Nemcio/CyberPanel
1
0
Fork 0
mirror of https://github.com/usmannasir/cyberpanel.git synced 2025-11-08 14:26:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

address some security concerns

Browse Source
This commit is contained in:
usmannasir
2024-11-03 14:09:52 +05:00
parent d83c5a998d
commit ba0831f626
4 changed files with 23 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
CyberCP/secMiddleware.py
View File

@@ -144,7 +144,9 @@ class secMiddleware:
'cloudAPI') > -1 or FinalURL.find( 'cloudAPI') > -1 or FinalURL.find(
'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1: 'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
continue continue
if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \ if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' \
or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations'\
or key == 'ports' \
or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \ or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \
or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \ or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \ or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
@@ -176,9 +178,10 @@ class secMiddleware:
return HttpResponse(final_json) return HttpResponse(final_json)
except BaseException as msg: except BaseException as msg:
logging.writeToFile(str(msg)) final_dic = {'error_message': f"Error: {str(msg)}",
response = self.get_response(request) "errorMessage": f"Error: {str(msg)}"}
return response final_json = json.dumps(final_dic)
return HttpResponse(final_json)
else: else:
if os.path.exists(ProcessUtilities.debugPath): if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile('Request does not have a body.') logging.writeToFile('Request does not have a body.')
@@ -197,8 +200,7 @@ class secMiddleware:
response['X-Frame-Options'] = "sameorigin" response['X-Frame-Options'] = "sameorigin"
response['Content-Security-Policy'] = "script-src 'self' https://www.jsdelivr.com" response['Content-Security-Policy'] = "script-src 'self' https://www.jsdelivr.com"
response['Content-Security-Policy'] = "connect-src *;" response['Content-Security-Policy'] = "connect-src *;"
response[ response['Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
'Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
response[ response[
'Content-Security-Policy'] = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.jsdelivr.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net" 'Content-Security-Policy'] = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.jsdelivr.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net"
# response['Content-Security-Policy'] = "default-src 'self' cyberpanel.cloud *.cyberpanel.cloud" # response['Content-Security-Policy'] = "default-src 'self' cyberpanel.cloud *.cyberpanel.cloud"

8
plogical/applicationInstaller.py
View File

@@ -2433,7 +2433,7 @@ class ApplicationInstaller(multi.Thread):
logging.statusWriter(self.tempStatusPath, 'Creating database backup..,10') logging.statusWriter(self.tempStatusPath, 'Creating database backup..,10')
command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp --allow-root --skip-plugins --skip-themes --path={StagingSite.path} db export {self.tempPath}/dbexport-stage.sql' command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp --allow-root --skip-plugins --skip-themes --path={StagingSite.path} db export {self.tempPath}/dbexport-stage.sql'
if ProcessUtilities.executioner(command) == 0: if ProcessUtilities.executioner(command, StagingSite.owner.externalApp) == 0:
raise BaseException('Failed to create database backup of staging site. [404]') raise BaseException('Failed to create database backup of staging site. [404]')
command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp theme path --skip-plugins --skip-themes --allow-root --path={WPSite.path}' command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp theme path --skip-plugins --skip-themes --allow-root --path={WPSite.path}'
@@ -5465,6 +5465,8 @@ class ApplicationInstaller(multi.Thread):
command = f"ls -lh {self.tempPath}/ab" command = f"ls -lh {self.tempPath}/ab"
result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1) result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile(f'Listing files {str(stdout)}') logging.writeToFile(f'Listing files {str(stdout)}')
@@ -5991,7 +5993,7 @@ class ApplicationInstaller(multi.Thread):
#### replace db user #### replace db user
command = f'''sed -i "s/define( 'DB_USER', '.*' );/define( 'DB_USER', '{Finaldbuser}' );/" {WPpath}wp-config.php''' command = f'''sed -i "s/define( 'DB_USER', '.*' );/define( 'DB_USER', '{Finaldbuser}' );/" {WPpath}wp-config.php'''
result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1) result, stdout = ProcessUtilities.outputExecutioner(command, VHuser, None, None, 1)
if result == 0: if result == 0:
raise BaseException(stdout) raise BaseException(stdout)
@@ -6000,7 +6002,7 @@ class ApplicationInstaller(multi.Thread):
### replace db name ### replace db name
command = f'''sed -i "s/define( 'DB_NAME', '.*' );/define( 'DB_NAME', '{Finaldbname}' );/" {WPpath}wp-config.php''' command = f'''sed -i "s/define( 'DB_NAME', '.*' );/define( 'DB_NAME', '{Finaldbname}' );/" {WPpath}wp-config.php'''
result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1) result, stdout = ProcessUtilities.outputExecutioner(command, VHuser, None, None, 1)
if result == 0: if result == 0:
raise BaseException(stdout) raise BaseException(stdout)

5
plogical/firewallUtilities.py
View File

@@ -6,7 +6,10 @@ import sys
import django import django
sys.path.append('/usr/local/CyberCP') sys.path.append('/usr/local/CyberCP')
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "CyberCP.settings") os.environ.setdefault("DJANGO_SETTINGS_MODULE", "CyberCP.settings")
django.setup() try:
django.setup()
except:
pass
import plogical.CyberCPLogFileWriter as logging import plogical.CyberCPLogFileWriter as logging
import argparse import argparse

6
websiteFunctions/website.py
View File

@@ -6623,11 +6623,15 @@ StrictHostKeyChecking no
key = data['key'] key = data['key']
pathToKeyFile = "/home/%s/.ssh/authorized_keys" % (domain) pathToKeyFile = "/home/%s/.ssh/authorized_keys" % (domain)
website = Websites.objects.get(domain=domain)
command = f'chown {website.externalApp}:{website.externalApp} {pathToKeyFile}'
ProcessUtilities.outputExecutioner(command)
execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/firewallUtilities.py" execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/firewallUtilities.py"
execPath = execPath + " deleteSSHKey --key '%s' --path %s" % (key, pathToKeyFile) execPath = execPath + " deleteSSHKey --key '%s' --path %s" % (key, pathToKeyFile)
output = ProcessUtilities.outputExecutioner(execPath) output = ProcessUtilities.outputExecutioner(execPath, website.externalApp)
if output.find("1,None") > -1: if output.find("1,None") > -1:
final_dic = {'status': 1, 'delete_status': 1} final_dic = {'status': 1, 'delete_status': 1}