diff --git a/app/Controller/AllowedlistsController.php b/app/Controller/AllowedlistsController.php
index 1fc0fbe7c..8590c928c 100644
--- a/app/Controller/AllowedlistsController.php
+++ b/app/Controller/AllowedlistsController.php
@@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
 class AllowedlistsController extends AppController
 {
 public $components = array(
- 'Security',
 'AdminCrud'
 );
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index bf5953785..f3d9aecd4 100755
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -22,6 +22,7 @@ App::uses('BlowfishConstantPasswordHasher', 'Controller/Component/Auth');
 * @property CompressedRequestHandlerComponent $CompressedRequestHandler
 * @property DeprecationComponent $Deprecation
 * @property RestSearchComponent $RestSearch
+ * @property BetterSecurityComponent $Security
 */
 class AppController extends Controller
 {
@@ -81,7 +82,9 @@ class AppController extends Controller
 )
 )
 ),
- 'Security',
+ 'Security' => [
+ 'className' => 'BetterSecurity',
+ ],
 'ACL',
 'CompressedRequestHandler',
 'RestResponse',
@@ -217,6 +220,7 @@ class AppController extends Controller
 // Throw exception if JSON in request is invalid. Default CakePHP behaviour would just ignore that error.
 $this->RequestHandler->addInputType('json', [$jsonDecode]);
 $this->Security->unlockedActions = array($this->request->action);
+ $this->Security->doNotGenerateToken = true;
 }
 if (
@@ -230,9 +234,7 @@ class AppController extends Controller
 // REST authentication
 if ($this->_isRest() || $this->_isAutomation()) {
 // disable CSRF for REST access
- if (isset($this->components['Security'])) {
- $this->Security->csrfCheck = false;
- }
+ $this->Security->csrfCheck = false;
 if ($this->__loginByAuthKey() === false || $this->Auth->user() === null) {
 if ($this->__loginByAuthKey() === null) {
 $this->loadModel('Log');
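Review bot: The `'Security' => ['className' => 'BetterSecurity']` entry in the AppController `$components` hunk is what every other file in this commit depends on, yet nothing at the declaration says so; a child controller that re-declares a bare `'Security'` entry would presumably be merged over this one by CakePHP's component merging and could silently fall back to the stock SecurityComponent, which is exactly why the commit strips `'Security'` from the other controllers. I would add a comment above the entry: `// Loaded here for every controller; never re-declare 'Security' in a child $components array, a bare entry may override the BetterSecurity className.` The `$this->Security->doNotGenerateToken = true;` added in the -217 hunk sits inside an `if` whose condition starts outside the hunk, so which requests skip token generation cannot be confirmed from this page; a one-line comment naming the intent there, such as `// JSON/REST requests never render a form, so no CSRF token needs to be issued`, would help if that is indeed the enclosing branch.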
diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php
index 9c4c44177..2cb35eda3 100644
--- a/app/Controller/AttributesController.php
+++ b/app/Controller/AttributesController.php
@@ -9,7 +9,7 @@ App::uses('AttachmentTool', 'Tools');
 */
 class AttributesController extends AppController
 {
- public $components = array('Security', 'RequestHandler');
+ public $components = array('RequestHandler');
 public $paginate = [
 'limit' => 60,
@@ -47,9 +47,8 @@ class AttributesController extends AppController
 $this->Security->unlockedActions[] = 'getMassEditForm';
 $this->Security->unlockedActions[] = 'search';
 if ($this->request->action === 'add_attachment') {
- $this->Security->disabledFields = array('values');
+ $this->Security->unlockedFields = array('values');
 }
- $this->Security->validatePost = true;
 // convert uuid to id if present in the url and overwrite id field
 if (isset($this->request->params->query['uuid'])) {
diff --git a/app/Controller/AuditLogsController.php b/app/Controller/AuditLogsController.php
index 74d1e93e8..11a228a99 100644
--- a/app/Controller/AuditLogsController.php
+++ b/app/Controller/AuditLogsController.php
@@ -8,7 +8,6 @@ App::uses('AuditLog', 'Model');
 class AuditLogsController extends AppController
 {
 public $components = [
- 'Security',
 'RequestHandler',
 ];
diff --git a/app/Controller/AuthKeysController.php b/app/Controller/AuthKeysController.php
index 97f28e992..56276bd7d 100644
--- a/app/Controller/AuthKeysController.php
+++ b/app/Controller/AuthKeysController.php
@@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
 class AuthKeysController extends AppController
 {
 public $components = array(
- 'Security',
 'CRUD',
 'RequestHandler'
 );
diff --git a/app/Controller/Component/BetterSecurityComponent.php b/app/Controller/Component/BetterSecurityComponent.php
new file mode 100644
index 000000000..a5a177e63
--- /dev/null
+++ b/app/Controller/Component/BetterSecurityComponent.php
@@ -0,0 +1,61 @@
+params['requested']) && $request->params['requested'] === 1) {
+ if ($this->Session->check('_Token')) {
+ $request->params['_Token'] = $this->Session->read('_Token');
+ }
+ return false;
+ }
+
+ if ($this->doNotGenerateToken) {
+ return true;
+ }
+
+ // No need to hash random data
+ $authKey = bin2hex(Security::randomBytes(16));
+ $token = array(
+ 'key' => $authKey,
+ 'allowedControllers' => $this->allowedControllers,
+ 'allowedActions' => $this->allowedActions,
+ 'unlockedFields' => array_merge($this->disabledFields, $this->unlockedFields),
+ 'csrfTokens' => array(),
+ );
+
+ if ($this->Session->check('_Token')) {
+ $tokenData = $this->Session->read('_Token');
+ if (!empty($tokenData['csrfTokens']) && is_array($tokenData['csrfTokens'])) {
+ $token['csrfTokens'] = $this->_expireTokens($tokenData['csrfTokens']);
+ }
+ }
+ if ($this->csrfUseOnce || empty($token['csrfTokens'])) {
+ $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
+ }
+ if (!$this->csrfUseOnce) {
+ $csrfTokens = array_keys($token['csrfTokens']);
+ $authKey = $csrfTokens[0];
+ $token['key'] = $authKey;
+ $token['csrfTokens'][$authKey] = strtotime($this->csrfExpires);
+ }
+ $this->Session->write('_Token', $token);
+ $request->params['_Token'] = array(
+ 'key' => $token['key'],
+ 'unlockedFields' => $token['unlockedFields'],
+ );
+ return true;
+ }
+}
diff --git a/app/Controller/CorrelationExclusionsController.php b/app/Controller/CorrelationExclusionsController.php
index 7f051aef5..8b53442ac 100644
--- a/app/Controller/CorrelationExclusionsController.php
+++ b/app/Controller/CorrelationExclusionsController.php
@@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
 class CorrelationExclusionsController extends AppController
 {
 public $components = array(
- 'Security',
 'CRUD',
 'RequestHandler'
 );
diff --git a/app/Controller/CorrelationsController.php b/app/Controller/CorrelationsController.php
index dbbafc3da..1819dd2d3 100644
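Review bot: The `if ($this->doNotGenerateToken) { return true; }` early return in the new component is undocumented, and because it fires before both `$this->Session->write('_Token', $token)` and the `$request->params['_Token']` assignment, a request that sets the flag gets neither a fresh session token nor the `key`/`unlockedFields` data that the form layer reads from the request params. Only the tail of the file is legible on this page (the class header, the property declaration and the start of this method are missing), so I would put a docblock on the `$doNotGenerateToken` property stating that it skips only the generation step — incoming POSTs are presumably still validated by the parent's startup() before this method runs, which should be confirmed against the parent component — that it must be set only for actions that never render a form (REST/JSON responses, polling endpoints) or whose session writes are discarded anyway, and that the `_expireTokens()` housekeeping on existing `csrfTokens` is skipped too, so stale entries linger until the next normal request. The `// No need to hash random data` comment would be clearer as `// bin2hex of 16 CSPRNG bytes is already an opaque 128-bit token; hashing it adds nothing.`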
--- a/app/Controller/CorrelationsController.php
+++ b/app/Controller/CorrelationsController.php
@@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
 */
 class CorrelationsController extends AppController
 {
- public $components = array('Security', 'RequestHandler');
+ public $components = array('RequestHandler');
 public function top()
 {
diff --git a/app/Controller/DecayingModelController.php b/app/Controller/DecayingModelController.php
index 3d8442be8..132cd887a 100644
--- a/app/Controller/DecayingModelController.php
+++ b/app/Controller/DecayingModelController.php
@@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
 class DecayingModelController extends AppController
 {
- public $components = array('Security' ,'RequestHandler');
+ public $components = array('RequestHandler');
 public $paginate = array(
 'limit' => 50,
diff --git a/app/Controller/DecayingModelMappingController.php b/app/Controller/DecayingModelMappingController.php
index 79c0dfc43..16a239c4f 100644
--- a/app/Controller/DecayingModelMappingController.php
+++ b/app/Controller/DecayingModelMappingController.php
@@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
 class DecayingModelMappingController extends AppController
 {
- public $components = array('Security' ,'RequestHandler');
+ public $components = array('RequestHandler');
 public $paginate = array(
 'limit' => 50,
diff --git a/app/Controller/EventGraphController.php b/app/Controller/EventGraphController.php
index 87b79c40f..dca1e89e2 100644
--- a/app/Controller/EventGraphController.php
+++ b/app/Controller/EventGraphController.php
@@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
 class EventGraphController extends AppController
 {
 public $components = array(
- 'Security',
 'RequestHandler'
 );
diff --git a/app/Controller/EventReportsController.php b/app/Controller/EventReportsController.php
index 78e511ce3..130caac65 100644
--- a/app/Controller/EventReportsController.php
+++ b/app/Controller/EventReportsController.php
@@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
 class EventReportsController extends AppController
 {
 public $components = array(
- 'Security',
 'AdminCrud',
 'RequestHandler'
 );
diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 726ad56ac..a6b843779 100644
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -9,10 +9,8 @@ App::uses('Xml', 'Utility');
 class EventsController extends AppController
 {
 public $components = array(
- 'Security',
- 'Email',
- 'RequestHandler',
- 'IOCImport',
+ 'RequestHandler',
+ 'IOCImport',
 );
 public $paginate = array(
@@ -102,6 +100,10 @@ class EventsController extends AppController
 }
 $this->paginate = Set::merge($this->paginate, array('conditions' => $conditions));
 }
+
+ if ($this->request->action === 'checkLocks') {
+ $this->Security->doNotGenerateToken = true;
+ }
 }
 /**
@@ -4444,21 +4446,21 @@ class EventsController extends AppController
 return new CakeResponse(array('body' => json_encode($json), 'status' => 200, 'type' => 'json'));
 }
- private function genDistributionGraph($id, $type = 'event', $extended = 0)
+ private function genDistributionGraph($id, $type = 'event', $extended = 0, $user = null)
 {
 $validTools = array('event');
 if (!in_array($type, $validTools)) {
 throw new MethodNotAllowedException(__('Invalid type.'));
 }
- App::uses('DistributionGraphTool', 'Tools');
- $grapher = new DistributionGraphTool();
- $this->loadModel('Server');
 $servers = $this->Server->find('column', array(
 'fields' => array('Server.name'),
 ));
- $grapher->construct($this->Event, $servers, $this->Auth->user(), $extended);
+
+ App::uses('DistributionGraphTool', 'Tools');
+ $user = $user ?: $this->Auth->user();
+ $grapher = new DistributionGraphTool($this->Event, $servers, $user, $extended);
 $json = $grapher->get_distributions_graph($id);
 array_walk_recursive($json, function (&$item, $key) {
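Review bot: The EventsController `$components` hunk drops `'Email'` alongside `'Security'`, which goes beyond the Security consolidation the rest of the commit performs; the same happens in ShadowAttributesController (which also loses `'Acl'`) and in UsersController further down the page. If any action in those controllers still references `$this->Email` or `$this->Acl`, it now fails at runtime on an undefined property, and that cannot be confirmed from the hunks visible here. A grep for those two properties before merge, or a sentence in the commit description stating they were unused, would close that gap.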
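Review bot: Only `checkLocks` receives `$this->Security->doNotGenerateToken = true;` in the beforeFilter hunk, yet `getDistributionGraph` (the -4500 hunk in this same file) also calls `session_abort()` after reading the user; presumably the `_Token` the Security component writes during startup for that action is then discarded, so the generation is wasted work and the two polling endpoints are treated inconsistently. I would widen the condition to `if (in_array($this->request->action, ['checkLocks', 'getDistributionGraph'], true)) {` and add `// polling endpoints: they never render a form and abort the session before writing`. beforeFilter starts outside this hunk.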
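Review bot: `$user = $user ?: $this->Auth->user();` in the genDistributionGraph hunk uses the truthiness operator for a parameter whose declared default is `null`; `$user = $user ?? $this->Auth->user();` expresses the null fallback directly and avoids silently replacing an empty array, which the new `array $user` constructor parameter would otherwise accept. Since the signature gained a parameter, a docblock line `@param array|null $user Auth user array; pass the snapshot taken before session_abort() when the caller has closed the session` would tell future callers why the parameter exists. The method continues past the end of the hunk.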
@@ -4500,8 +4502,12 @@ class EventsController extends AppController
 public function getDistributionGraph($id, $type = 'event')
 {
+ // Close session without writing changes to them.
+ $user = $this->Auth->user();
+ session_abort();
+
 $extended = isset($this->params['named']['extended']) ? 1 : 0;
- $json = $this->genDistributionGraph($id, $type, $extended);
+ $json = $this->genDistributionGraph($id, $type, $extended, $user);
 return $this->RestResponse->viewData($json, 'json');
 }
@@ -5440,17 +5446,20 @@ class EventsController extends AppController
 public function checkLocks($id, $timestamp)
 {
+ // Close session without writing changes to them.
+ $user = $this->Auth->user();
+ session_abort();
+
 $event = $this->Event->find('first', array(
 'recursive' => -1,
 'conditions' => ['Event.id' => $id],
 'fields' => ['Event.orgc_id', 'Event.timestamp'],
 ));
 // Return empty response if event not found or user org is not owner
- if (empty($event) || ($event['Event']['orgc_id'] != $this->Auth->user('org_id') && !$this->_isSiteAdmin())) {
+ if (empty($event) || ($event['Event']['orgc_id'] != $user['org_id'] && !$this->_isSiteAdmin())) {
 return new CakeResponse(['status' => 204]);
 }
- $user = $this->Auth->user();
 $this->loadModel('EventLock');
 $locks = $this->EventLock->checkLock($user, $id);
diff --git a/app/Controller/FeedsController.php b/app/Controller/FeedsController.php
index f46b17145..17313c1fc 100644
--- a/app/Controller/FeedsController.php
+++ b/app/Controller/FeedsController.php
@@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
 class FeedsController extends AppController
 {
 public $components = array(
- 'Security',
 'CRUD',
 'RequestHandler'
 ); // XXX ACL component
diff --git a/app/Controller/JobsController.php b/app/Controller/JobsController.php
index 2f5550014..4a12f61f6 100644
--- a/app/Controller/JobsController.php
+++ b/app/Controller/JobsController.php
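Review bot: The comment `// Close session without writing changes to them.` above `session_abort()` in the getDistributionGraph hunk is ungrammatical and understates the effect: every session write made earlier in this request, presumably including whatever the Security and Auth components wrote during startup, is dropped, not only writes made after this line. I would replace it here and in the checkLocks hunk below with `// Release the session lock early so polling does not serialise requests; session_abort() also discards any session writes made so far in this request, so everything needed from the session is read first.` The blank `+` line after `session_abort();` keeps the read/abort pair visually separate, which reads well.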
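Review bot: In the checkLocks hunk the ownership test still calls `$this->_isSiteAdmin()` after `session_abort()`; that method is defined outside the hunk and presumably reads the role through `$this->Auth->user()` rather than from the captured `$user`, while the commit moved the `org_id` read to `$user['org_id']` precisely so that nothing touches the session after the abort. The site-admin half of the check should follow the same rule, for example `!empty($user['Role']['perm_site_admin'])` in place of `!$this->_isSiteAdmin()` if that is where the role lives in the Auth user array, so the whole decision is made on the snapshot taken before the abort; otherwise a comment explaining why reading through Auth after `session_abort()` is safe here would do.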
@@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
 */
 class JobsController extends AppController
 {
- public $components = array('Security', 'RequestHandler', 'Session');
+ public $components = array('RequestHandler', 'Session');
 public $paginate = array(
 'limit' => 20,
diff --git a/app/Controller/LogsController.php b/app/Controller/LogsController.php
index 510d3bca3..fa22f4b0f 100644
--- a/app/Controller/LogsController.php
+++ b/app/Controller/LogsController.php
@@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
 class LogsController extends AppController
 {
 public $components = array(
- 'Security',
 'RequestHandler',
 'AdminCrud' => array(
 'crud' => array('index')
diff --git a/app/Controller/ModulesController.php b/app/Controller/ModulesController.php
index 5b88f19e2..821a8ca95 100755
--- a/app/Controller/ModulesController.php
+++ b/app/Controller/ModulesController.php
@@ -3,7 +3,6 @@ App::uses('AppController', 'Controller');
 class ModulesController extends AppController
 {
 public $components = array(
- 'Security',
 'RequestHandler'
 );
diff --git a/app/Controller/ObjectReferencesController.php b/app/Controller/ObjectReferencesController.php
index 1d4d593ff..9e4d32def 100644
--- a/app/Controller/ObjectReferencesController.php
+++ b/app/Controller/ObjectReferencesController.php
@@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
 */
 class ObjectReferencesController extends AppController
 {
- public $components = array('Security' ,'RequestHandler', 'Session');
+ public $components = array('RequestHandler', 'Session');
 public $paginate = array(
 'limit' => 20,
diff --git a/app/Controller/ObjectTemplateElementsController.php b/app/Controller/ObjectTemplateElementsController.php
index 8019448b3..62298b8eb 100644
--- a/app/Controller/ObjectTemplateElementsController.php
+++ b/app/Controller/ObjectTemplateElementsController.php
@@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
 class ObjectTemplateElementsController extends AppController
 {
- public $components = array('Security' ,'RequestHandler', 'Session');
+ public $components = array('RequestHandler', 'Session');
 public $paginate = array(
 'limit' => 60,
diff --git a/app/Controller/ObjectTemplatesController.php b/app/Controller/ObjectTemplatesController.php
index a2a078045..1f541dd82 100644
--- a/app/Controller/ObjectTemplatesController.php
+++ b/app/Controller/ObjectTemplatesController.php
@@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
 */
 class ObjectTemplatesController extends AppController
 {
- public $components = array('Security' ,'RequestHandler', 'Session');
+ public $components = array('RequestHandler', 'Session');
 public $paginate = array(
 'limit' => 60,
diff --git a/app/Controller/ObjectsController.php b/app/Controller/ObjectsController.php
index 1ca8139b2..dd8e789ec 100644
--- a/app/Controller/ObjectsController.php
+++ b/app/Controller/ObjectsController.php
@@ -10,7 +10,7 @@ class ObjectsController extends AppController
 {
 public $uses = 'MispObject';
- public $components = array('Security' ,'RequestHandler', 'Session');
+ public $components = array('RequestHandler', 'Session');
 public $paginate = array(
 'limit' => 20,
diff --git a/app/Controller/PostsController.php b/app/Controller/PostsController.php
index 7be942bed..2d07f3a03 100644
--- a/app/Controller/PostsController.php
+++ b/app/Controller/PostsController.php
@@ -9,7 +9,6 @@ App::uses('AppController', 'Controller');
 class PostsController extends AppController
 {
 public $components = array(
- 'Security',
 'Session',
 'RequestHandler'
 );
diff --git a/app/Controller/RegexpController.php b/app/Controller/RegexpController.php
index 93e1a3528..ddf6607de 100644
--- a/app/Controller/RegexpController.php
+++ b/app/Controller/RegexpController.php
@@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
 class RegexpController extends AppController
 {
- public $components = array('Security', 'RequestHandler', 'AdminCrud');
+ public $components = array('RequestHandler', 'AdminCrud');
 public $paginate = array(
 'limit' => 60,
diff --git a/app/Controller/RestClientHistoryController.php b/app/Controller/RestClientHistoryController.php
index 5858f90f3..fa84a4bba 100644
--- a/app/Controller/RestClientHistoryController.php
+++ b/app/Controller/RestClientHistoryController.php
@@ -5,7 +5,6 @@ App::uses('AppController', 'Controller');
 class RestClientHistoryController extends AppController
 {
 public $components = array(
- 'Security',
 'AdminCrud',
 'RequestHandler'
 );
diff --git a/app/Controller/RolesController.php b/app/Controller/RolesController.php
index c74504f92..5bf73c4ee 100644
--- a/app/Controller/RolesController.php
+++ b/app/Controller/RolesController.php
@@ -10,7 +10,6 @@ App::uses('AppController', 'Controller');
 class RolesController extends AppController
 {
 public $components = array(
- 'Security',
 'Session',
 'RequestHandler'
 );
diff --git a/app/Controller/ServersController.php b/app/Controller/ServersController.php
index d320afaa8..7232dfd93 100644
--- a/app/Controller/ServersController.php
+++ b/app/Controller/ServersController.php
@@ -9,7 +9,7 @@ App::uses('SecurityAudit', 'Tools');
 */
 class ServersController extends AppController
 {
- public $components = array('Security' ,'RequestHandler'); // XXX ACL component
+ public $components = array('RequestHandler'); // XXX ACL component
 public $paginate = array(
 'limit' => 60,
diff --git a/app/Controller/ShadowAttributesController.php b/app/Controller/ShadowAttributesController.php
index 0c34cb134..fa426a7c6 100644
--- a/app/Controller/ShadowAttributesController.php
+++ b/app/Controller/ShadowAttributesController.php
@@ -9,7 +9,7 @@ App::uses('AttachmentTool', 'Tools');
 */
 class ShadowAttributesController extends AppController
 {
- public $components = array('Acl', 'Security', 'RequestHandler', 'Email');
+ public $components = array('RequestHandler');
 public $paginate = array(
 'limit' => 60,
@@ -20,7 +20,6 @@ class ShadowAttributesController extends AppController
 {
 parent::beforeFilter();
 $this->set('title_for_layout', 'Proposals');
- $this->Security->validatePost = true;
 // convert uuid to id if present in the url, and overwrite id field
 if (isset($this->params->query['uuid'])) {
diff --git a/app/Controller/TagCollectionsController.php b/app/Controller/TagCollectionsController.php
index cdca7e0fc..527b24bec 100644
--- a/app/Controller/TagCollectionsController.php
+++ b/app/Controller/TagCollectionsController.php
@@ -8,7 +8,6 @@ App::uses('AppController', 'Controller');
 class TagCollectionsController extends AppController
 {
 public $components = array(
- 'Security',
 'AdminCrud',
 'RequestHandler'
 );
diff --git a/app/Controller/TagsController.php b/app/Controller/TagsController.php
index 49c79d2b2..1c71dc090 100644
--- a/app/Controller/TagsController.php
+++ b/app/Controller/TagsController.php
@@ -6,7 +6,7 @@ App::uses('AppController', 'Controller');
 */
 class TagsController extends AppController
 {
- public $components = array('Security' ,'RequestHandler');
+ public $components = array('RequestHandler');
 public $paginate = array(
 'limit' => 50,
diff --git a/app/Controller/TasksController.php b/app/Controller/TasksController.php
index 9c02414cb..89062389c 100644
--- a/app/Controller/TasksController.php
+++ b/app/Controller/TasksController.php
@@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
 class TasksController extends AppController
 {
- public $components = array('Security' ,'RequestHandler', 'Session');
+ public $components = array('RequestHandler', 'Session');
 public $paginate = array(
 'limit' => 20,
diff --git a/app/Controller/TemplateElementsController.php b/app/Controller/TemplateElementsController.php
index 623499b08..7a0df8314 100644
--- a/app/Controller/TemplateElementsController.php
+++ b/app/Controller/TemplateElementsController.php
@@ -4,7 +4,7 @@ App::uses('AppController', 'Controller');
 class TemplateElementsController extends AppController
 {
- public $components = array('Security' ,'RequestHandler');
+ public $components = array('RequestHandler');
 public $paginate = array(
 'limit' => 50,
diff --git a/app/Controller/TemplatesController.php b/app/Controller/TemplatesController.php
index 33d0f1ad7..2ea4e9108 100644
--- a/app/Controller/TemplatesController.php
+++ b/app/Controller/TemplatesController.php
@@ -6,7 +6,7 @@ App::uses('File', 'Utility');
 class TemplatesController extends AppController
 {
- public $components = array('Security' ,'RequestHandler', 'CRUD');
+ public $components = array('RequestHandler', 'CRUD');
 public $paginate = array(
 'limit' => 50,
diff --git a/app/Controller/ThreadsController.php b/app/Controller/ThreadsController.php
index befe0fcbe..55c414b7a 100644
--- a/app/Controller/ThreadsController.php
+++ b/app/Controller/ThreadsController.php
@@ -7,7 +7,6 @@ App::uses('AppController', 'Controller');
 class ThreadsController extends AppController
 {
 public $components = array(
- 'Security',
 'RequestHandler',
 'Session',
 );
diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php
index 8eb081912..12e619464 100644
--- a/app/Controller/UsersController.php
+++ b/app/Controller/UsersController.php
@@ -9,9 +9,7 @@ class UsersController extends AppController
 public $newkey;
 public $components = array(
- 'Security',
- 'Email',
- 'RequestHandler'
+ 'RequestHandler'
 );
 public $paginate = array(
diff --git a/app/Lib/Tools/DistributionGraphTool.php b/app/Lib/Tools/DistributionGraphTool.php
index edcd34fb4..0ecdc13b3 100644
--- a/app/Lib/Tools/DistributionGraphTool.php
+++ b/app/Lib/Tools/DistributionGraphTool.php
@@ -11,7 +11,7 @@ class DistributionGraphTool
 /** @var array */
 private $__serverList;
- public function construct(Event $eventModel, array $servers, array $user, $extended_view=0)
+ public function __construct(Event $eventModel, array $servers, array $user, $extended_view=0)
 {
 $this->__eventModel = $eventModel;
 $this->__serverList = $servers;
@@ -33,8 +33,6 @@ class DistributionGraphTool
 ];
 }
 $this->__json['distributionInfo'][5] = ""; // inherit event. Will be deleted afterward
-
- return true;
 }
 private function __fetchAndAddDistributionInfo($elem)
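Review bot: Renaming `construct()` to `__construct()` changes the class's public surface: any caller other than the EventsController one updated in this commit that still does `new DistributionGraphTool()` followed by `->construct(...)` now fails on the constructor's required arguments, and that cannot be verified from this page. Since the signature is being touched anyway, `$extended_view=0` could be typed and spaced like the other parameters, `int $extended_view = 0`; dropping `return true` in the second hunk is correct because a constructor cannot return a value. A docblock on the constructor would tell callers what they now have to assemble: `@param Event $eventModel`, `@param list<string> $servers server names, as fetched by the caller`, `@param array $user the Auth user array`, `@param int $extended_view`. The constructor body continues past the first hunk.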