chg: [internal] Do not modify session when not necessary

pull/7986/head
Jakub Onderka 2021-11-23 14:53:27 +01:00
parent e6e716971a
commit b100377a73
35 changed files with 107 additions and 55 deletions


@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
class AllowedlistsController extends AppController
{
public $components = array(
'Security',
'AdminCrud'
);


@ -22,6 +22,7 @@ App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');
* @property CompressedRequestHandlerComponent $CompressedRequestHandler
* @property DeprecationComponent $Deprecation
* @property RestSearchComponent $RestSearch
* @property BetterSecurityComponent $Security
*/
class AppController extends Controller
{
@ -81,7 +82,9 @@ class AppController extends Controller
)
)
),
'Security',
'Security' => [
'className' => 'BetterSecurity',
],
'ACL',
'CompressedRequestHandler',
'RestResponse',
@ -217,6 +220,7 @@ class AppController extends Controller
// Throw exception if JSON in request is invalid. Default CakePHP behaviour would just ignore that error.
$this->RequestHandler->addInputType('json', [$jsonDecode]);
$this->Security->unlockedActions = array($this->request->action);
$this->Security->doNotGenerateToken = true;
}
if (
@ -230,9 +234,7 @@ class AppController extends Controller
// REST authentication
if ($this->_isRest() || $this->_isAutomation()) {
// disable CSRF for REST access
if (isset($this->components['Security'])) {
$this->Security->csrfCheck = false;
}
$this->Security->csrfCheck = false;
if ($this->__loginByAuthKey() === false || $this->Auth->user() === null) {
if ($this->__loginByAuthKey() === null) {
$this->loadModel('Log');
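Review bot: The `Security` entry at L34-L36 only takes effect if no child controller re-declares a bare `'Security'` in its own `$components`; a bare entry presumably normalises to `'Security' => null` and would replace the parent's `className` setting during component merging, so the `doNotGenerateToken` assignment at L44 and any later one would then land on the stock SecurityComponent as an undeclared property and be silently ignored. This commit strips that entry from many controllers, but nothing enforces it for controllers added later, so a comment next to L34 would help: `// Aliased to BetterSecurity; child controllers must not list 'Security' again or this override is lost.` The branch at L43-L44 also deserves a why-comment, e.g. `// REST/automation responses never render a form, so skip CSRF token generation and keep the session untouched.`; the condition it belongs to starts outside the hunk, so I cannot confirm it covers only non-form requests. Dropping the `isset` guard at L51-L53 is fine as long as the assumption above holds.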


@ -9,7 +9,7 @@ App::uses('AttachmentTool', 'Tools');
*/
class AttributesController extends AppController
{
public $components = array('Security', 'RequestHandler');
public $components = array('RequestHandler');
public $paginate = [
'limit' => 60,
@ -47,9 +47,8 @@ class AttributesController extends AppController
$this->Security->unlockedActions[] = 'getMassEditForm';
$this->Security->unlockedActions[] = 'search';
if ($this->request->action === 'add_attachment') {
$this->Security->disabledFields = array('values');
$this->Security->unlockedFields = array('values');
}
$this->Security->validatePost = true;
// convert uuid to id if present in the url and overwrite id field
if (isset($this->request->params->query['uuid'])) {
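Review bot: The rename at L74 changes more than the property name: `unlockedFields = array('values')` overwrites the whole array, whereas the old `disabledFields` assignment left `unlockedFields` alone, so any entry set earlier in `AppController::beforeFilter` (outside this hunk, if one exists) is now discarded for `add_attachment`. The surrounding code appends to `unlockedActions` with `[]` at L70-L71; doing the same here keeps the two consistent and avoids the clobber: `$this->Security->unlockedFields[] = 'values';`. Note that since BetterSecurityComponent folds `unlockedFields` into the session token, whatever ends up in this array is exempt from form-tampering validation, so it is worth being precise about it.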


@ -8,7 +8,6 @@ App::uses('AuditLog', 'Model');
class AuditLogsController extends AppController
{
public $components = [
'Security',
'RequestHandler',
];


@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
class AuthKeysController extends AppController
{
public $components = array(
'Security',
'CRUD',
'RequestHandler'
);


@ -0,0 +1,61 @@
<?php
App::uses('SecurityComponent', 'Controller/Component');
/**
* @property SessionComponent $Session
*/
class BetterSecurityComponent extends SecurityComponent
{
/**
* Do not generate CSRF token. This make sense for REST calls and for calls that do not use tokens. So session
* will not be big with csrfLimit (by default 100) of token.
* @var bool
*/
public $doNotGenerateToken = false;
public function generateToken(CakeRequest $request)
{
if (isset($request->params['requested']) && $request->params['requested'] === 1) {
if ($this->Session->check('_Token')) {
$request->params['_Token'] = $this->Session->read('_Token');
}
return false;
}
if ($this->doNotGenerateToken) {
return true;
}
// No need to hash random data
$authKey = bin2hex(Security::randomBytes(16));
$token = array(
'key' => $authKey,
'allowedControllers' => $this->allowedControllers,
'allowedActions' => $this->allowedActions,
'unlockedFields' => array_merge($this->disabledFields, $this->unlockedFields),
'csrfTokens' => array(),
);
if ($this->Session->check('_Token')) {
$tokenData = $this->Session->read('_Token');
if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) {
$token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
}
}
if ($this->csrfUseOnce || empty($token['csrfTokens'])) {
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
if (!$this->csrfUseOnce) {
$csrfTokens = array_keys($token['csrfTokens']);
$authKey = $csrfTokens[0];
$token['key'] = $authKey;
$token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
}
$this->Session->write('_Token', $token);
$request->params['_Token'] = array(
'key' => $token['key'],
'unlockedFields' => $token['unlockedFields'],
);
return true;
}
}
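Review bot: `generateToken` at L117 has no docblock, and the early return at L125-L127 has a consequence worth stating: unlike the normal path (L153-L156), it leaves `$request->params['_Token']` unset and also skips the `_expireTokens` pruning at L140, so a request that takes this path must not render a FormHelper form, or the resulting form would be submitted without a token and presumably blackholed. I would add, above L117, a docblock saying that the method mirrors the parent implementation but (a) returns early without touching the session when `doNotGenerateToken` is set and (b) uses the raw 128-bit random value as the key instead of hashing it, and note the "no form may be rendered on this path" caveat. The property comment at L112-L113 could also read more clearly: `Skip CSRF token generation. Useful for REST calls and for actions that never render a form, so the session does not fill up with csrfLimit (100 by default) tokens.` The `bin2hex(Security::randomBytes(16))` key itself is fine: 128 bits from the CSPRNG, no need for the extra hash.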


@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
class CorrelationExclusionsController extends AppController
{
public $components = array(
'Security',
'CRUD',
'RequestHandler'
);


@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
*/
class CorrelationsController extends AppController
{
public $components = array('Security', 'RequestHandler');
public $components = array('RequestHandler');
public function top()
{


@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
class DecayingModelController extends AppController
{
public $components = array('Security' ,'RequestHandler');
public $components = array('RequestHandler');
public $paginate = array(
'limit' => 50,


@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
class DecayingModelMappingController extends AppController
{
public $components = array('Security' ,'RequestHandler');
public $components = array('RequestHandler');
public $paginate = array(
'limit' => 50,


@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
class EventGraphController extends AppController
{
public $components = array(
'Security',
'RequestHandler'
);


@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
class EventReportsController extends AppController
{
public $components = array(
'Security',
'AdminCrud',
'RequestHandler'
);


@ -9,10 +9,8 @@ App::uses('Xml', 'Utility');
class EventsController extends AppController
{
public $components = array(
'Security',
'Email',
'RequestHandler',
'IOCImport',
'RequestHandler',
'IOCImport',
);
public $paginate = array(
@ -102,6 +100,10 @@ class EventsController extends AppController
}
$this->paginate = Set::merge($this->paginate, array('conditions' => $conditions));
}
if ($this->request->action === 'checkLocks') {
$this->Security->doNotGenerateToken = true;
}
}
/**
@ -4444,21 +4446,21 @@ class EventsController extends AppController
return new CakeResponse(array('body' => json_encode($json), 'status' => 200, 'type' => 'json'));
}
private function genDistributionGraph($id, $type = 'event', $extended = 0)
private function genDistributionGraph($id, $type = 'event', $extended = 0, $user = null)
{
$validTools = array('event');
if (!in_array($type, $validTools)) {
throw new MethodNotAllowedException(__('Invalid type.'));
}
App::uses('DistributionGraphTool', 'Tools');
$grapher = new DistributionGraphTool();
$this->loadModel('Server');
$servers = $this->Server->find('column', array(
'fields' => array('Server.name'),
));
$grapher->construct($this->Event, $servers, $this->Auth->user(), $extended);
App::uses('DistributionGraphTool', 'Tools');
$user = $user ?: $this->Auth->user();
$grapher = new DistributionGraphTool($this->Event, $servers, $user, $extended);
$json = $grapher->get_distributions_graph($id);
array_walk_recursive($json, function (&$item, $key) {
@ -4500,8 +4502,12 @@ class EventsController extends AppController
public function getDistributionGraph($id, $type = 'event')
{
// Close session without writing changes to them.
$user = $this->Auth->user();
session_abort();
$extended = isset($this->params['named']['extended']) ? 1 : 0;
$json = $this->genDistributionGraph($id, $type, $extended);
$json = $this->genDistributionGraph($id, $type, $extended, $user);
return $this->RestResponse->viewData($json, 'json');
}
@ -5440,17 +5446,20 @@ class EventsController extends AppController
public function checkLocks($id, $timestamp)
{
// Close session without writing changes to them.
$user = $this->Auth->user();
session_abort();
$event = $this->Event->find('first', array(
'recursive' => -1,
'conditions' => ['Event.id' => $id],
'fields' => ['Event.orgc_id', 'Event.timestamp'],
));
// Return empty response if event not found or user org is not owner
if (empty($event) || ($event['Event']['orgc_id'] != $this->Auth->user('org_id') && !$this->_isSiteAdmin())) {
if (empty($event) || ($event['Event']['orgc_id'] != $user['org_id'] && !$this->_isSiteAdmin())) {
return new CakeResponse(['status' => 204]);
}
$user = $this->Auth->user();
$this->loadModel('EventLock');
$locks = $this->EventLock->checkLock($user, $id);
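Review bot: In `checkLocks`, `$this->_isSiteAdmin()` at L293 still runs after `session_abort()` at L285; if that helper reads through `$this->Auth->user()` rather than a value cached in `beforeFilter` (its body is outside this diff), it would reopen the session, which is exactly what hoisting `$user` on L284 is meant to avoid. Reading it first is cheap and removes the doubt: `$isSiteAdmin = $this->_isSiteAdmin();` before L285, and `... != $user['org_id'] && !$isSiteAdmin)` on L293. Also, `$user['org_id']` presumes an authenticated user; the old `$this->Auth->user('org_id')` returned null quietly, whereas indexing a null `$user` now emits a warning, so either confirm `beforeFilter` guarantees a user here or return the 204 when `$user` is empty. The same pattern in `getDistributionGraph` (L273-L277) looks right, since `genDistributionGraph` only falls back to `Auth->user()` when no user is passed.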


@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
class FeedsController extends AppController
{
public $components = array(
'Security',
'CRUD',
'RequestHandler'
); // XXX ACL component


@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
*/
class JobsController extends AppController
{
public $components = array('Security', 'RequestHandler', 'Session');
public $components = array('RequestHandler', 'Session');
public $paginate = array(
'limit' => 20,


@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
class LogsController extends AppController
{
public $components = array(
'Security',
'RequestHandler',
'AdminCrud' => array(
'crud' => array('index')


@ -3,7 +3,6 @@ App::uses('AppController', 'Controller');
class ModulesController extends AppController
{
public $components = array(
'Security',
'RequestHandler'
);


@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
*/
class ObjectReferencesController extends AppController
{
public $components = array('Security' ,'RequestHandler', 'Session');
public $components = array('RequestHandler', 'Session');
public $paginate = array(
'limit' => 20,


@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
class ObjectTemplateElementsController extends AppController
{
public $components = array('Security' ,'RequestHandler', 'Session');
public $components = array('RequestHandler', 'Session');
public $paginate = array(
'limit' => 60,


@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
*/
class ObjectTemplatesController extends AppController
{
public $components = array('Security' ,'RequestHandler', 'Session');
public $components = array('RequestHandler', 'Session');
public $paginate = array(
'limit' => 60,


@ -10,7 +10,7 @@ class ObjectsController extends AppController
{
public $uses = 'MispObject';
public $components = array('Security' ,'RequestHandler', 'Session');
public $components = array('RequestHandler', 'Session');
public $paginate = array(
'limit' => 20,


@ -9,7 +9,6 @@ App::uses('AppController', 'Controller');
class PostsController extends AppController
{
public $components = array(
'Security',
'Session',
'RequestHandler'
);


@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
class RegexpController extends AppController
{
public $components = array('Security', 'RequestHandler', 'AdminCrud');
public $components = array('RequestHandler', 'AdminCrud');
public $paginate = array(
'limit' => 60,


@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
class RestClientHistoryController extends AppController
{
public $components = array(
'Security',
'AdminCrud',
'RequestHandler'
);


@ -10,7 +10,6 @@ App::uses('AppController', 'Controller');
class RolesController extends AppController
{
public $components = array(
'Security',
'Session',
'RequestHandler'
);


@ -9,7 +9,7 @@ App::uses('SecurityAudit', 'Tools');
*/
class ServersController extends AppController
{
public $components = array('Security' ,'RequestHandler'); // XXX ACL component
public $components = array('RequestHandler'); // XXX ACL component
public $paginate = array(
'limit' => 60,


@ -9,7 +9,7 @@ App::uses('AttachmentTool', 'Tools');
*/
class ShadowAttributesController extends AppController
{
public $components = array('Acl', 'Security', 'RequestHandler', 'Email');
public $components = array('RequestHandler');
public $paginate = array(
'limit' => 60,
@ -20,7 +20,6 @@ class ShadowAttributesController extends AppController
{
parent::beforeFilter();
$this->set('title_for_layout', 'Proposals');
$this->Security->validatePost = true;
// convert uuid to id if present in the url, and overwrite id field
if (isset($this->params->query['uuid'])) {
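Review bot: Removing `$this->Security->validatePost = true;` at L453 is only a no-op if nothing upstream sets `validatePost` to false; `AppController::beforeFilter` is not fully visible here, and AttributesController keeps the identical line in this same commit (its L76), so either that override is still needed and should stay here too, or it is dead in both places and should be removed from both. Until that is settled I would keep the line, since losing it silently would drop form-tampering validation for proposal POSTs. The `Acl` and `Email` components dropped at L445-L446 are presumably unused, but any `$this->Acl` or `$this->Email` reference in the rest of the controller (outside the hunk) would now be a fatal, so worth a grep before merging.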


@ -8,7 +8,6 @@ App::uses('AppController', 'Controller');
class TagCollectionsController extends AppController
{
public $components = array(
'Security',
'AdminCrud',
'RequestHandler'
);


@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
*/
class TagsController extends AppController
{
public $components = array('Security' ,'RequestHandler');
public $components = array('RequestHandler');
public $paginate = array(
'limit' => 50,


@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
class TasksController extends AppController
{
public $components = array('Security' ,'RequestHandler', 'Session');
public $components = array('RequestHandler', 'Session');
public $paginate = array(
'limit' => 20,


@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
class TemplateElementsController extends AppController
{
public $components = array('Security' ,'RequestHandler');
public $components = array('RequestHandler');
public $paginate = array(
'limit' => 50,


@ -6,7 +6,7 @@ App::uses('File', 'Utility');
class TemplatesController extends AppController
{
public $components = array('Security' ,'RequestHandler', 'CRUD');
public $components = array('RequestHandler', 'CRUD');
public $paginate = array(
'limit' => 50,


@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
class ThreadsController extends AppController
{
public $components = array(
'Security',
'RequestHandler',
'Session',
);


@ -9,9 +9,7 @@ class UsersController extends AppController
public $newkey;
public $components = array(
'Security',
'Email',
'RequestHandler'
'RequestHandler'
);
public $paginate = array(


@ -11,7 +11,7 @@ class DistributionGraphTool
/** @var array */
private $__serverList;
public function construct(Event $eventModel, array $servers, array $user, $extended_view=0)
public function __construct(Event $eventModel, array $servers, array $user, $extended_view=0)
{
$this->__eventModel = $eventModel;
$this->__serverList = $servers;
@ -33,8 +33,6 @@ class DistributionGraphTool
];
}
$this->__json['distributionInfo'][5] = ""; // inherit event. Will be deleted afterward
return true;
}
private function __fetchAndAddDistributionInfo($elem)
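Review bot: The new `__construct` at L538 types three parameters but leaves `$extended_view=0` untyped and in a different naming style from its neighbours; `int $extended_view = 0` would make the contract explicit and match the rest of the signature. Since `construct()` is removed rather than kept as a deprecated wrapper, any remaining call site outside this diff (EventsController's is updated at L266) would now fatal on an undefined method, so a repository-wide search for `->construct(` is warranted. A short docblock listing the four parameters and what `$extended_view` enables would also help, as the constructor now carries the setup that the old method documented by its return value.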