Merge pull request #7150 from JakubOnderka/force-https

new: [internal] Security setting force_https
pull/7156/head
Jakub Onderka 2021-03-04 10:44:33 +01:00 committed by GitHub
commit 6a5716b69b
3 changed files with 42 additions and 15 deletions


@ -94,26 +94,19 @@ class AppController extends Controller
public function beforeFilter() public function beforeFilter()
{ {
$this->_setupBaseurl(); $this->_setupBaseurl();
$this->Auth->loginRedirect = $this->baseurl. '/users/routeafterlogin'; $this->Auth->loginRedirect = $this->baseurl . '/users/routeafterlogin';
$customLogout = Configure::read('Plugin.CustomAuth_custom_logout'); $customLogout = Configure::read('Plugin.CustomAuth_custom_logout');
$this->Auth->logoutRedirect = $customLogout ?: ($this->baseurl . '/users/login'); $this->Auth->logoutRedirect = $customLogout ?: ($this->baseurl . '/users/login');
$this->__sessionMassage(); $this->__sessionMassage();
if (Configure::read('Security.allow_cors')) {
// Add CORS headers
$this->response->cors($this->request,
explode(',', Configure::read('Security.cors_origins')),
['*'],
['Origin', 'Content-Type', 'Authorization', 'Accept']);
if ($this->request->is('options')) { // If server is running behind reverse proxy, PHP will not recognize that user is accessing site by HTTPS connection.
// Stop here! // By setting `Security.force_https` to `true`, session cookie will be set as Secure and CSP headers will upgrade insecure requests.
// CORS only needs the headers if (Configure::read('Security.force_https')) {
$this->response->send(); $_SERVER['HTTPS'] = 'on';
$this->_stop();
}
} }
$this->__cors();
if (Configure::read('Security.check_sec_fetch_site_header')) { if (Configure::read('Security.check_sec_fetch_site_header')) {
$secFetchSite = $this->request->header('Sec-Fetch-Site'); $secFetchSite = $this->request->header('Sec-Fetch-Site');
if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) { if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
@ -740,6 +733,24 @@ class AppController extends Controller
$this->response->header($headerName, implode('; ', $header)); $this->response->header($headerName, implode('; ', $header));
} }
private function __cors()
{
if (Configure::read('Security.allow_cors')) {
// Add CORS headers
$this->response->cors($this->request,
explode(',', Configure::read('Security.cors_origins')),
['*'],
['Origin', 'Content-Type', 'Authorization', 'Accept']);
if ($this->request->is('options')) {
// Stop here!
// CORS only needs the headers
$this->response->send();
$this->_stop();
}
}
}
private function __rateLimitCheck() private function __rateLimitCheck()
{ {
$info = array(); $info = array();
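Review bot: In the first hunk of this file, `$_SERVER['HTTPS'] = 'on'` is assigned only after `_setupBaseurl()` and `__sessionMassage()` have run, so if either of them (or component initialisation that happens before beforeFilter) has already started the session, the cookie's Secure flag was decided before the override took effect; I cannot see those bodies from here, so please confirm, and if so move the `force_https` block to the very start of beforeFilter. The override is also unconditional — every request is treated as secure whether or not the proxy actually terminated TLS — and the block comment should say so, e.g. `// Only safe when this host is reachable exclusively through the HTTPS-terminating proxy; a plain-HTTP request would be treated as secure as well.` The `__cors()` extraction in the second hunk is a straight move and raises nothing new. beforeFilter continues past the end of the first hunk.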


@ -77,8 +77,15 @@ class SecurityAudit
'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP', 'https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP',
]; ];
} }
if (Configure::read('Security.disable_form_security')) { if (!env('HTTPS') && strpos(Configure::read('MISP.baseurl'), 'https://') === 0) {
$output['Browser'][] = ['error', __('Disabling form security is never a good idea.')]; $output['Browser'][] = [
'error',
__('MISP base URL is set to https://, but MISP things that the connection is insecure. This usually happens when server is running behind reverse proxy. By setting `Security.force_https` to `true`, session cookie will be set as Secure and CSP headers will upgrade insecure requests.'),
];
}
$sessionConfig = Configure::read('Session');
if (isset($sessionConfig['ini']['session.cookie_secure']) && !$sessionConfig['ini']['session.cookie_secure']) {
$output['Browser'][] = ['error', __('Setting session cookie is not secure is never good idea.')];
} }
if (empty(Configure::read('Security.advanced_authkeys'))) { if (empty(Configure::read('Security.advanced_authkeys'))) {
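Review bot: The new audit message contains a typo — `MISP things that the connection is insecure` should read `MISP thinks that the connection is insecure` — and the second new message reads better as `Setting the session cookie as not secure is never a good idea.`; both are `__()` translation keys, so they are worth fixing before they are extracted. The `session.cookie_secure` check only fires when the key is present and falsy; an absent key passes silently, which may be intended if the framework derives the default from `env('HTTPS')`, but a one-line comment stating that assumption would help the next reader. `strpos(Configure::read('MISP.baseurl'), 'https://')` is handed `null` when the base URL is unset, which emits a deprecation notice on PHP 8.1+; `strpos((string) Configure::read('MISP.baseurl'), 'https://') === 0` avoids it. The enclosing method starts before this hunk.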


@ -5701,6 +5701,15 @@ class Server extends AppModel
'type' => 'boolean', 'type' => 'boolean',
'null' => true, 'null' => true,
], ],
'force_https' => [
'level' => self::SETTING_OPTIONAL,
'description' => __('If enabled, MISP server will consider all requests as secure. This is usually useful when you run MISP behind reverse proxy that terminates HTTPS.'),
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true,
],
'email_otp_enabled' => array( 'email_otp_enabled' => array(
'level'=> 2, 'level'=> 2,
'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'), 'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),
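Review bot: The `force_https` description tells the operator what the flag does but not when it is unsafe, and since it causes every request to be treated as secure the wording should carry that caveat; I would extend it with `Only enable this when MISP is reachable exclusively through a proxy that terminates HTTPS, otherwise plain-HTTP requests will also be treated as secure.` The entry uses short array syntax while the neighbouring `email_otp_enabled` uses `array(`, which is fine but mixed within the same settings block; the surrounding definition continues on both sides of the hunk.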