mirror of https://github.com/MISP/MISP
chg: [security] Added setting to restrict the encoding of local feeds
- By adding local feeds, a malicious administrator could point MISP to ingest configuration files that the apache user has access to
- This includes some more sensitive files (database.php / config.php / .gnupg data)
- Whilst this is currently not leading to an exploitable vulnerability as the current implementation wouldn't trigger on the values, having a setting to disable this will become much more interesting once we have a system in place for custom feed parsers
- The setting can only be enabled/disabled via the CLI
- As reported by Matthias Weckbecker

pull/5746/head
parent
88331dad92
commit
30ff4b6451
|
@ -246,7 +246,7 @@ class FeedsController extends AppController
|
|||
$this->Flash->success($message);
|
||||
$this->redirect(array('controller' => 'feeds', 'action' => 'index'));
|
||||
} else {
|
||||
$message = __('Feed could not be added. Invalid field: %s', array_keys($this->Feed->validationErrors)[0]);
|
||||
$message = __('Feed could not be added. Reason: %s', json_encode($this->Feed->validationErrors));
|
||||
if ($this->_isRest()) {
|
||||
return $this->RestResponse->saveFailResponse('Feeds', 'add', false, $message, $this->response->type());
|
||||
}
|
||||
|
@ -345,7 +345,7 @@ class FeedsController extends AppController
|
|||
$this->Flash->success($message);
|
||||
$this->redirect(array('controller' => 'feeds', 'action' => 'index'));
|
||||
} else {
|
||||
$message = __('Feed could not be updated. Invalid fields: %s', implode(', ', array_keys($this->Feed->validationErrors)));
|
||||
$message = __('Feed could not be updated. Reason: %s', json_encode($this->Feed->validationErrors));
|
||||
if ($this->_isRest()) {
|
||||
return $this->RestResponse->saveFailResponse('Feeds', 'add', false, $message, $this->response->type());
|
||||
}
|
||||
|
|
|
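Review bot: The new line `$message = __('Feed could not be added. Reason: %s', json_encode($this->Feed->validationErrors));` drops the reason entirely when json_encode() fails, because a `false` return is formatted as an empty string, and the same message is presumably what the non-REST branch shows via Flash (that call is outside the hunk, as is the start of the add action). A small guard keeps the message meaningful, e.g. `$reason = json_encode($this->Feed->validationErrors) ?: __('unknown validation error');` followed by `$message = __('Feed could not be added. Reason: %s', $reason);`. The identical construct is in the second hunk of this file (the edit action). In that second hunk the unchanged context line `return $this->RestResponse->saveFailResponse('Feeds', 'add', false, $message, $this->response->type());` still reports the action as 'add' from within edit; not introduced by this commit, but worth a follow-up while the surrounding lines are being touched.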
@ -31,6 +31,10 @@ class Feed extends AppModel
|
|||
'event_id' => array(
|
||||
'rule' => array('numeric'),
|
||||
'message' => 'Please enter a numeric event ID or leave this field blank.',
|
||||
),
|
||||
'input_source' => array(
|
||||
'rule' => 'validateInputSource',
|
||||
'message' => ''
|
||||
)
|
||||
);
|
||||
|
||||
|
@ -47,6 +51,27 @@ class Feed extends AppModel
|
|||
)
|
||||
);
|
||||
|
||||
public function validateInputSource($fields)
|
||||
{
|
||||
if (!empty($this->data['Feed']['input_source'])) {
|
||||
$localAllowed = empty(Configure::read('Security.disable_local_feed_access'));
|
||||
$validOptions = array('network');
|
||||
if ($localAllowed) {
|
||||
$validOptions[] = 'local';
|
||||
}
|
||||
if (!in_array($this->data['Feed']['input_source'], $validOptions)) {
|
||||
return __(
|
||||
'Invalid input source. The only valid options are %s. %s',
|
||||
implode(', ', $validOptions),
|
||||
(!$localAllowed && $this->data['Feed']['input_source'] === 'local') ?
|
||||
__('Security.disable_local_feed_access is currently enabled, local feeds are thereby not allowed.') :
|
||||
''
|
||||
);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
public function urlOrExistingFilepath($fields)
|
||||
{
|
||||
if ($this->isFeedLocal($this->data)) {
|
||||
|
|
|
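Review bot: `in_array($this->data['Feed']['input_source'], $validOptions)` in validateInputSource compares loosely, so a non-string value such as a JSON `true` from a REST client satisfies the allow-list (it compares equal to 'network') and would presumably reach the save in a coerced form; the check should be strict: `if (!in_array($this->data['Feed']['input_source'], $validOptions, true)) {`. The enclosing `!empty(...)` guard also means the rule returns true whenever input_source is absent or falsy, so the policy is enforced only on requests that carry the field and existing local feeds are not retroactively rejected; if that is intended, a comment saying so would help, since otherwise a reader may assume the setting blocks all local feeds. The method ignores its `$fields` parameter and reads `$this->data` directly, which is worth stating in a docblock such as `/** Validation rule for input_source: rejects 'local' when Security.disable_local_feed_access is set. Reads $this->data, not $fields. */`. urlOrExistingFilepath begins at the end of this hunk and continues outside it.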
@ -1295,6 +1295,16 @@ class Server extends AppModel
|
|||
'type' => 'boolean',
|
||||
'null' => true
|
||||
),
|
||||
'disable_local_feed_access' => array(
|
||||
'level' => 0,
|
||||
'description' => __('Disabling this setting will allow the creation/modification of local feeds (as opposed to network feeds). Enabling this setting will restrict feed sources to be network based only. When disabled, keep in mind that a malicious site administrator could get access to any arbitrary file on the system that the apache user has access to. Make sure that proper safe-guards are in place. This setting can only be modified via the CLI.'),
|
||||
'value' => false,
|
||||
'errorMessage' => '',
|
||||
'test' => 'testBool',
|
||||
'type' => 'boolean',
|
||||
'null' => true,
|
||||
'cli_only' => 1
|
||||
),
|
||||
'allow_unsafe_apikey_named_param' => array(
|
||||
'level' => 0,
|
||||
'description' => __('Allows passing the API key via the named url parameter "apikey" - highly recommended not to enable this, but if you have some dodgy legacy tools that cannot pass the authorization header it can work as a workaround. Again, only use this as a last resort.'),
|
||||
|
|
|
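Review bot: The description of the new `disable_local_feed_access` entry opens with what disabling does, which reads backwards for a flag whose `'value' => false` is the default; leading with the enabling case states the risk of the default directly, e.g. `'description' => __('Enabling this setting restricts feed sources to network feeds only. When disabled (the default), local feeds can be created/modified, which lets a malicious site administrator read any file on the system that the apache user has access to. Make sure that proper safe-guards are in place. This setting can only be modified via the CLI.'),`. `'cli_only' => 1` sits next to boolean flags such as `'null' => true`; if the consumer of cli_only treats it as a boolean (I cannot see where it is read from this hunk), `'cli_only' => true` would be more consistent with the neighbouring keys.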
@ -2,10 +2,16 @@
|
|||
<?php echo $this->Form->create('Feed');?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('Add MISP Feed');?></legend>
|
||||
<p><?php echo __('Add a new MISP feed source.');?></p>
|
||||
<?php
|
||||
echo $this->Form->input('enabled', array());
|
||||
echo $this->Form->input('caching_enabled', array('label' => __('Caching enabled')));
|
||||
<?php
|
||||
if (!empty(Configure::read('Security.disable_local_feed_access'))) {
|
||||
echo sprintf(
|
||||
'<p class="red bold">%s</p>',
|
||||
__('Warning: local feeds are currently disabled by policy, to re-enable the feature, set the Security.allow_local_feed_access flag in the server settings. This setting can only be set via the CLI.')
|
||||
);
|
||||
}
|
||||
echo '<p>' . __('Add a new MISP feed source.') . '</p>';
|
||||
echo $this->Form->input('enabled', array());
|
||||
echo $this->Form->input('caching_enabled', array('label' => __('Caching enabled')));
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
|
@ -21,10 +27,14 @@
|
|||
'placeholder' => __('Name of the content provider'),
|
||||
'class' => 'form-control span6'
|
||||
));
|
||||
$options = array('network' => 'Network');
|
||||
if (empty(Configure::read('Security.disable_local_feed_access'))) {
|
||||
$options['local'] = 'Local';
|
||||
}
|
||||
echo $this->Form->input('input_source', array(
|
||||
'label' => __('Input Source'),
|
||||
'div' => 'input clear',
|
||||
'options' => array('network' => 'Network', 'local' => 'Local'),
|
||||
'options' => $options,
|
||||
'class' => 'form-control span6'
|
||||
));
|
||||
?>
|
||||
|
|
|
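Review bot: The warning string passed to `sprintf('<p class="red bold">%s</p>', __('Warning: local feeds are currently disabled by policy, to re-enable the feature, set the Security.allow_local_feed_access flag in the server settings. ...'))` names a setting that does not exist in this commit; the key added to the Server model is `Security.disable_local_feed_access`, and re-enabling means clearing it, so the text should read `__('Warning: local feeds are currently disabled by policy. To re-enable the feature, disable the Security.disable_local_feed_access setting in the server settings. This setting can only be set via the CLI.')`. The identical string appears in the edit.ctp section further down. Removing 'Local' from `$options` is only a UI convenience, and a comment above the options block such as `// 'local' is hidden here for UX only; the Feed model's validateInputSource rule enforces the policy` would stop a later reader from treating the view as the control. The same Configure::read() check is now duplicated in the model and both views; a small shared helper on the Feed model would keep the three in sync.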
@ -2,8 +2,14 @@
|
|||
<?php echo $this->Form->create('Feed');?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('Edit MISP Feed');?></legend>
|
||||
<p><?php echo __('Edit a new MISP feed source.');?></p>
|
||||
<?php
|
||||
<?php
|
||||
if (!empty(Configure::read('Security.disable_local_feed_access'))) {
|
||||
echo sprintf(
|
||||
'<p class="red bold">%s</p>',
|
||||
__('Warning: local feeds are currently disabled by policy, to re-enable the feature, set the Security.allow_local_feed_access flag in the server settings. This setting can only be set via the CLI.')
|
||||
);
|
||||
}
|
||||
echo '<p>' . __('Edit a new MISP feed source.') . '</p>';
|
||||
echo $this->Form->input('enabled', array(
|
||||
'type' => 'checkbox'
|
||||
));
|
||||
|
@ -26,9 +32,13 @@
|
|||
'placeholder' => __('Name of the content provider'),
|
||||
'class' => 'form-control span6'
|
||||
));
|
||||
$options = array('network' => 'Network');
|
||||
if (empty(Configure::read('Security.disable_local_feed_access'))) {
|
||||
$options['local'] = 'Local';
|
||||
}
|
||||
echo $this->Form->input('input_source', array(
|
||||
'div' => 'input clear',
|
||||
'options' => array('network' => 'Network', 'local' => 'Local'),
|
||||
'options' => $options,
|
||||
'class' => 'form-control span6'
|
||||
));
|
||||
?>
|
||||
|
|
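Review bot: The rewritten line `echo '<p>' . __('Edit a new MISP feed source.') . '</p>';` carries over wording that does not fit an edit form; since the line is already being rewritten, `echo '<p>' . __('Edit an existing MISP feed source.') . '</p>';` would read correctly. Changing a translatable string also affects existing translation catalogues, so the old key would need updating there as well.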