Merge branch '2.4' of github.com:MISP/MISP into 2.4

2020-10-31 21:24:07 +01:00 · 2020-10-31 21:24:07 +01:00 · 1be6225494
parent baf7897c0c 9768fc9bcc
commit 1be6225494
2 changed files with 21 additions and 3 deletions
--- a/app/Controller/ServersController.php
+++ b/app/Controller/ServersController.php
@ -2002,7 +2002,7 @@ class ServersController extends AppController
            'body' => empty($request['body']) ? '' : $request['body'],
            'url' => $request['url'],
            'http_method' => $request['method'],
-            'use_full_path' => $request['use_full_path'],
+            'use_full_path' => empty($request['use_full_path']) ? false : $request['use_full_path'],
            'show_result' => $request['show_result'],
            'skip_ssl' => $request['skip_ssl_validation'],
            'bookmark' => $request['bookmark'],
@ -2010,9 +2010,9 @@ class ServersController extends AppController
            'timestamp' => $date->getTimestamp()
        );
        if (!empty($request['url'])) {
-            if (empty($request['use_full_path'])) {
+            if (empty($request['use_full_path']) || empty(Configure::read('Security.rest_client_enable_arbitrary_urls'))) {
                $path = preg_replace('#^(://|[^/?])+#', '', $request['url']);
-                $url = Configure::read('MISP.baseurl') . $path;
+                $url = empty(Configure::read('Security.rest_client_baseurl')) ? (Configure::read('MISP.baseurl') . $path) : (Configure::read('Security.rest_client_baseurl') . $path);
                unset($request['url']);
            } else {
                $url = $request['url'];
@ -2082,6 +2082,7 @@ class ServersController extends AppController
        }
        $view_data['duration'] = microtime(true) - $start;
        $view_data['duration'] = round($view_data['duration'] * 1000, 2) . 'ms';
+        $view_data['url'] = $url;
        $view_data['code'] =  $response->code;
        $view_data['headers'] = $response->headers;
        if (!empty($request['show_result'])) {
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
@ -1309,6 +1309,23 @@ class Server extends AppModel
                                'editable' => false,
                                'redacted' => true
                        ),
+                        'rest_client_enable_arbitrary_urls' => array(
+                            'level' => 0,
+                            'description' => __('Enable this setting if you wish for users to be able to query any arbitrary URL via the rest client. Keep in mind that queries are executed by the MISP server, so internal IPs in your MISP\'s network may be reachable.'),
+                            'value' => false,
+                            'errorMessage' => '',
+                            'test' => 'testBool',
+                            'type' => 'boolean',
+                            'null' => true
+                        ),
+                        'rest_client_baseurl' => array(
+                            'level' => 1,
+                            'description' => __('If left empty, the baseurl of your MISP is used. However, in some instances (such as port-forwarded VM installations) this will not work. You can override the baseurl with a url through which your MISP can reach itself (typically https://127.0.0.1 would work).'),
+                            'value' => false,
+                            'errorMessage' => '',
+                            'test' => null,
+                            'type' => 'string',
+                        ),
                        'syslog' => array(
                            'level' => 0,
                            'description' => __('Enable this setting to pass all audit log entries directly to syslog. Keep in mind, this is verbose and will include user, organisation, event data.'),