security improvments

usmannasir · Jan 22, 2024 · 01e7fa6 · 01e7fa6
1 parent d115168
commit 01e7fa6
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 33 deletions.
diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py
@@ -1,4 +1,6 @@
 # coding=utf-8
+import os.path
+
 from plogical.CyberCPLogFileWriter import CyberCPLogFileWriter as logging
 from django.shortcuts import HttpResponse, render
 import json
@@ -51,8 +53,19 @@ def __call__(self, request):
         except:
             pass
 
+        from plogical.processUtilities import ProcessUtilities
+
+        if os.path.exists(ProcessUtilities.debugPath):
+            logging.writeToFile(request.build_absolute_uri())
+
+        FinalURL = request.build_absolute_uri().split('?')[0]
+
+        if os.path.exists(ProcessUtilities.debugPath):
+            logging.writeToFile(f'Final actual URL without QS {FinalURL}')
+
         if request.method == 'POST':
             try:
+
                 # logging.writeToFile(request.body)
                 data = json.loads(request.body)
                 for key, value in data.items():
@@ -68,7 +81,7 @@ def __call__(self, request):
                                 "(") > -1 or items.find(")") > -1 \
                                     or items.find("'") > -1 or items.find("[") > -1 or items.find(
                                 "]") > -1 or items.find("{") > -1 or items.find("}") > -1 \
-                                    or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1:
+                                    or items.find(":") > -1 or items.find("<") > -1 or items.find(">") > -1 or items.find("&") > -1:
                                 logging.writeToFile(request.body)
                                 final_dic = {
                                     'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
@@ -87,14 +100,14 @@ def __call__(self, request):
                             final_json = json.dumps(final_dic)
                             return HttpResponse(final_json)
 
-                    if request.build_absolute_uri().find(
-                            'api/remoteTransfer') > -1 or request.build_absolute_uri().find(
-                        'api/verifyConn') > -1 or request.build_absolute_uri().find(
-                        'webhook') > -1 or request.build_absolute_uri().find(
-                        'saveSpamAssassinConfigurations') > -1 or request.build_absolute_uri().find(
-                        'docker') > -1 or request.build_absolute_uri().find(
-                        'cloudAPI') > -1 or request.build_absolute_uri().find(
-                        'verifyLogin') > -1 or request.build_absolute_uri().find('submitUserCreation') > -1:
+                    if FinalURL.find(
+                            'api/remoteTransfer') > -1 or FinalURL.find(
+                        'api/verifyConn') > -1 or FinalURL.find(
+                        'webhook') > -1 or FinalURL.find(
+                        'saveSpamAssassinConfigurations') > -1 or FinalURL.find(
+                        'docker') > -1 or FinalURL.find(
+                        'cloudAPI') > -1 or FinalURL.find(
+                        'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
                         continue
                     if key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
                             or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \
@@ -108,7 +121,7 @@ def __call__(self, request):
                         ")") > -1 \
                             or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
                         "{") > -1 or value.find("}") > -1 \
-                            or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+                            or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1:
                         logging.writeToFile(request.body)
                         final_dic = {
                             'error_message': "Data supplied is not accepted, following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >.",
@@ -119,7 +132,7 @@ def __call__(self, request):
                             or key.find("`") > -1 or key.find("$") > -1 or key.find("(") > -1 or key.find(")") > -1 \
                             or key.find("'") > -1 or key.find("[") > -1 or key.find("]") > -1 or key.find(
                         "{") > -1 or key.find("}") > -1 \
-                            or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1:
+                            or key.find(":") > -1 or key.find("<") > -1 or key.find(">") > -1 or key.find("&") > -1:
                         logging.writeToFile(request.body)
                         final_dic = {'error_message': "Data supplied is not accepted.",
                                      "errorMessage": "Data supplied is not accepted following characters are not allowed in the input ` $ & ( ) [ ] { } ; : ‘ < >."}

diff --git a/api/views.py b/api/views.py
@@ -535,11 +535,10 @@ def FetchRemoteTransferStatus(request):
             dir = "/home/backup/transfer-"+str(data['dir'])+"/backup_log"
 
             try:
-                command = f"cat {dir}"
-                status = ProcessUtilities.outputExecutioner(command)
-
 
                 if hashPassword.check_password(admin.password, password):
+                    command = f"cat {dir}"
+                    status = ProcessUtilities.outputExecutioner(command)
 
                     final_json = json.dumps({'fetchStatus': 1, 'error_message': "None", "status": status})
                     return HttpResponse(final_json)

diff --git a/cloudAPI/cloudManager.py b/cloudAPI/cloudManager.py
@@ -344,6 +344,12 @@ def issueSSL(self, request):
     def statusFunc(self):
         try:
             statusFile = self.data['statusFile']
+
+            if not statusFile.startswith('/home/cyberpanel'):
+                data_ret = {'status': 0, 'abort': 0, 'installationProgress': "0", }
+                json_data = json.dumps(data_ret)
+                return HttpResponse(json_data)
+
             statusData = open(statusFile, 'r').readlines()
             try:
                 lastLine = statusData[-1]

diff --git a/cloudAPI/views.py b/cloudAPI/views.py
@@ -24,13 +24,11 @@ def router(request):
         if admin.api == 0:
             return cm.ajaxPre(0, 'API Access Disabled.')
 
-        if controller == 'statusFunc':
+        if cm.verifyLogin(request)[0] == 1:
             pass
         else:
-            if cm.verifyLogin(request)[0] == 1:
-                pass
-            else:
-                return cm.verifyLogin(request)[1]
+            return cm.verifyLogin(request)[1]
+
 
         ## Debug Log
 

diff --git a/filemanager/views.py b/filemanager/views.py
@@ -144,7 +144,7 @@ def upload(request):
             else:
                 return ACLManager.loadErrorJson()
         except:
-            pass
+            return ACLManager.loadErrorJson()
 
         fm = FM(request, data)
         return fm.upload()

diff --git a/plogical/acl.py b/plogical/acl.py
@@ -147,7 +147,7 @@ def commandInjectionCheck(value):
                     or value.find("`") > -1 or value.find("$") > -1 or value.find("(") > -1 or value.find(")") > -1 \
                     or value.find("'") > -1 or value.find("[") > -1 or value.find("]") > -1 or value.find(
                 "{") > -1 or value.find("}") > -1 \
-                    or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1:
+                    or value.find(":") > -1 or value.find("<") > -1 or value.find(">") > -1 or value.find("&") > -1:
                 return 1
             else:
                 return 0

diff --git a/plogical/hashPassword.py b/plogical/hashPassword.py
@@ -1,18 +1,35 @@
-import uuid
-import hashlib
+# import uuid
+# import hashlib
+# import base64
+#
+# def hash_password(password):
+#     # uuid is used to generate a random number
+#     salt = uuid.uuid4().hex
+#     return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
+#
+#
+# def check_password(hashed_password, user_password):
+#     password, salt = hashed_password.split(':')
+#     return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
+#
+# def generateToken(serverUserName, serverPassword):
+#     credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
+#     encoded_credentials = base64.b64encode(credentials).decode()
+#     return 'Basic {0}'.format(encoded_credentials)
+
+
+import bcrypt
 import base64
+import secrets
 
 def hash_password(password):
-    # uuid is used to generate a random number
-    salt = uuid.uuid4().hex
-    return hashlib.sha256(salt.encode() + password.encode()).hexdigest() + ':' + salt
-
+    salt = bcrypt.gensalt()
+    hashed_password = bcrypt.hashpw(password.encode(), salt)
+    return hashed_password.decode()
 
 def check_password(hashed_password, user_password):
-    password, salt = hashed_password.split(':')
-    return password == hashlib.sha256(salt.encode() + user_password.encode()).hexdigest()
+    return bcrypt.checkpw(user_password.encode(), hashed_password.encode())
 
-def generateToken(serverUserName, serverPassword):
-    credentials = '{0}:{1}'.format(serverUserName, serverPassword).encode()
-    encoded_credentials = base64.b64encode(credentials).decode()
-    return 'Basic {0}'.format(encoded_credentials)
+def generate_token():
+    token = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
+    return token