diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py index 0887e9297..8aa39b79e 100755 --- a/CyberCP/secMiddleware.py +++ b/CyberCP/secMiddleware.py @@ -60,18 +60,7 @@ class secMiddleware: break if type(value) == str or type(value) == bytes: pass - else: - continue - - if key == 'backupDestinations': - if re.match('^[a-z|0-9]+:[a-z|0-9|\.]+\/?[A-Z|a-z|0-9|\.]*$', value) == None and value != 'local': - logging.writeToFile(request.body) - final_dic = {'error_message': "Data supplied is not accepted.", - "errorMessage": "Data supplied is not accepted."} - final_json = json.dumps(final_dic) - return HttpResponse(final_json) - - if type(value) == list: + elif type(value) == list: for items in value: if items.find('- -') > -1 or items.find('\n') > -1 or items.find(';') > -1 or items.find( '&&') > -1 or items.find('|') > -1 or items.find('...') > -1 \ @@ -87,31 +76,55 @@ class secMiddleware: final_json = json.dumps(final_dic) return HttpResponse(final_json) else: - if request.build_absolute_uri().find('api/remoteTransfer') > -1 or request.build_absolute_uri().find('api/verifyConn') > -1 or request.build_absolute_uri().find('webhook') > -1 or request.build_absolute_uri().find('saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find('docker') > -1 or request.build_absolute_uri().find('cloudAPI') > -1 or request.build_absolute_uri().find('verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1: - continue - if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \ - or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \ - or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \ - or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \ - or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow': - continue - if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find('&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \ - or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \ - or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find("{") > -1 or value.find("}") > -1\ - or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1: + continue + + if key == 'backupDestinations': + if re.match('^[a-z|0-9]+:[a-z|0-9|\.]+\/?[A-Z|a-z|0-9|\.]*$', value) == None and value != 'local': logging.writeToFile(request.body) - final_dic = {'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.", - "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} - final_json = json.dumps(final_dic) - return HttpResponse(final_json) - if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \ - or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \ - or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find("{") > -1 or key.find("}") > -1\ - or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1: - logging.writeToFile(request.body) - final_dic = {'error_message': "Data supplied is not accepted.", "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} + final_dic = {'error_message': "Data supplied is not accepted.", + "errorMessage": "Data supplied is not accepted."} final_json = json.dumps(final_dic) return HttpResponse(final_json) + + if request.build_absolute_uri().find( + 'api/remoteTransfer') > -1 or request.build_absolute_uri().find( + 'api/verifyConn') > -1 or request.build_absolute_uri().find( + 'webhook') > -1 or request.build_absolute_uri().find( + 'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find( + 'docker') > -1 or request.build_absolute_uri().find( + 'cloudAPI') > -1 or request.build_absolute_uri().find( + 'verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1: + continue + if key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \ + or key == 'imageByPass' or key == 'passwordByPass' or key == 'cronCommand' \ + or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \ + or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \ + or key == 'fileContent' or key == 'commands' or key == 'gitHost' or key == 'ipv6' or key == 'contentNow': + continue + if value.find('- -') > -1 or value.find('\n') > -1 or value.find(';') > -1 or value.find( + '&&') > -1 or value.find('|') > -1 or value.find('...') > -1 \ + or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find( + ")") > -1 \ + or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find( + "{") > -1 or value.find("}") > -1 \ + or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1: + logging.writeToFile(request.body) + final_dic = { + 'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.", + "errorMessage": "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} + final_json = json.dumps(final_dic) + return HttpResponse(final_json) + if key.find(';') > -1 or key.find('&&') > -1 or key.find('|') > -1 or key.find('...') > -1 \ + or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \ + or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find( + "{") > -1 or key.find("}") > -1 \ + or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1: + logging.writeToFile(request.body) + final_dic = {'error_message': "Data supplied is not accepted.", + "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."} + final_json = json.dumps(final_dic) + return HttpResponse(final_json) + except BaseException as msg: logging.writeToFile(str(msg)) response = self.get_response(request) diff --git a/plogical/test.py b/plogical/test.py index 380d3040c..e69de29bb 100644 --- a/plogical/test.py +++ b/plogical/test.py @@ -1,16 +0,0 @@ -hey = ['hey', 'aaa', 'aaa', 'adssad'] -aaa='aaa' -print(type(hey)) -print(type(aaa)) -print(hasattr(hey, "__len__")) -print(hasattr(aaa, "__len__")) - -if type(hey) == list: - print('list') -else: - print('hey not list') - -if type(aaa) == list: - print('aaa') -else: - print('aaa not list') \ No newline at end of file