MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
16,804 Commits
35 Branches
366 Tags
190 MiB
Commit Graph

590 Commits (3c8b9c0fe4986f4ad6af2413c85069e22f0568da)

Author SHA1 Message Date
Jakub Onderka 1993f2235c chg: [internal] Do not load notifications for ajax requests 2020-10-19 17:28:52 +02:00
Raphaël Vinot e14192ccf6 Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-10-16 13:18:16 +02:00
Raphaël Vinot 5527c24d92 chg: Bump PyMISP 2020-10-16 13:17:04 +02:00
Jakub Onderka 0e80b9f498 fix: [freetext] Do not load event page twice when saving freetext 2020-10-11 12:36:00 +02:00
mokaddem 40b3259b7a
fix: [decayingModelSimulation] Correctly extract part of atomic tags 2020-10-06 14:18:05 +02:00
Jakub Onderka 3be0ab9169 chg: [internal] Use ACLComponent for menu item permission 2020-10-03 16:12:44 +02:00
mokaddem 6bcde44950
chg: bumped queryversion 2020-09-28 10:32:14 +02:00
mokaddem 1287b18106
chg: [queryversion] Bumped 2020-09-15 14:07:41 +02:00
Raphaël Vinot 1684478091 chg: [PyMISP] Bump version 2020-09-08 12:47:30 +02:00
Sami Mokaddem 775514ccf8
chg: Bumped queryversion 2020-09-03 16:41:26 +02:00
Golbark 3fb47d1cce chg: [internal] Using blocklist instead of blacklist 2020-09-01 16:27:36 +02:00
iglocska 704378c919
fix: [JS] broken URLs due to the baseurl refactor 
- no need to prepend URLs taken from the forms themselves directly.
 2020-08-24 17:20:57 +02:00
iglocska 242d25d5e4
chg: [API] GET requests on restsearch with no parameters are no longer allowed. 
- warn the user of the use of GET queries with posted JSON bodies
 2020-08-24 09:04:30 +02:00
Raphaël Vinot db55589512 chg: [PyMISP] Bump tag 2020-08-20 13:04:44 +02:00
Jakub Onderka b6116098c0 fix: [security] Throw exception if invalid data provided 2020-08-05 12:39:11 +02:00
Jakub Onderka 67a9d612d5 fix: [security] ACL check when adding or removing tags 2020-08-04 12:23:41 +02:00
Jakub Onderka db626cf741 fix: [security] Respect ACL when event edit 2020-08-04 12:21:42 +02:00
mokaddem 94aa68c8b4
chg: Bumped queryversion 2020-07-31 13:30:17 +02:00
iglocska bf4610c947
fix: [security] setting a favourite homepage was not CSRF protected 
- a user could be lured into setting a MISP home-page outside of the MISP baseurl
- switched the endpoint to be CSRF protection enabled

- as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
 2020-07-13 12:19:11 +02:00
Raphaël Vinot 688585b323 chg: [PyMISP] Bump 2020-06-22 14:34:49 +02:00
Raphaël Vinot 5a512063a3 chg: [PyMISP] Bump 2020-06-16 14:30:23 +02:00
Jakub Onderka 8c13330712 fix: [internal] Check if user is logged before checking if he is site admin 2020-05-19 17:11:39 +02:00
Jakub Onderka df1ed1badf fix: [internal] Set notifications count and loggedInUserName just for logged users 2020-05-19 17:10:53 +02:00
Raphaël Vinot b8f0574f71 chg: Bump PyMISP 2020-05-18 12:38:25 +02:00
iglocska c8e9fa1c76
chg: [roles] allow the creation site admin enabled roles without auth access 2020-05-06 14:53:11 +02:00
iglocska f278407e91
chg: [VERSION] bump 2020-04-30 11:50:22 +02:00
iglocska e9c00cb1b4
fix: [otp] pre-auth action list only expanded if otp is enabled 2020-04-29 15:55:22 +02:00
iglocska 6ec8391e46
Merge branch '5726' into 2.4 2020-04-29 15:50:01 +02:00
Andras Iklody f30959f274
Merge pull request #5561 from JakubOnderka/is_rest_cache 
chg: [internal] Cache result of AppController::_isRest method
 2020-04-28 15:46:24 +02:00
iglocska 03c866fe4e
fix: [registrations] Users can now register using the API without a valid key, affects #5783 2020-04-24 11:39:59 +02:00
iglocska 45e42ca84f
new: [privacy] filter added for the authkeys in the admin section to make giving trainings easier 2020-04-21 08:09:26 +02:00
Golbark 93ba84fd02 Hook into native authentication flow instead of beforefilter 
which prevents any after-auth bypass and rely on framework
session management.
 2020-04-20 12:24:47 +02:00
Golbark 3436bc6ae5 Merge branch '2.4' into email-otp-implementation 
Conflicts:
	app/Model/Server.php
 2020-04-20 12:16:25 +02:00
iglocska 078bf123a1
chg: [ACL] added the feed data reload 2020-04-17 14:23:34 +02:00
iglocska 10ab82f830
new: [UI Helper] DataPathCollector helper added 
- helps the index factory fields retrieve data from the currently processed object based on a set of paths
 2020-04-17 14:13:15 +02:00
iglocska 3fa5c3f370
fix: [database] added missing file 2020-04-14 15:17:15 +02:00
iglocska 4ebc0a7988
new: [inbox] system added 
- user self-registration is the first use-case
- if the feature is enabled, users can unauthenticated send a registration request to MISP
  - request includes information on desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, admins can inspect the registration requests
  - they can accept/discard them individually or en masse
  - users will be notified of their credentials automatically
  - quick user creation if the user asks for an org that doesn't exist yet
 2020-04-07 13:21:01 +02:00
Golbark d254d04365 Rely on session_id instead of user_id and address minor comments 2020-03-26 02:55:14 -07:00
Golbark 309bbc6814 new: usr: Implementation of email-based OTP 2020-03-25 07:45:09 -07:00
iglocska d7e3674987
new: [audit] Added user monitoring 
- site admins can set the monitoring flag on a user if the feature is enabled on the instance
- monitored users will have all requests logged along with POST bodies

- keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation
 2020-03-25 11:49:33 +01:00
Raphaël Vinot 8beec4e383 chg: Bump PyMISP 2020-03-10 14:31:31 +01:00
iglocska f1faa7845f
fix: [dashboard] grid scope fix 2020-03-10 11:34:30 +01:00
mokaddem 431ccc6a04
chg: [response header] Added `X-XSS-Protection` header 
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
 2020-03-06 16:06:35 +01:00
iglocska a40c227ca4
chg: [querystring] bumped 2020-03-02 23:14:55 +01:00
iglocska 0d4df7c98b
new: [Dashboard] system 
- Dashboard
  - modular similar to restSearch
  - build your own widgets
  - use a set of visualisation options (more coming!)
  - full access to internal functions for queries
  - auto discover core and 3rd party widgets
  - rearrange / configure widgets for each user individually
  - rearrange / resize widgets
  - settings can be configured by a site-admin on behalf of others
  - modules have a self-explain mode to guide users
  - caching mechanism for the modules / org

- set homepage / user
- various other fixes
 2020-03-01 18:05:21 +01:00
iglocska 4bfcc3211b
new: [API] object level restSearch added 
still WiP
 2020-02-29 08:57:32 +01:00
iglocska 08e0e9d16d
chg: [version] bump 2020-02-26 16:13:12 +01:00
iglocska c310b30177
fix: [custom auth] correctly use HTTP_ as the default header namespace 2020-02-23 19:13:48 +01:00
iglocska 363d0cd69a
new: [logging] Log user IPs on login 
- feature is optional and needs to be enabled in the server settings
- on successful login logs the associated user ID for a given IP (30 day retention)
- also logs the IP for the associated user ID (indefinite retention)
- added two command line tools to query
  - Get IPs For User ID: MISP/app/Console/cake Admin UserIP [user_id]
  - Get User ID For User IP: MISP/app/Console/cake Admin IPUser [ip]
 2020-02-20 16:07:10 +01:00
iglocska 88894fc2e5
chg: [version] bump 2020-02-10 16:22:03 +01:00