -556,6 +556,205 @@
} }
} }
/* AI Scanner Security Banner */
.ai-scanner-banner {
position: fixed;
top: 80px;
left: 260px;
right: 0;
background: linear-gradient(135deg, #6366f1 0%, #8b5cf6 50%, #a855f7 100%);
border-bottom: 2px solid #4f46e5;
padding: 16px 30px;
z-index: 998;
box-shadow: 0 4px 20px rgba(99, 102, 241, 0.25);
animation: slideDown 0.4s ease-out;
display: none;
}
.ai-scanner-banner.show {
display: block;
}
.ai-scanner-content {
display: flex;
align-items: center;
gap: 1.5rem;
max-width: 1400px;
margin: 0 auto;
}
.ai-scanner-icon {
background: rgba(255, 255, 255, 0.2);
border-radius: 12px;
padding: 12px;
backdrop-filter: blur(10px);
border: 1px solid rgba(255, 255, 255, 0.3);
}
.ai-scanner-icon i {
color: white;
font-size: 1.5rem;
display: block;
}
.ai-scanner-text {
flex: 1;
display: flex;
flex-direction: column;
gap: 4px;
}
.ai-scanner-main-text {
color: white;
font-size: 1rem;
font-weight: 600;
line-height: 1.4;
}
.ai-scanner-sub-text {
color: rgba(255, 255, 255, 0.8);
font-size: 0.875rem;
font-weight: 400;
}
.ai-scanner-actions {
display: flex;
gap: 12px;
}
.ai-scanner-btn {
background: white;
color: #4f46e5;
padding: 12px 24px;
border-radius: 8px;
text-decoration: none;
font-weight: 600;
font-size: 0.875rem;
display: flex;
align-items: center;
gap: 8px;
transition: all 0.3s ease;
box-shadow: 0 2px 8px rgba(0, 0, 0, 0.1);
position: relative;
overflow: hidden;
}
.ai-scanner-btn:hover {
background: #f8fafc;
color: #4338ca;
transform: translateY(-1px);
box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15);
text-decoration: none;
}
.ai-scanner-btn::before {
content: '';
position: absolute;
top: 0;
left: 0;
right: 0;
bottom: 0;
background: linear-gradient(45deg, rgba(255,255,255,0.1), rgba(255,255,255,0.3), rgba(255,255,255,0.1));
transform: translateX(-100%);
transition: transform 0.6s ease;
border-radius: 8px;
}
.ai-scanner-btn:hover::before {
transform: translateX(100%);
}
.ai-scanner-btn i {
font-size: 0.875rem;
}
.ai-scanner-close {
background: rgba(255, 255, 255, 0.1);
border: 1px solid rgba(255, 255, 255, 0.2);
color: white;
font-size: 1rem;
cursor: pointer;
padding: 8px;
border-radius: 6px;
transition: all 0.2s ease;
backdrop-filter: blur(10px);
}
.ai-scanner-close:hover {
background: rgba(255, 255, 255, 0.2);
transform: scale(1.05);
}
/* Adjust main content when AI scanner banner is shown */
.ai-scanner-shown #main-content {
padding-top: 180px;
}
/* Both banners shown */
.notification-shown.ai-scanner-shown #main-content {
padding-top: 220px;
}
.notification-shown .ai-scanner-banner {
top: 130px;
}
/* Mobile responsive styles for AI Scanner banner */
@media (max-width: 768px) {
.ai-scanner-banner {
left: 0;
padding: 12px 20px;
}
.ai-scanner-content {
gap: 1rem;
flex-wrap: wrap;
}
.ai-scanner-text {
min-width: 200px;
}
.ai-scanner-main-text {
font-size: 0.9rem;
}
.ai-scanner-sub-text {
font-size: 0.8rem;
}
.ai-scanner-btn {
padding: 10px 20px;
font-size: 0.8rem;
}
.ai-scanner-icon {
padding: 10px;
}
.ai-scanner-icon i {
font-size: 1.25rem;
}
}
@media (max-width: 480px) {
.ai-scanner-content {
flex-direction: column;
align-items: stretch;
gap: 12px;
}
.ai-scanner-actions {
justify-content: center;
}
.ai-scanner-close {
position: absolute;
top: 8px;
right: 8px;
}
}
/* Scrollbar */ /* Scrollbar */
::-webkit-scrollbar { ::-webkit-scrollbar {
width: 8px; width: 8px;
@@ -1429,6 +1628,28 @@
</div> </div>
</div> </div>
<!-- AI Scanner Security Notice -->
<div id="ai-scanner-notification" class="ai-scanner-banner">
<div class="ai-scanner-content">
<div class="ai-scanner-icon">
<i class="fas fa-brain"></i>
</div>
<div class="ai-scanner-text">
<span class="ai-scanner-main-text">🛡️ Secure your websites with AI-powered malware detection</span>
<span class="ai-scanner-sub-text">Advanced threat detection • Real-time scanning • Zero false positives</span>
</div>
<div class="ai-scanner-actions">
<a href="/aiscanner/" class="ai-scanner-btn">
<i class="fas fa-rocket"></i>
Start AI Security Scan
</a>
</div>
<button class="ai-scanner-close" onclick="dismissAIScannerNotification()">
<i class="fas fa-times"></i>
</button>
</div>
</div>
<!-- Main Content --> <!-- Main Content -->
<div id="main-content"> <div id="main-content">
{% block content %}{% endblock %} {% block content %}{% endblock %}
@@ -1542,9 +1763,40 @@
sessionStorage.setItem('backupNotificationDismissed', 'true'); sessionStorage.setItem('backupNotificationDismissed', 'true');
} }
// Check backup status when page loads // AI Scanner Notification Functions
function checkAIScannerStatus() {
// Check if user has dismissed the notification in this session
if (sessionStorage.getItem('aiScannerNotificationDismissed') === 'true') {
return;
}
// Check if we're not already on the AI Scanner page
if (!window.location.href.includes('aiscanner')) {
showAIScannerNotification();
}
}
function showAIScannerNotification() {
const banner = document.getElementById('ai-scanner-notification');
const body = document.body;
banner.classList.add('show');
body.classList.add('ai-scanner-shown');
}
function dismissAIScannerNotification() {
const banner = document.getElementById('ai-scanner-notification');
const body = document.body;
banner.classList.remove('show');
body.classList.remove('ai-scanner-shown');
// Remember dismissal for this session
sessionStorage.setItem('aiScannerNotificationDismissed', 'true');
}
// Check both notification statuses when page loads
document.addEventListener('DOMContentLoaded', function() { document.addEventListener('DOMContentLoaded', function() {
checkBackupStatus(); checkBackupStatus();
// Show AI Scanner notification with a slight delay for better UX
setTimeout(checkAIScannerStatus, 1000);
}); });
</script> </script>