Releases: GhostManager/Ghostwriter
Ghostwriter v4.1.0-rc2
Summary
This release includes some enhancements and bug fixes from v4.1.0-rc1.
CHANGELOG
[4.1.0-rc2] - 15 March 2024
Added
- Added a `getExtraFieldSpec` query to the GraphQL API that returns the extra field specification for a model
  - This query is useful for extensions that need to know the extra fields available for a model
- Added a note to the WYSIWYG editor to call out that the browser's own context menu can still be opened with CTRL+right-click
- Added a new `hostname` configuration option to the General Settings in the admin panel
  - This option allows you to set the hostname for the Ghostwriter server
  - The hostname is used to generate links in Slack notifications and other places where a link to the server is needed
Changed
- Default values for extra fields are now set when creating a new entry with empty extra fields
  - Default values now appear in the edit forms for the entries
  - The default value must be set before the entry is created for it to appear in the form or be applied as the default
Ghostwriter v4.1.0-rc1
Summary
This is a release candidate for Ghostwriter v4.1.0. This version introduces numerous significant changes to Ghostwriter. Deploying this for production use is not recommended at this time. We are providing this release for testing and feedback. Please read about the changes below and provide feedback to help us make this a great release!
We will update the Ghostwriter Wiki with documentation for these new features soon. We will publish the documentation when we are close to a final release to avoid any confusion. For now, please direct questions to the team in the #ghostwriter channel in our Slack Workspace (linked on the main README).
CHANGELOG
[4.1.0-rc1] - 22 February 2024
Added
- Added support for creating custom fields for findings, domains, servers, projects, clients, and activity log entries
  - Custom field types include text, integer, float, boolean, and formatted text
  - Custom fields can be added, edited, and deleted via the admin panel
  - Formatted text fields use the WYSIWYG editor for formatting
  - Formatting carries over to report templates like formatted text in findings
  - Custom fields are available in the report template context
- Added support for using Jinja2 and report context data inside formatted text fields
  - You can reference `{{ client.name }}` to insert the client's name into a formatted text field
  - You can also use Jinja2 filters and functions to manipulate the data (e.g., `{{ client.name|upper }}` to make the client's name uppercase)
- Added the ability to preview formatted text fields in the interface
  - Formatted text fields can be previewed with the new "Preview" button that appears next to them in the interface
  - Any evidence referenced in the formatted text field will also be displayed in the preview (rather than just the reference text)
  - Jinja2 statements and expressions will appear as text in the preview because they are only evaluated when the report template is rendered
- Added support for tables in the WYSIWYG editor (Closes #355)
  - Tables use the Table Grid style in the Microsoft Word templates
  - Thank you for the contribution, @domwhewell!
- Added support for inserting page breaks in the WYSIWYG editor
  - Page breaks carry over to the Microsoft Word templates
- Added an option to "sanitize" activity logs as an alternative to deleting them to remove sensitive information
  - Sanitizing an activity log will remove selected data from all log entries in the log
- Added a new library for "observations"
  - These observations are similar to findings but much simpler
  - The base model includes a title, description, and tags and can be used to track positive observations for a project
  - The model is also highly customizable with support for custom fields (see the first item)
  - Added user permissions to control who can create, edit, and delete observations in the library
- Added support for footer information (e.g., date, footer text, and slide numbers) in the PowerPoint report templates
  - The footer information is set in your slide deck templates
- Added a configuration option for the target report delivery date
  - The target date is configured as a number of business days from the project's end date
- Added a report configuration option to enforce title case for captions
  - If enabled, this option will enforce title case for all evidence captions in a report
  - An accompanying exclusion list allows you to specify words (e.g., articles) that should not be title cased
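The caption title-casing with an exclusion list described above, written out as an added example (this is not Ghostwriter's code). The release notes only specify that listed words are not title-cased; the rest of the behaviour here is assumed: the first word is always capitalised, all-caps tokens are treated as acronyms and left alone, and hyphenated words are capitalised part by part. The exclusion list itself is a constructed stand-in for the per-report setting.

```python
"""Enforce title case on evidence captions, honouring an exclusion list.

Added example; not Ghostwriter's implementation. The release notes only say
that listed words (e.g. articles) are not title-cased. Everything else here
is an assumption about sensible behaviour: the first word is always
capitalised, all-caps tokens are treated as acronyms and left alone, and
hyphenated words are capitalised part by part.
"""
from __future__ import annotations

import re

# Constructed exclusion list standing in for the per-report setting.
DEFAULT_EXCLUSIONS = frozenset(
    {"a", "an", "the", "and", "or", "of", "in", "on", "for", "to", "with"}
)


def _capitalise(word: str) -> str:
    """Upper-case only the first letter.

    str.title() is deliberately avoided: it rewrites "SQLi" as "Sqli" and
    "it's" as "It'S", which is the wrong result for a security report.
    """
    if len(word) > 1 and word.isupper():
        return word  # acronym such as "SMB" or "JWT"
    return word[:1].upper() + word[1:]


def title_case_caption(caption: str, exclusions=DEFAULT_EXCLUSIONS) -> str:
    """Title-case `caption`, lower-casing excluded words after the first."""
    excluded = {w.lower() for w in exclusions}
    pieces = re.split(r"(\s+)", caption.strip())  # keep whitespace runs intact
    seen_first_word = False
    out = []
    for piece in pieces:
        if not piece or piece.isspace():
            out.append(piece)
            continue
        parts = piece.split("-")  # "cross-site" -> ["cross", "site"]
        if seen_first_word and piece.lower() in excluded:
            parts = [p.lower() for p in parts]
        else:
            parts = [_capitalise(p) for p in parts]
        seen_first_word = True
        out.append("-".join(parts))
    return "".join(out)


if __name__ == "__main__":
    for text in (
        "screenshot of the login form",
        "the SQLi payload in the search field",
        "cross-site request forgery on an admin page",
    ):
        print(f"{text!r} -> {title_case_caption(text)!r}")
```

Excluded words that already appear capitalised in the caption are lowered, so the option genuinely enforces a single style rather than only fixing the lowercase cases.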
Changed
- The WYSIWYG editor's toolbar and context menu have been updated to support the new table and page break features and make it easier to apply styles
- Project and report dashboards were redesigned to improve the layout and support the new custom fields
  - Report dashboards now display the global report configuration for easier reference
- Added tags to the lists of findings, domains, and servers
- Uploaded evidence files can now be linked to a report rather than a finding
  - This change allows evidence files to be used in multiple findings and in the new custom formatted text fields
- When viewing an evidence file, the file contents are now displayed in the interface as they will appear in the report
  - This change allows you to preview the evidence file's contents with your border and caption before adding it to a report
  - Border width and color and the figure label come from the global report configuration in the admin panel
- PowerPoint slide decks now include "Assessment Timeline" and "Observations" slides
  - The "Assessment Timeline" slide includes a table pre-populated with the project's start date, end date, and target report delivery date
  - The "Observations" slide(s) are similar to the findings slides but for the new observations
- Reworked the reporting engine to reduce complexity and pave the way for future enhancements
  - This is mentioned here primarily for developers and integrators who may be working with the reporting engine
Deprecated
- The old "dot" variables used in findings (e.g., `{{.project_start}}` or `{{.client}}`) are no longer necessary and will be removed in a future release
  - The "dot" variables inserted some data previously unavailable while writing a finding inside Ghostwriter
  - The new support for Jinja2 composition inside the WYSIWYG editor makes these old "dot" variables redundant
  - The "dot" variables will still work in this release but are no longer referenced in the documentation
  - This deprecation does not include `{{.ref }}` or `{{.caption }}`, which will continue to be used for captions and cross-references
Ghostwriter v4.0.8
Summary
This release includes some minor bug fixes with enhancements to the GraphQL API to make it easier to automate interactions with project objectives.
CHANGELOG
[4.0.8] - 13 February 2024
Added
- Added GraphQL events to update the `deadline` and `markedComplete` fields for project objectives and tasks when these objects are updated via the GraphQL API
- Added a `filter_tags` filter to the reporting engine to allow for filtering findings and other models by their tags
Fixed
- Fixed an issue with the template linter that could cause an error when retrieving undeclared variables under certain conditions
Changed
- Changed the `user` relationship for `objective` to `assignedTo` in the GraphQL schema to better reflect the relationship between objectives and users
Ghostwriter v4.0.7
Summary
This release resolves an issue introduced in v4.0.6 that affected accounts with periods in their usernames.
CHANGELOG
[4.0.7] - 31 January 2024
Fixed
Ghostwriter v4.0.6
Summary
This release includes substantial enhancements to the activity log import feature and security fixes.
CHANGELOG
[4.0.6] - 25 January 2024
Fixed
- Fixed an issue with timestamps in the activity log that could cause an error when importing a CSV file
Changed
- Activity log imports and exports now include the `entry_identifier` field
- Activity log imports now check for duplicate entries based on the `entry_identifier` field and update the existing entry instead of creating a new entry
Security
- Removed the /media location from the Nginx configuration to remove the potential for unauthorized access to uploaded files
  - Please see the security advisory for details: GHSA-p796-9863-mwx8
- Updated Jinja2 to v3.1.3 to address CVE-2024-22195 (an XSS issue in the `xmlattr` filter)
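The Nginx change above, shown as an added illustration rather than Ghostwriter's shipped configuration (the filesystem path, upstream name and port are assumed, and the advisory's specifics are not reproduced here). The general point is that a static `location` for an upload directory lets Nginx serve files straight from disk, so the application's login check never runs for those requests; removing the block makes `/media/` fall through to the application like every other path.

```nginx
# Illustration only, not Ghostwriter's nginx.conf. Paths and upstream assumed.

# BEFORE (weak): Nginx serves uploads directly. Any client that knows or
# guesses a path under /media/ gets the file without authenticating.
location /media/ {
    alias /app/ghostwriter/media/;
}

# AFTER: the /media/ block is gone, so those requests reach the Django
# application through the catch-all location and Django decides whether
# the requester is allowed to see the file.
location / {
    proxy_pass http://django:5000;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

After upgrading, a quick check is to request a known evidence path under `/media/` without a session cookie and confirm the response is a redirect to the login page or an error, not the file itself.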
Ghostwriter v4.0.5
Summary
This release includes some API enhancements and small bug fixes. The API changes should make it easier to automate tasks like project creation via the GraphQL API.
CHANGELOG
[4.0.5] - 12 January 2024
Added
- Added project contacts to the GraphQL schema
- Added user accounts to the GraphQL schema to allow more automation options for project management
- Authenticated accounts can query name, username, email, phone number, and timezone
- Added timezone validation into PostgreSQL to prevent invalid timezones from being saved via the GraphQL API
- Added a new `generateCodename` mutation to the GraphQL API that generates a unique codename for new projects (or whatever else you want to use it for)
Fixed
- Fixed client contacts not loading properly in the drop-down on the project dashboard
Changed
- The `contacts` table is now `clientContact` in the GraphQL API schema for better consistency with other table names
- Updated the GraphQL schema data in DOCS to reflect the latest changes
Ghostwriter v4.0.4
Summary
This is a minor release with some bug fixes and small changes.
CHANGELOG
[4.0.4] - 8 January 2024
Added
- Added a new `regex_search` filter for report templates that allows you to search for a regular expression in a string
Fixed
- Fixed an edge case where a manually edited domain could remain marked as expired on the back end and prevent checkout
Security
- Resolved a potential XSS vulnerability with autocomplete for finding titles (Closes #374)
Ghostwriter v4.0.3
Summary
This release includes some quality-of-life improvements and minor adjustments. Happy holidays!
CHANGELOG
[4.0.3] - 15 December 2023
Added
- Added tracking for which VirusTotal scanners have flagged a domain as malicious to the health check task
- Added a new `entry_identifier` field to activity log entries to make it easier to identify entries when using the GraphQL API
  - The field is an open-ended text field that you can use to track a job ID, UUID, or other identifier for the entry
  - The field has no unique constraints at this time, so you can use it to track multiple entries with the same identifier
  - Logging extensions like the `cobalt_sync` project use this field to avoid duplicate entries when re-syncing
  - The field is hidden by default in the Ghostwriter web UI when viewing log entries
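The `entry_identifier` behaviour described here (v4.0.3) and in the v4.0.6 notes above (imports match on `entry_identifier` and update the existing entry instead of creating a duplicate), as an added example rather than Ghostwriter's import code. It reconciles the two statements that the field is the dedup key and that it has no unique constraint and may be blank: rows with an identifier upsert, rows without one are always inserted, and a repeated identifier within one file updates the row just inserted. The column set and all sample rows are constructed.

```python
"""Upsert activity log rows on entry_identifier during a CSV import.

Added example; not Ghostwriter's import code. It models the two statements
in the release notes: imports match rows on entry_identifier and update the
existing entry rather than duplicating it, and the field is optional with
no unique constraint. Rows with a blank identifier therefore always insert,
and a repeated identifier inside one file updates the row just inserted.
The column set is a constructed subset, not the real export format.
"""
import csv
import io

# Constructed existing log (two entries already in the database).
EXISTING_LOG = [
    {"entry_identifier": "job-001", "command": "whoami", "output": "user"},
    {"entry_identifier": "job-002", "command": "ipconfig", "output": ""},
]

# Constructed re-synced export: job-002 gained output, job-003 appears twice
# (the second line is the C2 framework's corrected record), and two manual
# notes carry no identifier at all.
IMPORT_CSV = """entry_identifier,command,output
job-002,ipconfig,10.0.0.5
job-003,net user,Administrator
job-003,net user /domain,Administrator;DA
,manual note,
,manual note,
"""


def import_entries(existing, csv_text):
    """Merge csv_text into a copy of existing; return (entries, inserted, updated)."""
    entries = [dict(e) for e in existing]           # never mutate the caller's data
    by_id = {e["entry_identifier"]: e for e in entries if e.get("entry_identifier")}
    inserted = updated = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        ident = (row.get("entry_identifier") or "").strip()
        if ident and ident in by_id:
            by_id[ident].update(row)                # same identifier: overwrite fields
            updated += 1
        else:
            entries.append(row)                     # blank or unseen identifier: new entry
            if ident:
                by_id[ident] = row                  # later duplicates in this file update it
            inserted += 1
    return entries, inserted, updated


if __name__ == "__main__":
    merged, ins, upd = import_entries(EXISTING_LOG, IMPORT_CSV)
    print(f"inserted={ins} updated={upd} total={len(merged)}")
    for entry in merged:
        print(entry)
```

Because blank identifiers never match, re-importing a file of hand-written notes will duplicate them; syncing tools should always populate the field, which is exactly why extensions such as `cobalt_sync` set it.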
Fixed
- Fixed client contacts missing from the dropdown menu after assigning a contact (Fixed #175)
Changed
- Adjusted the wording of the reminder message sent for upcoming domain releases in Slack to make it clear the domain would remain checked out until the end of the project
- Improved the Slack message sent when domain names go from "healthy" to "burned"
- Expanded PowerPoint report generation to include new content with information about team members and objectives
- Removed character limits on log entry fields to allow for longer entries
  - This change is most useful for fields that track IP addresses
  - This resolves an issue that could arise when using the `mythic_sync` extension to sync logs with Mythic from a server host with multiple NICs and IPv6 addresses
- Updated the pre-built Ghostwriter CLI binaries to v0.2.17
Ghostwriter v4.0.2
Summary
This release includes some small changes to v4.0.0.
CHANGELOG
[4.0.2] - 14 November 2023
Fixed
- Fixed a report rendering error when a report had no findings
- Fixed an issue with search autocomplete and finding titles with single quotes
- Fixed links for editing scope lists and targets accessed from the project dashboard's dropdown menus
Changed
- The WYSIWYG editor will now automatically expand the height of the editor to fit the content as you type (up to the height of the browser window) (Closes #344)
Security
- Updated the TinyMCE WYSIWYG editor to v5.10.8 to incorporate security fixes into Ghostwriter's self-hosted files
Ghostwriter v4.0.1
Summary
This release includes some small changes to v4.0.0.
CHANGELOG
[4.0.1] - 27 September 2023
Added
- Added `short_name` and `address` fields to the company information for use in report templates (Closes #339)
Fixed
- Fixed the activity log export returning incorrect csv files (Fixes #341)
Changed
- Removed the restriction on backup commands that prevented them from being run if `postgres` was set as the username (Closes #340)