Nemcio/CyberPanel
1
0
Fork 0
mirror of https://github.com/usmannasir/cyberpanel.git synced 2025-11-06 13:25:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

security fix for git manager

Browse Source
This commit is contained in:
Usman Nasir
2020-03-15 21:34:26 +05:00
parent dbb29b11b7
commit 49087440a9
4 changed files with 95 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
plogical/acl.py
View File

@@ -8,15 +8,26 @@ from loginSystem.models import Administrator, ACL
from django.shortcuts import HttpResponse from django.shortcuts import HttpResponse
from packages.models import Package from packages.models import Package
from websiteFunctions.models import Websites, ChildDomains from websiteFunctions.models import Websites, ChildDomains
from dns.models import Domains
import json import json
from subprocess import call, CalledProcessError from subprocess import call, CalledProcessError
from shlex import split from shlex import split
from .CyberCPLogFileWriter import CyberCPLogFileWriter as logging from .CyberCPLogFileWriter import CyberCPLogFileWriter as logging
from dockerManager.models import Containers from dockerManager.models import Containers
from re import M, I, compile
class ACLManager: class ACLManager:
@staticmethod
def validateInput(value, regex = None):
if regex == None:
verifier = compile(r'[\sa-zA-Z0-9_-]+')
else:
verifier = regex
if verifier.match(value):
return 1
else:
return 0
@staticmethod @staticmethod
def commandInjectionCheck(value): def commandInjectionCheck(value):
try: try:

9
plogical/test.py
View File

@@ -0,0 +1,9 @@
import re
verifer = re.compile(r'[a-zA-Z0-9_-]+')
if verifer.match('Helloworld'):
print ('hello world')
else:
print('not hello world')

4
websiteFunctions/templates/websiteFunctions/manageGIT.html
View File

@@ -700,8 +700,8 @@
</div> </div>
</div> </div>
<img title="Delete this commit." ng-click="deleteRecord(record.id)" <!--<img title="Delete this commit." ng-click="deleteRecord(record.id)"
src="{% static 'images/delete.png' %}"> src="{% static 'images/delete.png' %}"> -->
</td> </td>
</tr> </tr>

82
websiteFunctions/website.py
View File

@@ -2938,14 +2938,14 @@ StrictHostKeyChecking no
gitPath = '%s/.git' % (self.folder) gitPath = '%s/.git' % (self.folder)
command = 'ls -la %s' % (gitPath) command = 'ls -la %s' % (gitPath)
if ProcessUtilities.outputExecutioner(command, self.externalApp).find('No such file or directory') > -1: if ProcessUtilities.outputExecutioner(command).find('No such file or directory') > -1:
command = 'cat /home/%s/.ssh/%s.pub' % (self.domain, website.externalApp) command = 'cat /home/%s/.ssh/%s.pub' % (self.domain, website.externalApp)
deploymentKey = ProcessUtilities.outputExecutioner(command) deploymentKey = ProcessUtilities.outputExecutioner(command)
if deploymentKey.find('No such file or directory') > -1: if deploymentKey.find('No such file or directory') > -1:
command = "ssh-keygen -f /home/%s/.ssh/%s -t rsa -N ''" % (self.domain, website.externalApp) command = "ssh-keygen -f /home/%s/.ssh/%s -t rsa -N ''" % (self.domain, website.externalApp)
ProcessUtilities.executioner(command) ProcessUtilities.executioner(command, website.externalApp)
command = 'cat /home/%s/.ssh/%s.pub' % (self.domain, website.externalApp) command = 'cat /home/%s/.ssh/%s.pub' % (self.domain, website.externalApp)
deploymentKey = ProcessUtilities.outputExecutioner(command) deploymentKey = ProcessUtilities.outputExecutioner(command)
@@ -2971,7 +2971,7 @@ StrictHostKeyChecking no
if deploymentKey.find('No such file or directory') > -1: if deploymentKey.find('No such file or directory') > -1:
command = "ssh-keygen -f /home/%s/.ssh/%s -t rsa -N ''" % (self.domain, website.externalApp) command = "ssh-keygen -f /home/%s/.ssh/%s -t rsa -N ''" % (self.domain, website.externalApp)
ProcessUtilities.executioner(command) ProcessUtilities.executioner(command, website.externalApp)
command = 'cat /home/%s/.ssh/%s.pub' % (self.domain, website.externalApp) command = 'cat /home/%s/.ssh/%s.pub' % (self.domain, website.externalApp)
deploymentKey = ProcessUtilities.outputExecutioner(command) deploymentKey = ProcessUtilities.outputExecutioner(command)
@@ -3032,16 +3032,16 @@ StrictHostKeyChecking no
website = Websites.objects.get(domain=self.domain) website = Websites.objects.get(domain=self.domain)
command = 'git -C %s init' % (self.folder) command = 'git -C %s init' % (self.folder)
result = ProcessUtilities.outputExecutioner(command ) result = ProcessUtilities.outputExecutioner(command)
if result.find('Initialized empty Git repository in') > -1: if result.find('Initialized empty Git repository in') > -1:
command = 'git -C %s config --local user.email %s' % (self.folder, website.adminEmail) command = 'git -C %s config --local user.email %s' % (self.folder, website.adminEmail)
ProcessUtilities.executioner(command ) ProcessUtilities.executioner(command)
command = 'git -C %s config --local user.name "%s %s"' % ( command = 'git -C %s config --local user.name "%s %s"' % (
self.folder, website.admin.firstName, website.admin.lastName) self.folder, website.admin.firstName, website.admin.lastName)
ProcessUtilities.executioner(command ) ProcessUtilities.executioner(command)
data_ret = {'status': 1} data_ret = {'status': 1}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
@@ -3073,11 +3073,18 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson('status', 0) return ACLManager.loadErrorJson('status', 0)
## Security checks
if self.folderCheck(): if self.folderCheck():
pass pass
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
if validators.domain(self.gitHost) and ACLManager.validateInput(self.gitUsername) and ACLManager.validateInput(self.gitReponame):
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
### set default ssh key ### set default ssh key
externalApp = Websites.objects.get(domain=self.domain).externalApp externalApp = Websites.objects.get(domain=self.domain).externalApp
@@ -3138,6 +3145,13 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
## Security check
if ACLManager.validateInput(self.branchName):
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
if self.branchName.find('*') > -1: if self.branchName.find('*') > -1:
data_ret = {'status': 0, 'commandStatus': 'Already on this branch.', 'error_message': 'Already on this branch.'} data_ret = {'status': 0, 'commandStatus': 'Already on this branch.', 'error_message': 'Already on this branch.'}
@@ -3181,6 +3195,15 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
## Security check
if ACLManager.validateInput(self.newBranchName):
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
##
command = 'git -C %s checkout -b "%s"' % (self.folder, self.newBranchName) command = 'git -C %s checkout -b "%s"' % (self.folder, self.newBranchName)
commandStatus = ProcessUtilities.outputExecutioner(command ) commandStatus = ProcessUtilities.outputExecutioner(command )
@@ -3218,6 +3241,13 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
# security check
if ACLManager.validateInput(self.commitMessage):
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
## Check if remote exists ## Check if remote exists
command = 'git -C %s add -A' % (self.folder) command = 'git -C %s add -A' % (self.folder)
@@ -3313,16 +3343,16 @@ StrictHostKeyChecking no
command = 'git -C %s config --local core.sshCommand "ssh -i /home/%s/.ssh/%s -o "StrictHostKeyChecking=no""' % ( command = 'git -C %s config --local core.sshCommand "ssh -i /home/%s/.ssh/%s -o "StrictHostKeyChecking=no""' % (
self.folder, self.domain, externalApp) self.folder, self.domain, externalApp)
ProcessUtilities.executioner(command ) ProcessUtilities.executioner(command)
## ##
command = 'git -C %s push' % (self.folder) command = 'git -C %s push' % (self.folder)
commandStatus = ProcessUtilities.outputExecutioner(command ) commandStatus = ProcessUtilities.outputExecutioner(command)
if commandStatus.find('has no upstream branch') > -1: if commandStatus.find('has no upstream branch') > -1:
command = 'git -C %s rev-parse --abbrev-ref HEAD' % (self.folder) command = 'git -C %s rev-parse --abbrev-ref HEAD' % (self.folder)
currentBranch = ProcessUtilities.outputExecutioner(command ).rstrip('\n') currentBranch = ProcessUtilities.outputExecutioner(command).rstrip('\n')
if currentBranch.find('fatal: ambiguous argument') > -1: if currentBranch.find('fatal: ambiguous argument') > -1:
data_ret = {'status': 0, 'error_message': 'You need to commit first.', 'commandStatus': 'You need to commit first.'} data_ret = {'status': 0, 'error_message': 'You need to commit first.', 'commandStatus': 'You need to commit first.'}
@@ -3330,7 +3360,7 @@ StrictHostKeyChecking no
return HttpResponse(json_data) return HttpResponse(json_data)
command = 'git -C %s push --set-upstream origin %s' % (self.folder, currentBranch) command = 'git -C %s push --set-upstream origin %s' % (self.folder, currentBranch)
commandStatus = ProcessUtilities.outputExecutioner(command ) commandStatus = ProcessUtilities.outputExecutioner(command)
if commandStatus.find('Everything up-to-date') == -1 and commandStatus.find('rejected') == -1: if commandStatus.find('Everything up-to-date') == -1 and commandStatus.find('rejected') == -1:
data_ret = {'status': 1, 'commandStatus': commandStatus} data_ret = {'status': 1, 'commandStatus': commandStatus}
@@ -3374,6 +3404,15 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
## Security check
if validators.domain(self.gitHost) and ACLManager.validateInput(self.gitUsername) and ACLManager.validateInput(self.gitReponame):
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
##
if self.overrideData: if self.overrideData:
command = 'rm -rf %s' % (self.folder) command = 'rm -rf %s' % (self.folder)
@@ -3477,7 +3516,7 @@ StrictHostKeyChecking no
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
command = 'cat %s/.gitignore' % (self.folder) command = 'cat %s/.gitignore' % (self.folder)
gitIgnoreContent = ProcessUtilities.outputExecutioner(command ) gitIgnoreContent = ProcessUtilities.outputExecutioner(command, self.externalApp)
if gitIgnoreContent.find('No such file or directory') > -1: if gitIgnoreContent.find('No such file or directory') > -1:
gitIgnoreContent = 'File is currently empty.' gitIgnoreContent = 'File is currently empty.'
@@ -3587,6 +3626,11 @@ StrictHostKeyChecking no
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
return HttpResponse(json_data) return HttpResponse(json_data)
except IndexError:
data_ret = {'status': 0, 'error_message': 'No commits found.'}
json_data = json.dumps(data_ret)
return HttpResponse(json_data)
except BaseException as msg: except BaseException as msg:
data_ret = {'status': 0, 'error_message': str(msg)} data_ret = {'status': 0, 'error_message': str(msg)}
json_data = json.dumps(data_ret) json_data = json.dumps(data_ret)
@@ -3612,6 +3656,15 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
## Security check
if ACLManager.validateInput(self.commit):
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
##
command = 'git -C %s diff-tree --no-commit-id --name-only -r %s' % (self.folder, self.commit) command = 'git -C %s diff-tree --no-commit-id --name-only -r %s' % (self.folder, self.commit)
files = ProcessUtilities.outputExecutioner(command).split('\n') files = ProcessUtilities.outputExecutioner(command).split('\n')
@@ -3645,6 +3698,13 @@ StrictHostKeyChecking no
else: else:
return ACLManager.loadErrorJson() return ACLManager.loadErrorJson()
## security check
if ACLManager.validateInput(self.commit) and self.file.find('..') == -1:
pass
else:
return ACLManager.loadErrorJson('status', 'Invalid characters in your input.')
command = 'git -C %s show %s -- %s/%s' % (self.folder, self.commit, self.folder, self.file.strip('\n').strip(' ')) command = 'git -C %s show %s -- %s/%s' % (self.folder, self.commit, self.folder, self.file.strip('\n').strip(' '))
fileChangedContent = ProcessUtilities.outputExecutioner(command).split('\n') fileChangedContent = ProcessUtilities.outputExecutioner(command).split('\n')