mirror of
https://github.com/usmannasir/cyberpanel.git
synced 2025-11-09 06:46:10 +01:00
This commit is contained in:
usmannasir
@@ -151,14 +151,26 @@ class secMiddleware:
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
|
||||
if FinalURL.find(
|
||||
'api/remoteTransfer') > -1 or FinalURL.find(
|
||||
'api/verifyConn') > -1 or FinalURL.find(
|
||||
'webhook') > -1 or FinalURL.find(
|
||||
'saveSpamAssassinConfigurations') > -1 or FinalURL.find(
|
||||
'docker') > -1 or FinalURL.find(
|
||||
'cloudAPI') > -1 or FinalURL.find(
|
||||
'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
|
||||
# Allow JSON structure characters for API endpoints but keep security checks for dangerous characters
|
||||
isAPIEndpoint = (FinalURL.find('api/remoteTransfer') > -1 or FinalURL.find('api/verifyConn') > -1 or
|
||||
FinalURL.find('webhook') > -1 or FinalURL.find('saveSpamAssassinConfigurations') > -1 or
|
||||
FinalURL.find('docker') > -1 or FinalURL.find('cloudAPI') > -1 or
|
||||
FinalURL.find('verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1 or
|
||||
FinalURL.find('/api/') > -1)
|
||||
|
||||
if isAPIEndpoint:
|
||||
# For API endpoints, still check for the most dangerous command injection characters
|
||||
if (value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or
|
||||
value.find('&&') > -1 or value.find('||') > -1 or value.find('|') > -1 or
|
||||
value.find('...') > -1 or value.find("`") > -1 or value.find("$") > -1 or
|
||||
value.find('../') > -1 or value.find('../../') > -1):
|
||||
logging.writeToFile(request.body)
|
||||
final_dic = {
|
||||
'error_message': "API request contains potentially dangerous characters: `;`, `&&`, `||`, `|`, `` ` ``, `$`, `../` are not allowed.",
|
||||
"errorMessage": "API request contains potentially dangerous characters."
|
||||
}
|
||||
final_json = json.dumps(final_dic)
|
||||
return HttpResponse(final_json)
|
||||
continue
|
||||
if key == 'MainDashboardCSS' or key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' \
|
||||
or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations'\
|
||||
|
||||
128
api/views.py
128
api/views.py
@@ -23,54 +23,138 @@ from userManagment.views import submitUserCreation as suc
|
||||
from userManagment.views import submitUserDeletion as duc
|
||||
# Create your views here.
|
||||
|
||||
def validate_api_input(input_value, field_name="field"):
|
||||
"""
|
||||
Validate API input for security threats while allowing legitimate data
|
||||
Returns tuple: (is_valid, error_message)
|
||||
"""
|
||||
if not isinstance(input_value, str):
|
||||
return True, None
|
||||
|
||||
# Check for command injection patterns
|
||||
dangerous_patterns = [
|
||||
';', '&&', '||', '|', '`', '$',
|
||||
'../', '../../', '\n', '\r',
|
||||
'<script', '</script>', 'javascript:',
|
||||
'eval(', 'exec(', 'system(', 'shell_exec('
|
||||
]
|
||||
|
||||
for pattern in dangerous_patterns:
|
||||
if pattern in input_value:
|
||||
return False, f"{field_name} contains invalid characters or patterns."
|
||||
|
||||
return True, None
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
def verifyConn(request):
|
||||
try:
|
||||
if request.method == 'POST':
|
||||
try:
|
||||
data = json.loads(request.body)
|
||||
adminUser = data['adminUser']
|
||||
adminPass = data['adminPass']
|
||||
|
||||
# Additional security: validate input for dangerous characters
|
||||
is_valid, error_msg = validate_api_input(adminUser, "adminUser")
|
||||
if not is_valid:
|
||||
data_ret = {"verifyConn": 0, 'error_message': error_msg}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=400)
|
||||
|
||||
except (json.JSONDecodeError, KeyError) as e:
|
||||
data_ret = {"verifyConn": 0, 'error_message': "Invalid JSON or missing adminUser/adminPass fields."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=400)
|
||||
|
||||
data = json.loads(request.body)
|
||||
adminUser = data['adminUser']
|
||||
adminPass = data['adminPass']
|
||||
|
||||
admin = Administrator.objects.get(userName=adminUser)
|
||||
try:
|
||||
admin = Administrator.objects.get(userName=adminUser)
|
||||
except Administrator.DoesNotExist:
|
||||
data_ret = {"verifyConn": 0, 'error_message': "Administrator not found."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=404)
|
||||
|
||||
if admin.api == 0:
|
||||
data_ret = {"verifyConn": 0, 'error_message': "API Access Disabled."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data)
|
||||
return HttpResponse(json_data, status=403)
|
||||
|
||||
if hashPassword.check_password(admin.password, adminPass):
|
||||
data_ret = {"verifyConn": 1}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data)
|
||||
else:
|
||||
data_ret = {"verifyConn": 0}
|
||||
data_ret = {"verifyConn": 0, 'error_message': "Invalid password."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data)
|
||||
except BaseException as msg:
|
||||
data_ret = {'verifyConn': 0, 'error_message': str(msg)}
|
||||
return HttpResponse(json_data, status=401)
|
||||
else:
|
||||
data_ret = {"verifyConn": 0, 'error_message': "Only POST method allowed."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=405)
|
||||
except Exception as msg:
|
||||
data_ret = {'verifyConn': 0, 'error_message': f"Internal server error: {str(msg)}"}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data)
|
||||
return HttpResponse(json_data, status=500)
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
def createWebsite(request):
|
||||
data = json.loads(request.body)
|
||||
adminUser = data['adminUser']
|
||||
admin = Administrator.objects.get(userName=adminUser)
|
||||
try:
|
||||
if request.method != 'POST':
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
|
||||
'error_message': "Only POST method allowed."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=405)
|
||||
|
||||
if os.path.exists(ProcessUtilities.debugPath):
|
||||
logging.writeToFile(f'Create website payload in API {str(data)}')
|
||||
try:
|
||||
data = json.loads(request.body)
|
||||
adminUser = data['adminUser']
|
||||
|
||||
# Additional security: validate critical fields for dangerous characters
|
||||
is_valid, error_msg = validate_api_input(adminUser, "adminUser")
|
||||
if not is_valid:
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0, 'error_message': error_msg}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=400)
|
||||
|
||||
# Validate domain name if provided
|
||||
if 'domainName' in data:
|
||||
is_valid, error_msg = validate_api_input(data['domainName'], "domainName")
|
||||
if not is_valid:
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0, 'error_message': error_msg}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=400)
|
||||
|
||||
except (json.JSONDecodeError, KeyError):
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
|
||||
'error_message': "Invalid JSON or missing adminUser field."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=400)
|
||||
|
||||
if admin.api == 0:
|
||||
try:
|
||||
admin = Administrator.objects.get(userName=adminUser)
|
||||
except Administrator.DoesNotExist:
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
|
||||
'error_message': "Administrator not found."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=404)
|
||||
|
||||
if os.path.exists(ProcessUtilities.debugPath):
|
||||
logging.writeToFile(f'Create website payload in API {str(data)}')
|
||||
|
||||
if admin.api == 0:
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
|
||||
'error_message': "API Access Disabled."}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data, status=403)
|
||||
|
||||
wm = WebsiteManager()
|
||||
return wm.createWebsiteAPI(data)
|
||||
except Exception as msg:
|
||||
data_ret = {"existsStatus": 0, 'createWebSiteStatus': 0,
|
||||
'error_message': "API Access Disabled."}
|
||||
'error_message': f"Internal server error: {str(msg)}"}
|
||||
json_data = json.dumps(data_ret)
|
||||
return HttpResponse(json_data)
|
||||
|
||||
wm = WebsiteManager()
|
||||
return wm.createWebsiteAPI(json.loads(request.body))
|
||||
return HttpResponse(json_data, status=500)
|
||||
|
||||
|
||||
@csrf_exempt
|
||||
|
||||
@@ -556,6 +556,205 @@
|
||||
}
|
||||
}
|
||||
|
||||
/* AI Scanner Security Banner */
|
||||
.ai-scanner-banner {
|
||||
position: fixed;
|
||||
top: 80px;
|
||||
left: 260px;
|
||||
right: 0;
|
||||
background: linear-gradient(135deg, #6366f1 0%, #8b5cf6 50%, #a855f7 100%);
|
||||
border-bottom: 2px solid #4f46e5;
|
||||
padding: 16px 30px;
|
||||
z-index: 998;
|
||||
box-shadow: 0 4px 20px rgba(99, 102, 241, 0.25);
|
||||
animation: slideDown 0.4s ease-out;
|
||||
display: none;
|
||||
}
|
||||
|
||||
.ai-scanner-banner.show {
|
||||
display: block;
|
||||
}
|
||||
|
||||
.ai-scanner-content {
|
||||
display: flex;
|
||||
align-items: center;
|
||||
gap: 1.5rem;
|
||||
max-width: 1400px;
|
||||
margin: 0 auto;
|
||||
}
|
||||
|
||||
.ai-scanner-icon {
|
||||
background: rgba(255, 255, 255, 0.2);
|
||||
border-radius: 12px;
|
||||
padding: 12px;
|
||||
backdrop-filter: blur(10px);
|
||||
border: 1px solid rgba(255, 255, 255, 0.3);
|
||||
}
|
||||
|
||||
.ai-scanner-icon i {
|
||||
color: white;
|
||||
font-size: 1.5rem;
|
||||
display: block;
|
||||
}
|
||||
|
||||
.ai-scanner-text {
|
||||
flex: 1;
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
gap: 4px;
|
||||
}
|
||||
|
||||
.ai-scanner-main-text {
|
||||
color: white;
|
||||
font-size: 1rem;
|
||||
font-weight: 600;
|
||||
line-height: 1.4;
|
||||
}
|
||||
|
||||
.ai-scanner-sub-text {
|
||||
color: rgba(255, 255, 255, 0.8);
|
||||
font-size: 0.875rem;
|
||||
font-weight: 400;
|
||||
}
|
||||
|
||||
.ai-scanner-actions {
|
||||
display: flex;
|
||||
gap: 12px;
|
||||
}
|
||||
|
||||
.ai-scanner-btn {
|
||||
background: white;
|
||||
color: #4f46e5;
|
||||
padding: 12px 24px;
|
||||
border-radius: 8px;
|
||||
text-decoration: none;
|
||||
font-weight: 600;
|
||||
font-size: 0.875rem;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
gap: 8px;
|
||||
transition: all 0.3s ease;
|
||||
box-shadow: 0 2px 8px rgba(0, 0, 0, 0.1);
|
||||
position: relative;
|
||||
overflow: hidden;
|
||||
}
|
||||
|
||||
.ai-scanner-btn:hover {
|
||||
background: #f8fafc;
|
||||
color: #4338ca;
|
||||
transform: translateY(-1px);
|
||||
box-shadow: 0 4px 12px rgba(0, 0, 0, 0.15);
|
||||
text-decoration: none;
|
||||
}
|
||||
|
||||
.ai-scanner-btn::before {
|
||||
content: '';
|
||||
position: absolute;
|
||||
top: 0;
|
||||
left: 0;
|
||||
right: 0;
|
||||
bottom: 0;
|
||||
background: linear-gradient(45deg, rgba(255,255,255,0.1), rgba(255,255,255,0.3), rgba(255,255,255,0.1));
|
||||
transform: translateX(-100%);
|
||||
transition: transform 0.6s ease;
|
||||
border-radius: 8px;
|
||||
}
|
||||
|
||||
.ai-scanner-btn:hover::before {
|
||||
transform: translateX(100%);
|
||||
}
|
||||
|
||||
.ai-scanner-btn i {
|
||||
font-size: 0.875rem;
|
||||
}
|
||||
|
||||
.ai-scanner-close {
|
||||
background: rgba(255, 255, 255, 0.1);
|
||||
border: 1px solid rgba(255, 255, 255, 0.2);
|
||||
color: white;
|
||||
font-size: 1rem;
|
||||
cursor: pointer;
|
||||
padding: 8px;
|
||||
border-radius: 6px;
|
||||
transition: all 0.2s ease;
|
||||
backdrop-filter: blur(10px);
|
||||
}
|
||||
|
||||
.ai-scanner-close:hover {
|
||||
background: rgba(255, 255, 255, 0.2);
|
||||
transform: scale(1.05);
|
||||
}
|
||||
|
||||
/* Adjust main content when AI scanner banner is shown */
|
||||
.ai-scanner-shown #main-content {
|
||||
padding-top: 180px;
|
||||
}
|
||||
|
||||
/* Both banners shown */
|
||||
.notification-shown.ai-scanner-shown #main-content {
|
||||
padding-top: 220px;
|
||||
}
|
||||
|
||||
.notification-shown .ai-scanner-banner {
|
||||
top: 130px;
|
||||
}
|
||||
|
||||
/* Mobile responsive styles for AI Scanner banner */
|
||||
@media (max-width: 768px) {
|
||||
.ai-scanner-banner {
|
||||
left: 0;
|
||||
padding: 12px 20px;
|
||||
}
|
||||
|
||||
.ai-scanner-content {
|
||||
gap: 1rem;
|
||||
flex-wrap: wrap;
|
||||
}
|
||||
|
||||
.ai-scanner-text {
|
||||
min-width: 200px;
|
||||
}
|
||||
|
||||
.ai-scanner-main-text {
|
||||
font-size: 0.9rem;
|
||||
}
|
||||
|
||||
.ai-scanner-sub-text {
|
||||
font-size: 0.8rem;
|
||||
}
|
||||
|
||||
.ai-scanner-btn {
|
||||
padding: 10px 20px;
|
||||
font-size: 0.8rem;
|
||||
}
|
||||
|
||||
.ai-scanner-icon {
|
||||
padding: 10px;
|
||||
}
|
||||
|
||||
.ai-scanner-icon i {
|
||||
font-size: 1.25rem;
|
||||
}
|
||||
}
|
||||
|
||||
@media (max-width: 480px) {
|
||||
.ai-scanner-content {
|
||||
flex-direction: column;
|
||||
align-items: stretch;
|
||||
gap: 12px;
|
||||
}
|
||||
|
||||
.ai-scanner-actions {
|
||||
justify-content: center;
|
||||
}
|
||||
|
||||
.ai-scanner-close {
|
||||
position: absolute;
|
||||
top: 8px;
|
||||
right: 8px;
|
||||
}
|
||||
}
|
||||
|
||||
/* Scrollbar */
|
||||
::-webkit-scrollbar {
|
||||
width: 8px;
|
||||
@@ -1429,6 +1628,28 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- AI Scanner Security Notice -->
|
||||
<div id="ai-scanner-notification" class="ai-scanner-banner">
|
||||
<div class="ai-scanner-content">
|
||||
<div class="ai-scanner-icon">
|
||||
<i class="fas fa-brain"></i>
|
||||
</div>
|
||||
<div class="ai-scanner-text">
|
||||
<span class="ai-scanner-main-text">🛡️ Secure your websites with AI-powered malware detection</span>
|
||||
<span class="ai-scanner-sub-text">Advanced threat detection • Real-time scanning • Zero false positives</span>
|
||||
</div>
|
||||
<div class="ai-scanner-actions">
|
||||
<a href="/aiscanner/" class="ai-scanner-btn">
|
||||
<i class="fas fa-rocket"></i>
|
||||
Start AI Security Scan
|
||||
</a>
|
||||
</div>
|
||||
<button class="ai-scanner-close" onclick="dismissAIScannerNotification()">
|
||||
<i class="fas fa-times"></i>
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Main Content -->
|
||||
<div id="main-content">
|
||||
{% block content %}{% endblock %}
|
||||
@@ -1542,9 +1763,40 @@
|
||||
sessionStorage.setItem('backupNotificationDismissed', 'true');
|
||||
}
|
||||
|
||||
// Check backup status when page loads
|
||||
// AI Scanner Notification Functions
|
||||
function checkAIScannerStatus() {
|
||||
// Check if user has dismissed the notification in this session
|
||||
if (sessionStorage.getItem('aiScannerNotificationDismissed') === 'true') {
|
||||
return;
|
||||
}
|
||||
|
||||
// Check if we're not already on the AI Scanner page
|
||||
if (!window.location.href.includes('aiscanner')) {
|
||||
showAIScannerNotification();
|
||||
}
|
||||
}
|
||||
|
||||
function showAIScannerNotification() {
|
||||
const banner = document.getElementById('ai-scanner-notification');
|
||||
const body = document.body;
|
||||
banner.classList.add('show');
|
||||
body.classList.add('ai-scanner-shown');
|
||||
}
|
||||
|
||||
function dismissAIScannerNotification() {
|
||||
const banner = document.getElementById('ai-scanner-notification');
|
||||
const body = document.body;
|
||||
banner.classList.remove('show');
|
||||
body.classList.remove('ai-scanner-shown');
|
||||
// Remember dismissal for this session
|
||||
sessionStorage.setItem('aiScannerNotificationDismissed', 'true');
|
||||
}
|
||||
|
||||
// Check both notification statuses when page loads
|
||||
document.addEventListener('DOMContentLoaded', function() {
|
||||
checkBackupStatus();
|
||||
// Show AI Scanner notification with a slight delay for better UX
|
||||
setTimeout(checkAIScannerStatus, 1000);
|
||||
});
|
||||
</script>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user