mirror of
https://github.com/usmannasir/cyberpanel.git
synced 2025-11-06 21:35:55 +01:00
Update secMiddleware.py
This commit is contained in:
Master3395
@@ -1,11 +1,11 @@
|
|||||||
# coding=utf-8
|
# coding=utf-8
|
||||||
|
from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
|
||||||
|
from django.shortcuts import HttpResponse, render
|
||||||
import json
|
import json
|
||||||
import re
|
import re
|
||||||
from django.shortcuts import HttpResponse, render
|
|
||||||
from loginSystem.models import Administrator
|
from loginSystem.models import Administrator
|
||||||
|
|
||||||
class secMiddleware:
|
class secMiddleware:
|
||||||
|
|
||||||
HIGH = 0
|
HIGH = 0
|
||||||
LOW = 1
|
LOW = 1
|
||||||
|
|
||||||
@@ -22,7 +22,7 @@ class secMiddleware:
|
|||||||
try:
|
try:
|
||||||
uID = request.session['userID']
|
uID = request.session['userID']
|
||||||
admin = Administrator.objects.get(pk=uID)
|
admin = Administrator.objects.get(pk=uID)
|
||||||
ipAddr = self.get_client_ip(request)
|
ipAddr = get_client_ip(request)
|
||||||
|
|
||||||
if ipAddr.find('.') > -1:
|
if ipAddr.find('.') > -1:
|
||||||
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
|
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
|
||||||
@@ -30,17 +30,19 @@ class secMiddleware:
|
|||||||
else:
|
else:
|
||||||
del request.session['userID']
|
del request.session['userID']
|
||||||
del request.session['ipAddr']
|
del request.session['ipAddr']
|
||||||
|
logging.writeToFile(get_client_ip(request))
|
||||||
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
|
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
|
||||||
"errorMessage": "Session reuse detected, IPAddress logged."}
|
"errorMessage": "Session reuse detected, IPAddress logged."}
|
||||||
final_json = json.dumps(final_dic)
|
final_json = json.dumps(final_dic)
|
||||||
return HttpResponse(final_json)
|
return HttpResponse(final_json)
|
||||||
else:
|
else:
|
||||||
ipAddr = self.get_client_ip(request).split(':')[:3]
|
ipAddr = get_client_ip(request).split(':')[:3]
|
||||||
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
|
if request.session['ipAddr'] == ipAddr or admin.securityLevel == secMiddleware.LOW:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
del request.session['userID']
|
del request.session['userID']
|
||||||
del request.session['ipAddr']
|
del request.session['ipAddr']
|
||||||
|
logging.writeToFile(get_client_ip(request))
|
||||||
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
|
final_dic = {'error_message': "Session reuse detected, IPAddress logged.",
|
||||||
"errorMessage": "Session reuse detected, IPAddress logged."}
|
"errorMessage": "Session reuse detected, IPAddress logged."}
|
||||||
final_json = json.dumps(final_dic)
|
final_json = json.dumps(final_dic)
|
||||||
@@ -50,6 +52,7 @@ class secMiddleware:
|
|||||||
|
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
try:
|
try:
|
||||||
|
#logging.writeToFile(request.body)
|
||||||
data = json.loads(request.body)
|
data = json.loads(request.body)
|
||||||
for key, value in data.items():
|
for key, value in data.items():
|
||||||
if request.path.find('gitNotify') > -1:
|
if request.path.find('gitNotify') > -1:
|
||||||
@@ -58,10 +61,17 @@ class secMiddleware:
|
|||||||
pass
|
pass
|
||||||
elif type(value) == list:
|
elif type(value) == list:
|
||||||
for items in value:
|
for items in value:
|
||||||
if any(char in items for char in ['$','&','(',')','[',']','{','}',';','‘','<','>']):
|
if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find(
|
||||||
|
'&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \
|
||||||
|
or items.find("`") > -1 or items.find("$") > -1 or items.find(
|
||||||
|
"(") > -1 or items.find(")") > -1 \
|
||||||
|
or items.find("'") > -1 or items.find("[") > -1 or items.find(
|
||||||
|
"]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
|
||||||
|
or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
|
||||||
|
logging.writeToFile(request.body)
|
||||||
final_dic = {
|
final_dic = {
|
||||||
'error_message': "Data supplied is not accepted, following characters are not allowed in the input `$ & ( ) [ ] { } ; : ‘ < >.",
|
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
|
||||||
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input `$ & ( ) [ ] { } ; : ‘ < >."}
|
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||||
final_json = json.dumps(final_dic)
|
final_json = json.dumps(final_dic)
|
||||||
return HttpResponse(final_json)
|
return HttpResponse(final_json)
|
||||||
else:
|
else:
|
||||||
@@ -69,6 +79,7 @@ class secMiddleware:
|
|||||||
|
|
||||||
if key == 'backupDestinations':
|
if key == 'backupDestinations':
|
||||||
if re.match('^[a-z|0-9]+:[a-z|0-9|\.]+\/?[A-Z|a-z|0-9|\.]*$', value) == None and value != 'local':
|
if re.match('^[a-z|0-9]+:[a-z|0-9|\.]+\/?[A-Z|a-z|0-9|\.]*$', value) == None and value != 'local':
|
||||||
|
logging.writeToFile(request.body)
|
||||||
final_dic = {'error_message': "Data supplied is not accepted.",
|
final_dic = {'error_message': "Data supplied is not accepted.",
|
||||||
"errorMessage": "Data supplied is not accepted."}
|
"errorMessage": "Data supplied is not accepted."}
|
||||||
final_json = json.dumps(final_dic)
|
final_json = json.dumps(final_dic)
|
||||||
@@ -76,7 +87,7 @@ class secMiddleware:
|
|||||||
|
|
||||||
if request.build_absolute_uri().find(
|
if request.build_absolute_uri().find(
|
||||||
'api/remoteTransfer') > -1 or request.build_absolute_uri().find(
|
'api/remoteTransfer') > -1 or request.build_absolute_uri().find(
|
||||||
'api/verifyConn') >-1 or request.build_absolute_uri().find(
|
'api/verifyConn') > -1 or request.build_absolute_uri().find(
|
||||||
'webhook') > -1 or request.build_absolute_uri().find(
|
'webhook') > -1 or request.build_absolute_uri().find(
|
||||||
'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find(
|
'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find(
|
||||||
'docker') > -1 or request.build_absolute_uri().find(
|
'docker') > -1 or request.build_absolute_uri().find(
|
||||||
@@ -95,10 +106,11 @@ class secMiddleware:
|
|||||||
")") > -1 \
|
")") > -1 \
|
||||||
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
|
or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
|
||||||
"{") > -1 or value.find("}") > -1 \
|
"{") > -1 or value.find("}") > -1 \
|
||||||
or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
|
or value.find(":") > -1 or value.find("<") >-1 or value.find(">") > -1:
|
||||||
|
logging.writeToFile(request.body)
|
||||||
final_dic = {
|
final_dic = {
|
||||||
'error_message': "Data supplied is not accepted, following characters are not allowed in the input `$ & ( ) [ ] { } ; : ‘ < >.",
|
'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
|
||||||
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input `$ & ( ) [ ] { } ; : ‘ < >."}
|
"errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||||
final_json = json.dumps(final_dic)
|
final_json = json.dumps(final_dic)
|
||||||
return HttpResponse(final_json)
|
return HttpResponse(final_json)
|
||||||
if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
|
if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \
|
||||||
@@ -106,8 +118,9 @@ class secMiddleware:
|
|||||||
or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(
|
or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(
|
||||||
"{") > -1 or key.find("}") > -1 \
|
"{") > -1 or key.find("}") > -1 \
|
||||||
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
|
or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
|
||||||
|
logging.writeToFile(request.body)
|
||||||
final_dic = {'error_message': "Data supplied is not accepted.",
|
final_dic = {'error_message': "Data supplied is not accepted.",
|
||||||
"errorMessage": "Data supplied is not accepted following characters are not allowed in the input `$ & ( ) [ ] { } ; : ‘ < >."}
|
"errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}
|
||||||
final_json = json.dumps(final_dic)
|
final_json = json.dumps(final_dic)
|
||||||
return HttpResponse(final_json)
|
return HttpResponse(final_json)
|
||||||
|
|
||||||
@@ -115,6 +128,14 @@ class secMiddleware:
|
|||||||
logging.writeToFile(str(msg))
|
logging.writeToFile(str(msg))
|
||||||
response = self.get_response(request)
|
response = self.get_response(request)
|
||||||
return response
|
return response
|
||||||
|
# else:
|
||||||
|
# try:
|
||||||
|
# if request.path.find('cloudAPI/') > -1 or request.path.find('api/') > -1:
|
||||||
|
# pass
|
||||||
|
# else:
|
||||||
|
# uID = request.session['userID']
|
||||||
|
# except:
|
||||||
|
# return render(request, 'loginSystem/login.html', {})
|
||||||
|
|
||||||
response = self.get_response(request)
|
response = self.get_response(request)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user