mirror of https://github.com/MISP/MISP
Security fix and new download attachment feature
- users can now download attachments using the APIkey - security issue fixed where a user could download attachments that he/she can't even see by navigating to attributes/download/<attribute_id>pull/217/head
parent
6d1dc6df95
commit
8e75f0826f
|
@ -24,6 +24,7 @@ class AttributesController extends AppController {
|
||||||
|
|
||||||
$this->Auth->allow('restSearch');
|
$this->Auth->allow('restSearch');
|
||||||
$this->Auth->allow('returnAttributes');
|
$this->Auth->allow('returnAttributes');
|
||||||
|
$this->Auth->allow('downloadAttachment');
|
||||||
|
|
||||||
// permit reuse of CSRF tokens on the search page.
|
// permit reuse of CSRF tokens on the search page.
|
||||||
if ('search' == $this->request->params['action']) {
|
if ('search' == $this->request->params['action']) {
|
||||||
|
@ -249,17 +250,28 @@ class AttributesController extends AppController {
|
||||||
if (!$this->Attribute->exists()) {
|
if (!$this->Attribute->exists()) {
|
||||||
throw new NotFoundException(__('Invalid attribute'));
|
throw new NotFoundException(__('Invalid attribute'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->Attribute->read();
|
$this->Attribute->read();
|
||||||
$path = "files" . DS . $this->Attribute->data['Attribute']['event_id'] . DS;
|
if (!$this->_isSiteAdmin() &&
|
||||||
$file = $this->Attribute->data['Attribute']['id'];
|
$this->Auth->user('org') !=
|
||||||
|
$this->Attribute->data['Event']['org'] &&
|
||||||
|
($this->Attribute->data['Event']['distribution'] == 0 ||
|
||||||
|
$this->Attribute->data['Attribute']['distribution'] == 0
|
||||||
|
)) {
|
||||||
|
throw new UnauthorizedException('You do not have the permission to view this event.');
|
||||||
|
}
|
||||||
|
$this->__downloadAttachment($this->Attribute->data['Attribute']);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function __downloadAttachment($attribute) {
|
||||||
|
$path = "files" . DS . $attribute['event_id'] . DS;
|
||||||
|
$file = $attribute['id'];
|
||||||
$filename = '';
|
$filename = '';
|
||||||
if ('attachment' == $this->Attribute->data['Attribute']['type']) {
|
if ('attachment' == $attribute['type']) {
|
||||||
$filename = $this->Attribute->data['Attribute']['value'];
|
$filename = $attribute['value'];
|
||||||
$fileExt = pathinfo($filename, PATHINFO_EXTENSION);
|
$fileExt = pathinfo($filename, PATHINFO_EXTENSION);
|
||||||
$filename = substr($filename, 0, strlen($filename) - strlen($fileExt) - 1);
|
$filename = substr($filename, 0, strlen($filename) - strlen($fileExt) - 1);
|
||||||
} elseif ('malware-sample' == $this->Attribute->data['Attribute']['type']) {
|
} elseif ('malware-sample' == $attribute['type']) {
|
||||||
$filenameHash = explode('|', $this->Attribute->data['Attribute']['value']);
|
$filenameHash = explode('|', $attribute['value']);
|
||||||
$filename = $filenameHash[0];
|
$filename = $filenameHash[0];
|
||||||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
|
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
|
||||||
$fileExt = "zip";
|
$fileExt = "zip";
|
||||||
|
@ -1126,6 +1138,8 @@ class AttributesController extends AppController {
|
||||||
// The signature flag is off by default, enabling it will only return attribugtes that have the to_ids flag set to true.
|
// The signature flag is off by default, enabling it will only return attribugtes that have the to_ids flag set to true.
|
||||||
public function returnAttributes($key, $id, $type = null, $sigOnly = false) {
|
public function returnAttributes($key, $id, $type = null, $sigOnly = false) {
|
||||||
$user = $this->checkAuthUser($key);
|
$user = $this->checkAuthUser($key);
|
||||||
|
// if the user is authorised to use the api key then user will be populated with the user's account
|
||||||
|
// in addition we also set a flag indicating whether the user is a site admin or not.
|
||||||
if (!$user) {
|
if (!$user) {
|
||||||
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||||
}
|
}
|
||||||
|
@ -1199,9 +1213,24 @@ class AttributesController extends AppController {
|
||||||
// If after all of this $contained is still true, let's add the attribute to the array
|
// If after all of this $contained is still true, let's add the attribute to the array
|
||||||
if ($contained) $attributes[] = $attribute;
|
if ($contained) $attributes[] = $attribute;
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->set('results', $attributes);
|
$this->set('results', $attributes);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function downloadAttachment($key, $id) {
|
||||||
|
$user = $this->checkAuthUser($key);
|
||||||
|
// if the user is authorised to use the api key then user will be populated with the user's account
|
||||||
|
// in addition we also set a flag indicating whether the user is a site admin or not.
|
||||||
|
if (!$user) {
|
||||||
|
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||||
|
}
|
||||||
|
$this->Attribute->read(null, $id);
|
||||||
|
if (!$user['User']['siteAdmin'] &&
|
||||||
|
$user['User']['org'] != $this->Attribute->data['Event']['org'] &&
|
||||||
|
($this->Attribute->data['Event']['distribution'] == 0 ||
|
||||||
|
$this->Attribute->data['Attribute']['distribution'] == 0
|
||||||
|
)) {
|
||||||
|
throw new UnauthorizedException('You do not have the permission to view this event.');
|
||||||
|
}
|
||||||
|
$this->__downloadAttachment($this->Attribute->data['Attribute']);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue