iglocska
61d4d36705
fix: [security] stored XSS in the user add/edit forms
- a malicious site administrator could store an XSS payload in the custom auth name which would be executed each time the administrator modifies a user
- as reported by Ianis BERNARD - NATO Cyber Security Centre
2022-03-17 14:10:09 +01:00
Jakub Onderka
f208c656ea
chg: [cryptographicKey] Simplified code for event pushing
2022-03-17 13:58:25 +01:00
Alexandre Dulaunoy
ca036781ca
chg: [taxonomies] updated to the latest version
2022-03-17 13:43:29 +01:00
Alexandre Dulaunoy
b365be8e36
chg: [misp-galaxy] updated
2022-03-17 13:42:40 +01:00
iglocska
dc63cb772c
Merge branch '2.4' into develop
2022-03-17 13:25:05 +01:00
Sami Mokaddem
9307a07760
fix: [events:edit] Correctly collects saved cryptographic keys when pushing an edit
2022-03-17 12:38:19 +01:00
Sami Mokaddem
b92d8ddb8f
chg: [events:index] Check for not empty instead
2022-03-17 11:50:49 +01:00
Sami Mokaddem
188153ffe9
chg: [events] Typo in protected description
2022-03-17 11:50:06 +01:00
Alexandre Dulaunoy
bcf8e49654
chg: [misp-objects] updated to the latest version
2022-03-17 10:27:36 +01:00
Jakub Onderka
72b8daa7a5
Merge pull request #8213 from JakubOnderka/oidc_undefined_index
fix: [oidc] Undefined index
2022-03-17 09:57:09 +01:00
Jakub Onderka
ff39069bbc
fix: [oidc] Undefined index
2022-03-17 09:29:02 +01:00
Alexandre Dulaunoy
a0e6be2cdd
chg: [PyMISP] updated
2022-03-17 09:25:27 +01:00
iglocska
26ea06f2d9
fix: [gpg key] handle the lack of an instance key more gracefully
2022-03-17 02:31:45 +01:00
iglocska
47a997363c
chg: [CI] make the tests happy
- trailing comma after the last parameter in a function is not allowed in some PHP versions
2022-03-17 02:09:22 +01:00
iglocska
a63a628a1a
fix: [cryptographicKey] instance key fingerprint caching fixed
2022-03-17 01:44:58 +01:00
iglocska
20fffac92b
chg: [signing validation] re-added to the new ServerSyncTool
2022-03-17 01:44:33 +01:00
iglocska
e8dcb31623
Merge branch 'feature/protected_mode' into develop
2022-03-17 01:43:44 +01:00
iglocska
8ea0b2cb56
chg: [unused endpoint] removed
2022-03-17 00:57:41 +01:00
iglocska
f8957cd62e
new: [instance key ingestion] added caching
- cache the fingerprint of the instance for 5 minutes
- avoid an unnecessary overhead by caching the value for 5 minutes
2022-03-17 00:53:02 +01:00
iglocska
17adbc26ae
chg: [signing validation] fixes
- correctly handle edits in regards to tamper proofing events
- handle an edge case of missing organisation data loaded for displaying if an event is removed by failing the validation
2022-03-17 00:47:06 +01:00
iglocska
f8efe5a01e
chg: [event view] added more information about the protected event status
2022-03-17 00:46:23 +01:00
iglocska
0ceeaf5242
new: [single view factory] added key_info constructor key for meta fields
- will display a font awesome info icon with a configurable title text
2022-03-17 00:45:11 +01:00
iglocska
57199cabd8
new: [protected event field] in the event view
- added tooltips with explanations
- added a warning if the instance's signing key is not included
2022-03-17 00:44:07 +01:00
iglocska
2263f4b194
chg: [event index] include a lock sign for protected events
2022-03-17 00:43:27 +01:00
iglocska
8eff854fce
fix: [signing validation] use the existing event rather than the incoming event for edits
- the ground truth for allowing edits is in the LOCAL version of the event
- prevents tampering attempts
- also cleanup of repetitive file upload code
2022-03-17 00:41:55 +01:00
iglocska
259a19a374
fix: [sync] removed newly added locked field as a sanitized sync field
- ends up creating unlocked events on the remote, preventing future edits
2022-03-16 15:36:58 +01:00
iglocska
d49eca93ea
Merge branch 'feature/protected_mode' of github.com:MISP/MISP into feature/protected_mode
2022-03-16 01:34:19 +01:00
iglocska
d431ee2d31
new: [pull] added protected mode checks and calling the validation functions if a protected event is found
- also removed leftover breakpoints
2022-03-16 01:32:01 +01:00
iglocska
828a07a128
chg: [cryptographicKey] - load and initialise gpg on class construction
2022-03-16 01:31:16 +01:00
iglocska
f6b5c7b7e3
chg: [gpgtool] validateGpgKey now also imports the key
2022-03-16 01:29:44 +01:00
iglocska
ab54f9cbfd
fix: [ACL] event protect/unprotect received ACL checks
2022-03-16 01:28:59 +01:00
iglocska
4f706aa331
fix: [ACL] Cryptokey add / delete key from parent received ACL checks
2022-03-16 01:28:09 +01:00
iglocska
9e90513881
new: [CRUD] delete - added the beforeDelete hook
2022-03-16 01:27:42 +01:00
iglocska
29ea45b4fd
chg: [ACL] added the cryptographicKeys functions
2022-03-16 01:27:11 +01:00
iglocska
5cd07f6ff0
fix: [warning] merge fixes
2022-03-15 23:51:43 +01:00
iglocska
c33230c2cd
Merge branch '2.4' into feature/protected_mode
2022-03-15 23:49:06 +01:00
iglocska
d60e8a39a1
Merge branch 'feature/protected_mode' of github.com:MISP/MISP into feature/protected_mode
2022-03-15 23:11:19 +01:00
iglocska
3122974853
chg: [pull] signing validation WiP
2022-03-15 23:10:51 +01:00
iglocska
f592053f5a
fix: [event] include the protected field in the saving to allow syncing of protected events
2022-03-15 23:10:09 +01:00
iglocska
7f7d5f0f0c
chg: [version] bump
2022-03-15 23:09:27 +01:00
iglocska
26de0a8b0c
new: [events] index and view signing checks added
- exclude events that can't be signed with a valid key as required by the event from the index for automaticTools (MISP + PyMISP)
- sign the data only for automaticTools (MISP + PyMISP)
2022-03-15 22:59:52 +01:00
iglocska
f4fbc62aae
fix: [cryptographicKey] various fixes
- typos fixed
- take parent ID from the local ID rather than the synced one
2022-03-15 22:58:09 +01:00
iglocska
7c3181837b
fix: [eventwarning] path fixed
- as spotted by @chrisr3d
2022-03-15 12:54:55 +01:00
Jakub Onderka
2e73166747
Merge pull request #8208 from JakubOnderka/oidc-empty-email
fix: [oidc] Throw exception if user email is empty
2022-03-15 10:38:44 +01:00
Jakub Onderka
0783bda85b
fix: [oidc] Specify correct column for user fetch
2022-03-15 10:20:43 +01:00
Jakub Onderka
b69c2c4918
fix: [php] Support for PHP 7.2
2022-03-15 10:20:43 +01:00
Jakub Onderka
3c8d07ca75
fix: [oidc] Throw exception if user email is empty
2022-03-15 09:55:50 +01:00
iglocska
98754783f6
Merge branch '2.4' of github.com:MISP/MISP into 2.4
2022-03-15 09:31:50 +01:00
iglocska
364eaa50c2
new: [event warnings] made modular
- app/Lib/EventWarning contains default warnings
- app/Lib/EventWarning/Custom can be used to just drop event warnings
- use app/Lib/EventWarning/DefaultWarning as a template
2022-03-15 09:30:56 +01:00
iglocska
e5c7e50fcf
fix: [internal] event rearranging before push fixed
- some elements were at a misaligned level in the array
2022-03-15 07:16:19 +01:00