MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

new: [internal] Security setting force_https

pull/7150/head
Jakub Onderka 2021-03-03 20:06:25 +01:00
parent e394cfbe66
commit 2a8ba9020f
3 changed files with 42 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
app/Controller/AppController.php
View File

@ -94,26 +94,19 @@ class AppController extends Controller
public function beforeFilter()
{
$this->_setupBaseurl();
$this->Auth->loginRedirect = $this->baseurl. '/users/routeafterlogin';
$this->Auth->loginRedirect = $this->baseurl . '/users/routeafterlogin';
$customLogout = Configure::read('Plugin.CustomAuth_custom_logout');
$this->Auth->logoutRedirect = $customLogout ?: ($this->baseurl . '/users/login');
$this->__sessionMassage();
if (Configure::read('Security.allow_cors')) {
// Add CORS headers
$this->response->cors($this->request,
explode(',', Configure::read('Security.cors_origins')),
['*'],
['Origin', 'Content-Type', 'Authorization', 'Accept']);
if ($this->request->is('options')) {
// Stop here!
// CORS only needs the headers
$this->response->send();
$this->_stop();
}
// If server is running behind reverse proxy, PHP will not recognize that user is accessing site by HTTPS connection.
// By setting `Security.force_https` to `true`, session cookie will be set as Secure and CSP headers will upgrade insecure requests.
if (Configure::read('Security.force_https')) {
$_SERVER['HTTPS'] = 'on';
}
$this->__cors();
if (Configure::read('Security.check_sec_fetch_site_header')) {
$secFetchSite = $this->request->header('Sec-Fetch-Site');
if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
@ -740,6 +733,24 @@ class AppController extends Controller
$this->response->header($header, implode('; ', $header));
}
private function __cors()
{
if (Configure::read('Security.allow_cors')) {
// Add CORS headers
$this->response->cors($this->request,
explode(',', Configure::read('Security.cors_origins')),
['*'],
['Origin', 'Content-Type', 'Authorization', 'Accept']);
if ($this->request->is('options')) {
// Stop here!
// CORS only needs the headers
$this->response->send();
$this->_stop();
}
}
}
private function __rateLimitCheck()
{
$info = array();

11
app/Lib/Tools/SecurityAudit.php
View File

@ -77,8 +77,15 @@ class SecurityAudit
'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
];
}
if (Configure::read('Security.disable_form_security')) {
$output['Browser'][] = ['error', __('Disabling form security is never a good idea.')];
if (!env('HTTPS') && strpos(Configure::read('MISP.baseurl'), 'https://') === 0) {
$output['Browser'][] = [
'error',
__('MISP base URL is set to https://, but MISP things that the connection is insecure. This usually happens when server is running behind reverse proxy. By setting `Security.force_https` to `true`, session cookie will be set as Secure and CSP headers will upgrade insecure requests.'),
];
}
$sessionConfig = Configure::read('Session');
if (isset($sessionConfig['ini']['session.cookie_secure']) && !$sessionConfig['ini']['session.cookie_secure']) {
$output['Browser'][] = ['error', __('Setting session cookie is not secure is never good idea.')];
}
if (empty(Configure::read('Security.advanced_authkeys'))) {

9
app/Model/Server.php
View File

@ -5693,6 +5693,15 @@ class Server extends AppModel
'type' => 'boolean',
'null' => true,
],
'force_https' => [
'level' => self::SETTING_OPTIONAL,
'description' => __('If enabled, MISP server will consider all requests as secure. This is usually useful when you run MISP behind reverse proxy that terminates HTTPS.'),
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true,
],
'email_otp_enabled' => array(
'level'=> 2,
'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),