From 5e12063620e9a1e996499c14c067a4a1fa662595 Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Wed, 1 Jul 2020 19:37:36 +0200
Subject: [PATCH 1/6] new: [security] Add new `Security.disable_browser_cache` option to disable saving data to browser cache

---
 app/Controller/AppController.php | 3 +++
 app/Controller/Component/RestResponseComponent.php | 3 +++
 app/Model/Server.php | 9 +++++++++
 3 files changed, 15 insertions(+)

diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 942ecf0ca..f2db1c2e8 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -139,6 +139,9 @@ class AppController extends Controller
                 $this->_stop();
             }
         }
+        if (Configure::read('Security.disable_browser_cache')) {
+            $this->response->disableCache();
+        }
         $this->response->header('X-XSS-Protection', '1; mode=block');
         if (!empty($this->params['named']['sql'])) {
diff --git a/app/Controller/Component/RestResponseComponent.php b/app/Controller/Component/RestResponseComponent.php
index 45d400492..7306b24aa 100644
--- a/app/Controller/Component/RestResponseComponent.php
+++ b/app/Controller/Component/RestResponseComponent.php
@@ -513,6 +513,9 @@ class RestResponseComponent extends Component
             $headers["Access-Control-Allow-Origin"] = explode(',', Configure::read('Security.cors_origins'));
             $headers["Access-Control-Expose-Headers"] = ["X-Result-Count"];
         }
+        if (Configure::read('Security.disable_browser_cache')) {
+            $cakeResponse->disableCache();
+        }
         if (!empty($this->headers)) {
             $cakeResponse->header($this->headers);
         }
diff --git a/app/Model/Server.php b/app/Model/Server.php
index 71bb120e3..a2318beb5 100644
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
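Review bot: `disableCache()` in the added block — and the same call in the RestResponseComponent hunk of this patch — emits, as far as I recall of CakePHP 2, `Expires`, `Last-Modified` and a `no-store, no-cache, must-revalidate` `Cache-Control`, but no `Pragma: no-cache`, so HTTP/1.0-only intermediaries and some older clients can still cache a generated page. If the option is meant as a firm guarantee, follow the call with `$this->response->header('Pragma', 'no-cache');` here and `$cakeResponse->header('Pragma', 'no-cache');` in the component. The block is placed after the `$this->_stop();` path visible above it, so any response finished by that earlier exit is not covered; the enclosing method continues outside the hunk.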
@@ -1297,6 +1297,15 @@ class Server extends AppModel
                     'type' => 'boolean',
                     'null' => true
                 ),
+                'disable_browser_cache' => array(
+                    'level' => 0,
+                    'description' => __('If enabled, HTTP headers that block browser cache will be send. Static files (like images or JavaScripts) will still be cached, but not generated pages.'),
+                    'value' => false,
+                    'errorMessage' => '',
+                    'test' => 'testBool',
+                    'type' => 'boolean',
+                    'null' => true,
+                ),
                 'email_otp_enabled' => array(
                     'level'=> 2,
                     'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),
From 63ae5c16e05a2867d27d84f9120637140009a0d2 Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Sun, 18 Oct 2020 19:42:36 +0200
Subject: [PATCH 2/6] new: [security] New setting to check `Sec-Fetch-Site` header

---
 app/Controller/AppController.php | 6 ++++++
 app/Model/Server.php | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index f2db1c2e8..64c4d9eae 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -139,6 +139,12 @@ class AppController extends Controller
                 $this->_stop();
             }
         }
+        if (Configure::read('Security.check_sec_fetch_site_header')) {
+            $secFetchSite = $this->request->header('Sec-Fetch-Site');
+            if ($secFetchSite !== false && $secFetchSite !== 'same-origin' && ($this->request->is('post') || $this->request->is('put') || $this->request->is('ajax'))) {
+                throw new MethodNotAllowedException("POST, PUT and AJAX requests are allowed just from same origin.");
+            }
+        }
         if (Configure::read('Security.disable_browser_cache')) {
             $this->response->disableCache();
         }
diff --git a/app/Model/Server.php b/app/Model/Server.php
index a2318beb5..bcda931dd 100644
--- a/app/Model/Server.php
+++ b/app/Model/Server.php
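Review bot: The `description` string of the new `disable_browser_cache` entry is user-facing and has a grammar slip: `will be send` should read `will be sent`, and `JavaScripts` reads better as `JavaScript files`. Because the string is wrapped in `__()`, fixing it before it ships avoids churning translations later. Suggested text: `If enabled, HTTP headers that block browser cache will be sent. Static files (like images or JavaScript files) will still be cached, but not generated pages.`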
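Review bot: The guard lets through every request that omits the header (`$secFetchSite !== false`), so it only takes effect for browsers that send Fetch Metadata and has to stay a supplement to the existing CSRF protection rather than a replacement; a one-line comment above the `if` stating exactly that would keep a later reader from treating it as the CSRF check. The method list also leaves DELETE and PATCH unguarded although the same cross-origin concern applies to them, so `$this->request->is('delete')` and `$this->request->is('patch')` belong in the condition. Rejecting a cross-origin request is an authorization failure, not an unsupported method, so `ForbiddenException` (403) fits better than `MethodNotAllowedException` (405), which by convention also advertises the allowed methods; the message would read better as `"POST, PUT and AJAX requests are only allowed from the same origin."`. The enclosing method (presumably `beforeFilter`) continues outside the hunk.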
@@ -1306,6 +1306,15 @@ class Server extends AppModel
                     'type' => 'boolean',
                     'null' => true,
                 ),
+                'check_sec_fetch_site_header' => [
+                    'level' => 0,
+                    'description' => __('If enabled, any POST, PUT or AJAX request will be allow just when Sec-Fetch-Site header is not defined or contains "same-origin".'),
+                    'value' => false,
+                    'errorMessage' => '',
+                    'test' => 'testBool',
+                    'type' => 'boolean',
+                    'null' => true,
+                ],
                 'email_otp_enabled' => array(
                     'level'=> 2,
                     'description' => __('Enable two step authentication with a OTP sent by email. Requires e-mailing to be enabled. Warning: You cannot use it in combination with external authentication plugins.'),
From d56fe702ebb9558eda47c86857fe883a29213fd1 Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Tue, 24 Nov 2020 17:23:09 +0100
Subject: [PATCH 3/6] fix: [internal] Redis unlink method for old Redis versions

---
 app/Model/Warninglist.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/Model/Warninglist.php b/app/Model/Warninglist.php
index 3cfd99b50..ab98bbb5a 100644
--- a/app/Model/Warninglist.php
+++ b/app/Model/Warninglist.php
@@ -279,8 +279,10 @@ class Warninglist extends AppModel
             return false;
         }
 
-        if (method_exists($redis, 'unlink')) {
-            // Delete attributes cache non blocking way if available
+        // Unlink is non blocking way how to delete keys from Redis, but it must be supported by PHP extension and
+        // Redis itself
+        $unlinkSupported = method_exists($redis, 'unlink') && $redis->unlink(null) !== false;
+        if ($unlinkSupported) {
             $redis->unlink($redis->keys('misp:wlc:*'));
         } else {
             $redis->del($redis->keys('misp:wlc:*'));
From 3023a4bf665fd8f84faa91bb51ad0c341fa13827 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 24 Nov 2020 19:05:29 +0100
Subject: [PATCH 4/6] chg: [PyMISP] Bump version

---
 PyMISP | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PyMISP b/PyMISP
index 872005d0e..7b08cfcad 160000
--- a/PyMISP
+++ b/PyMISP
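Review bot: The new `check_sec_fetch_site_header` entry uses short array syntax `[` … `]` while its neighbours in the same table — including `disable_browser_cache`, added just above it earlier in this series — use `array(`; either form works, but mixing them inside one settings table is a style inconsistency worth settling in the same commit. The `description` string is also user-facing and reads `will be allow just when`; suggested wording: `If enabled, any POST, PUT or AJAX request will be allowed only when the Sec-Fetch-Site header is absent or contains "same-origin".`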
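Review bot: The probe `$redis->unlink(null) !== false` costs an extra round trip on every call, and it only yields `false` on an old server when the phpredis client is not configured to throw on command errors; with newer phpredis/PHP builds the `null` argument itself may be rejected (TypeError or deprecation notice) instead of being tolerated, so the feature test is fragile. Compute the answer once per process instead — a `static $unlinkSupported = null;` at the top of the method, filled on first use with the same expression — or decide from `$redis->info('server')['redis_version']` against `4.0.0`, the release that introduced UNLINK, and drop the probe. The enclosing method continues outside the hunk.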
@@ -1 +1 @@
-Subproject commit 872005d0eb940fd5c3d9790cb33329e261d957ac
+Subproject commit 7b08cfcade8d2fa0001a3316b958f3cd197734a9
From 54efe760a4b9d5bd3dc71ab726a442f246f87fca Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Tue, 24 Nov 2020 19:01:25 +0100
Subject: [PATCH 5/6] chg: [internal] Better exception description for PGP key validation

---
 app/Lib/Tools/CryptGpgExtended.php | 2 ++
 app/Lib/Tools/GpgTool.php | 3 ---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/app/Lib/Tools/CryptGpgExtended.php b/app/Lib/Tools/CryptGpgExtended.php
index c8b27478d..15ba96c9c 100644
--- a/app/Lib/Tools/CryptGpgExtended.php
+++ b/app/Lib/Tools/CryptGpgExtended.php
@@ -134,6 +134,8 @@ class CryptGpgExtended extends Crypt_GPG
         // add last key
         if ($key !== null) {
             $keys[] = $key;
+        } else {
+            throw new Crypt_GPG_Exception("Key data provided, but gpg process output could not be parsed: $output");
         }
 
         return $keys;
diff --git a/app/Lib/Tools/GpgTool.php b/app/Lib/Tools/GpgTool.php
index 38b305199..009ef03ca 100644
--- a/app/Lib/Tools/GpgTool.php
+++ b/app/Lib/Tools/GpgTool.php
@@ -95,9 +95,6 @@ class GpgTool
             throw new InvalidArgumentException("Valid CryptGpgExtended instance required.");
         }
         $fetchedKeyInfo = $this->gpg->keyInfo($keyData);
-        if (empty($fetchedKeyInfo)) {
-            throw new Exception("No key found");
-        }
         if (count($fetchedKeyInfo) !== 1) {
             throw new Exception("Multiple keys found");
         }
From 58af2a800651404690095c85b69b1c460dba1bdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 24 Nov 2020 20:03:55 +0100
Subject: [PATCH 6/6] chg: [PyMISP] Bump version, again

---
 PyMISP | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/PyMISP b/PyMISP
index 7b08cfcad..ded44278a 160000
--- a/PyMISP
+++ b/PyMISP
@@ -1 +1 @@
-Subproject commit 7b08cfcade8d2fa0001a3316b958f3cd197734a9
+Subproject commit ded44278af8f427577f27c4c8293f7e8723148c4
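Review bot: The new exception message interpolates the whole gpg `$output`; depending on what was fed to gpg that can be long and it travels wherever the exception is surfaced (logs, error pages), and since this series removes the `"No key found"` check in `GpgTool`, this message is now the one callers see for that case. Keep the message short and, if the raw output is useful for debugging, log it separately: `throw new Crypt_GPG_Exception('Key data provided, but gpg process output could not be parsed.');`. The wording also asserts that key data was provided, which nothing in this hunk checks, so for an empty input the message would mislead unless an earlier guard exists; the enclosing method starts outside the hunk.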