Commit Graph

769 Commits (8a1e7c0164b4a5b4a5426eaeadc936015386d1ec)

Author SHA1 Message Date
Jakub Onderka 62537961f0 fix: [internal] Undefined index when importing from module 2021-03-02 14:44:41 +01:00
Jakub Onderka 98ec79db60 chg: [internal] Set cookie name just when no name is set 2021-03-01 17:22:39 +01:00
Jakub Onderka 8a3144f112 new: [security] Content-Security-Policy support 2021-02-26 13:21:00 +01:00
iglocska bf0bc494b2
Merge branch '2.4' into develop 2021-02-19 19:43:14 +01:00
iglocska 5654b536bd
fix: [caching] monkey-patching a client side MISP bug causing the caching to loop endlessly
- MISP caching can run into an endless loop if errors are returned for whatever reason
- This patch handles the specific case when the remote MISP requests an attribute range for caching that has an offset beyond the highest ID (should never happen)

- It's a dirty fix but should have nearly no impact on performance whilst resolving the issue
2021-02-19 19:41:12 +01:00
mokaddem 487253b712
Merge branch 'develop' of github.com:MISP/MISP into develop 2021-02-19 09:01:26 +01:00
mokaddem 8d9d0e6411
fix: [restClient] Make sure to split value on strings
Fix #7032
2021-02-19 09:00:45 +01:00
Jakub Onderka 412d9dba1d
Merge pull request #6906 from JakubOnderka/compressed-requests
new: [sync] Compressed requests support
2021-02-18 18:03:11 +01:00
mokaddem 37a724ddf3
fix: [events] Attach cluster from matrix in multiselect. Fix #6956 2021-02-15 15:05:23 +01:00
mokaddem 43db6029db
fix: [eventTimeline] Refresh attribute index when dragging. Fix #6958 2021-02-15 14:21:32 +01:00
iglocska bf8bd21a35
chg: [connection test] clarified that read only users can pull.
- Reduced error level to "orange"
- Added a clarification that they can still pull
2021-02-11 17:46:32 +01:00
Raphaël Vinot 7f85db254c chg: Bump PyMISP & version 2021-02-08 12:09:07 +01:00
iglocska 8f1dd15601
new: [PHP] version notification
- 8.0 is not supported, let users know in a more obvious way
2021-01-28 13:09:07 +01:00
mokaddem afe9d26e8a
chg: bumped queryversion 2021-01-25 13:43:36 +01:00
mokaddem d72b626839
chg: bumped queryversion 2021-01-22 14:49:04 +01:00
iglocska a8688501c3
fix: [diagnostics] complain about PHP >= 8.0 2021-01-22 11:55:35 +01:00
Raphaël Vinot 0d9e95679c chg: Bump PyMISP version 2021-01-20 12:58:56 +01:00
Jakub Onderka 69f901110a new: [sync] Compressed requests support 2021-01-19 17:59:08 +01:00
iglocska 3d5c9fb9a6
Merge branch 'develop' of github.com:MISP/MISP into develop 2021-01-05 08:42:47 +01:00
iglocska 44e792617c
fix: [search] don't append the same quicksearch value more than once in the URL 2021-01-05 08:40:37 +01:00
Jakub Onderka ef3d77a4fe chg: [optimisation] Decode JSON input from request just once 2021-01-01 22:17:57 +01:00
Jakub Onderka 1a184ebbb5 new: [internal] Allow to output directly TmpFileTool 2020-12-21 21:02:37 +01:00
Jakub Onderka c7f00b319f fix: [UI] Move debug mode variable before setting database connection 2020-12-17 13:50:26 +01:00
Jakub Onderka 324cdbafce chg: [REST] Close session early for `authkey_keep_session` connections 2020-12-17 13:50:26 +01:00
Jakub Onderka ae5ad7cc36 fix: [monitoring] Do not encode payload, it is string 2020-12-17 13:50:25 +01:00
Jakub Onderka 197b1a341a chg: [internal] Code cleanup 2020-12-17 13:50:25 +01:00
Jakub Onderka c0f6463d57 new: [security] Cancel API session right after auth key is deleted 2020-12-17 13:50:25 +01:00
Jakub Onderka 640e9492d7 new: [security] Put information about key expiration into response header 2020-12-17 13:50:25 +01:00
Jakub Onderka 8df77748b0 chg: [internal] Small optimisations 2020-12-17 13:50:25 +01:00
Jakub Onderka d92123c915 fix: [security] Do not allow to use API key authenticated session to do non API calls 2020-12-17 13:50:25 +01:00
Jakub Onderka 9896f67358 new: [security] New setting Security.username_in_response_header 2020-12-17 13:50:25 +01:00
Jakub Onderka feab5f553b chg: [internal] AppController code cleanup 2020-12-17 13:50:23 +01:00
Jakub Onderka 4c6ffc6985 chg: [internal] Rename MISP.log_user_ips_auth -> MISP.log_user_ips_authkeys 2020-12-17 13:49:32 +01:00
Jakub Onderka 8662a7efaf chg: [internal] Move access monitoring to own method 2020-12-17 13:49:32 +01:00
Jakub Onderka ee8a495d89 new: [internal] Show auth key usage in key view page 2020-12-17 13:49:32 +01:00
Jakub Onderka c6bf9de3ca fix: [internal] Remove unused variables 2020-12-17 13:49:32 +01:00
Jakub Onderka 6821556000 chg: [internal] Allow to reuse session for API requests 2020-12-17 13:49:32 +01:00
Jakub Onderka e5e855b3c2 new: [internal] Allow to log authkey usage in Redis 2020-12-17 13:49:32 +01:00
Jakub Onderka 6ce13b8168 chg: [internal] Do not log full authkeys 2020-12-17 13:49:32 +01:00
Jakub Onderka a0fb186a3c chg: [internal] Simplify User::describeAuthFields 2020-12-17 13:49:32 +01:00
Jakub Onderka d0ec184796 fix: [internal] Remove unused $user siteadmin variable 2020-12-17 13:49:32 +01:00
Jakub Onderka 49b85ed33c chg: [internal] Load just necessary info when loading homepage info 2020-12-17 13:49:32 +01:00
Jakub Onderka 18402c0489 chg: [internal] Load user role info from session data 2020-12-17 13:49:32 +01:00
Jakub Onderka 7f0d06ae4d chg: [internal] Move user checks to one place 2020-12-17 13:49:32 +01:00
Jakub Onderka becbf95c37 new: [UI] Download GPG public key from GPG homedir 2020-12-17 13:19:55 +01:00
iglocska a332e1379c
Merge branch '2.4' into cerebrate 2020-11-30 23:49:40 +01:00
iglocska 320191bbd8
chg: [querystring] bump 2020-11-30 23:46:37 +01:00
Jakub Onderka 2c7d6e4466 new: [auth] Allow to enforce auth plugin authentication 2020-11-30 14:46:36 +01:00
Jakub Onderka 165da72fdf fix: [internal] Remove unused method from AppController 2020-11-27 09:01:35 +01:00
Jakub Onderka e15ca97f33
Merge pull request #6081 from JakubOnderka/security_disable_browser_cache
new: [security] HTTP headers hardening
2020-11-24 21:00:02 +01:00
Raphaël Vinot 7dab02b1e5 chg: [PyMISP] Bump version 2020-11-23 10:07:11 +01:00
mokaddem e45174f83c
fix: [appController] Prevent notice for `perm_galaxy_editor` if update is still running 2020-11-19 17:35:30 +01:00
mokaddem 89f307bd07 Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0 2020-11-18 09:22:40 +01:00
Jakub Onderka 12f84b0d69
Merge pull request #6587 from JakubOnderka/authkey-view
Authkey view permission fix
2020-11-17 21:25:38 +01:00
mokaddem 9db29821b4
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0 2020-11-16 16:11:17 +01:00
Jakub Onderka c51cd36ac3 fix: [internal] Destroy session just when session is started 2020-11-16 14:58:12 +01:00
Jakub Onderka 000706251b fix: [security] Proper check who can view new authkeys 2020-11-15 18:04:34 +01:00
mokaddem dc65c79130
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0 2020-11-13 16:26:35 +01:00
mokaddem 1879bc05b7
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0 2020-11-12 09:05:12 +01:00
iglocska dbffebe503
Merge branch '2.4' into CRUD 2020-11-11 11:19:23 +01:00
mokaddem 17c793d10f
chg: Bumped queryversion 2020-11-10 13:31:43 +01:00
mokaddem 150b4cb7d1
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0 2020-11-09 10:07:43 +01:00
mokaddem 37072e309f
chg: Bumped queryversion 2020-11-09 09:03:55 +01:00
Jakub Onderka 5d6c1abe3c
Merge pull request #6519 from JakubOnderka/update-login-times
fix: [internal] Properly set login time for custom auth
2020-11-07 09:58:54 +01:00
mokaddem 1bf5c599f2
chg: bumped queryversion 2020-11-06 16:36:34 +01:00
iglocska 158036f525
chg: [version] bump 2020-11-02 13:56:08 +01:00
Raphaël Vinot 3b6017a5ed chg: [PyMISP] Bump version 2020-11-02 10:55:59 +01:00
mokaddem 0971e50752
chg: Bumped queryversion 2020-10-29 19:26:57 +01:00
Jakub Onderka 5a4ba9cbc1 fix: [internal] Properly set login times for custom auth 2020-10-29 17:53:11 +01:00
iglocska 62bbc95472
Merge branch '2.4' into CRUD 2020-10-20 02:01:21 +02:00
iglocska 68f2425af1
chg: [authkey] system tied into authentication 2020-10-20 01:48:16 +02:00
Jakub Onderka 63ae5c16e0 new: [security] New setting to check `Sec-Fetch-Site` header 2020-10-19 19:24:09 +02:00
Jakub Onderka 1993f2235c chg: [internal] Do not load notifications for ajax requests 2020-10-19 17:28:52 +02:00
Jakub Onderka 5e12063620 new: [security] Add new `Security.disable_browser_cache` option to disable saving data to browser cache 2020-10-18 18:53:57 +02:00
Raphaël Vinot e14192ccf6 Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-10-16 13:18:16 +02:00
Raphaël Vinot 5527c24d92 chg: Bump PyMISP 2020-10-16 13:17:04 +02:00
Jakub Onderka 0e80b9f498 fix: [freetext] Do not load event page twice when saving freetext 2020-10-11 12:36:00 +02:00
mokaddem 40b3259b7a
fix: [decayingModelSimulation] Correctly extract part of atomic tags 2020-10-06 14:18:05 +02:00
Jakub Onderka 3be0ab9169 chg: [internal] Use ACLComponent for menu item permission 2020-10-03 16:12:44 +02:00
mokaddem 6bcde44950
chg: bumped queryversion 2020-09-28 10:32:14 +02:00
mokaddem eb84b3344f
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0 2020-09-22 12:08:12 +02:00
mokaddem 1287b18106
chg: [queryversion] Bumped 2020-09-15 14:07:41 +02:00
Raphaël Vinot 1684478091 chg: [PyMISP] Bump version 2020-09-08 12:47:30 +02:00
Sami Mokaddem 775514ccf8
chg: Bumped queryversion 2020-09-03 16:41:26 +02:00
Golbark 3fb47d1cce chg: [internal] Using blocklist instead of blacklist 2020-09-01 16:27:36 +02:00
iglocska 704378c919
fix: [JS] broken URLs due to the baseurl refactor
- no need to prepend URLs taken from the forms themselves directly.
2020-08-24 17:20:57 +02:00
iglocska 242d25d5e4
chg: [API] GET requests on restsearch with no parameters are no longer allowed.
- warn the user of the use of GET queries with posted JSON bodies
2020-08-24 09:04:30 +02:00
Raphaël Vinot db55589512 chg: [PyMISP] Bump tag 2020-08-20 13:04:44 +02:00
Jakub Onderka b6116098c0 fix: [security] Throw exception if invalid data provided 2020-08-05 12:39:11 +02:00
Jakub Onderka 67a9d612d5 fix: [security] ACL check when adding or removing tags 2020-08-04 12:23:41 +02:00
Jakub Onderka db626cf741 fix: [security] Respect ACL when event edit 2020-08-04 12:21:42 +02:00
mokaddem 94aa68c8b4
chg: Bumped queryversion 2020-07-31 13:30:17 +02:00
mokaddem b3dbecb318
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0 2020-07-14 16:25:04 +02:00
iglocska bf4610c947
fix: [security] setting a favourite homepage was not CSRF protected
- a user could be lured into setting a MISP home-page outside of the MISP baseurl
- switched the endpoint to be CSRF protection enabled

- as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>
2020-07-13 12:19:11 +02:00
mokaddem f3a9481c61
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0 2020-07-01 16:22:55 +02:00
Raphaël Vinot 688585b323 chg: [PyMISP] Bump 2020-06-22 14:34:49 +02:00
Raphaël Vinot 5a512063a3 chg: [PyMISP] Bump 2020-06-16 14:30:23 +02:00
mokaddem 5c04b9a8c1
Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0 2020-05-28 14:06:30 +02:00
Jakub Onderka 8c13330712 fix: [internal] Check if user is logged in before checking if he is site admin 2020-05-19 17:11:39 +02:00
Jakub Onderka df1ed1badf fix: [internal] Set notifications count and loggedInUserName just for logged users 2020-05-19 17:10:53 +02:00
Raphaël Vinot b8f0574f71 chg: Bump PyMISP 2020-05-18 12:38:25 +02:00
iglocska c8e9fa1c76
chg: [roles] allow the creation of site admin enabled roles without auth access 2020-05-06 14:53:11 +02:00
iglocska f278407e91
chg: [VERSION] bump 2020-04-30 11:50:22 +02:00
iglocska e9c00cb1b4
fix: [otp] pre-auth action list only expanded if otp is enabled 2020-04-29 15:55:22 +02:00
iglocska 6ec8391e46
Merge branch '5726' into 2.4 2020-04-29 15:50:01 +02:00
Andras Iklody f30959f274
Merge pull request #5561 from JakubOnderka/is_rest_cache
chg: [internal] Cache result of AppController::_isRest method
2020-04-28 15:46:24 +02:00
iglocska 03c866fe4e
fix: [registrations] Users can now register using the API without a valid key, affects #5783 2020-04-24 11:39:59 +02:00
iglocska 45e42ca84f
new: [privacy] filter added for the authkeys in the admin section to make giving trainings easier 2020-04-21 08:09:26 +02:00
Golbark 93ba84fd02 Hook into native authentication flow instead of beforefilter
which prevents any after-auth bypass and rely on framework
session management.
2020-04-20 12:24:47 +02:00
Golbark 3436bc6ae5 Merge branch '2.4' into email-otp-implementation
Conflicts:
	app/Model/Server.php
2020-04-20 12:16:25 +02:00
iglocska 078bf123a1
chg: [ACL] added the feed data reload 2020-04-17 14:23:34 +02:00
iglocska 10ab82f830
new: [UI Helper] DataPathCollector helper added
- helps the index factory fields retrieve data from the currently processed object based on a set of paths
2020-04-17 14:13:15 +02:00
iglocska 3fa5c3f370
fix: [database] added missing file 2020-04-14 15:17:15 +02:00
mokaddem dd1be03597
Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0 2020-04-09 14:26:48 +02:00
iglocska 4ebc0a7988
new: [inbox] system added
- user self-registration is the first use-case
- if the feature is enabled, users can, unauthenticated, send a registration request to MISP
  - request includes information on desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, admins can inspect the registration requests
  - they can accept/discard them individually or en masse
  - users will be notified of their credentials automatically
  - quick user creation if the user asks for an org that doesn't exist yet
2020-04-07 13:21:01 +02:00
Golbark d254d04365 Rely on session_id instead of user_id and address minor comments 2020-03-26 02:55:14 -07:00
Golbark 309bbc6814 new: usr: Implementation of email-based OTP 2020-03-25 07:45:09 -07:00
iglocska d7e3674987
new: [audit] Added user monitoring
- site admins can set the monitoring flag on a user if the feature is enabled on the instance
- monitored users will have all requests logged along with POST bodies

- keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation
2020-03-25 11:49:33 +01:00
mokaddem 04dcdebb1f
new: [galaxyCluster] Initial import of Galaxy2.0 codebase - WiP 2020-03-12 10:26:09 +01:00
Raphaël Vinot 8beec4e383 chg: Bump PyMISP 2020-03-10 14:31:31 +01:00
iglocska f1faa7845f
fix: [dashboard] grid scope fix 2020-03-10 11:34:30 +01:00
mokaddem 431ccc6a04
chg: [response header] Added `X-XSS-Protection` header
- As reported by an external pentest company on behalf of the Centre for Cyber Security Belgium (CCB)
2020-03-06 16:06:35 +01:00
iglocska a40c227ca4
chg: [querystring] bumped 2020-03-02 23:14:55 +01:00
iglocska 0d4df7c98b
new: [Dashboard] system
- Dashboard
  - modular similar to restSearch
  - build your own widgets
  - use a set of visualisation options (more coming!)
  - full access to internal functions for queries
  - auto discover core and 3rd party widgets
  - rearrange / configure widgets for each user individually
  - rearrange / resize widgets
  - settings can be configured by a site-admin on behalf of others
  - modules have a self-explain mode to guide users
  - caching mechanism for the modules / org

- set homepage / user
- various other fixes
2020-03-01 18:05:21 +01:00
iglocska 4bfcc3211b
new: [API] object level restSearch added
still WiP
2020-02-29 08:57:32 +01:00
iglocska 08e0e9d16d
chg: [version] bump 2020-02-26 16:13:12 +01:00
iglocska c310b30177
fix: [custom auth] correctly use HTTP_ as the default header namespace 2020-02-23 19:13:48 +01:00
iglocska 363d0cd69a
new: [logging] Log user IPs on login
- feature is optional and needs to be enabled in the server settings
- on successful login logs the associated user ID for a given IP (30 day retention)
- also logs the IP for the associated user ID (indefinite retention)
- added two command line tools to query
  - Get IPs For User ID: MISP/app/Console/cake Admin UserIP [user_id]
  - Get User ID For User IP: MISP/app/Console/cake Admin IPUser [ip]
2020-02-20 16:07:10 +01:00
iglocska 88894fc2e5
chg: [version] bump 2020-02-10 16:22:03 +01:00
Jakub Onderka cdf578be4a
fix: [internal] Remove unused line 2020-02-07 17:57:59 +01:00
Raphaël Vinot 6f2005ff60 chg: Bump PyMISP 2020-02-06 10:54:17 +01:00
Jakub Onderka 110eabb08d chg: [internal] Cache result of AppController::_isRest method 2020-01-27 22:02:08 +01:00
Jakub Onderka a3c07277c4 fix: Proper logout when `CustomAuth_custom_logout` is set 2020-01-23 16:46:02 +01:00
mokaddem 60143aba44
chg: [timeline:display_threshold] Increased display threshold 2020-01-20 15:48:26 +01:00
iglocska 3792e4032c
fix: [update] fixed an issue blocking the updates from executing
- invalid check for the admin role - too early to check for _isSiteAdmin() at that point
2020-01-20 12:57:12 +01:00
iglocska 8ca5bfd25a
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-01-20 11:57:28 +01:00
iglocska 2ac7ea62da
fix: [internal] upgrade issues fixed 2020-01-20 11:56:50 +01:00
mokaddem 6dc79425dd
chg: [queryVersion] Bumped version 2020-01-20 10:39:50 +01:00
iglocska a577c69118
chg: [versions] requirements for languages changed 2020-01-17 15:14:53 +01:00
Richard van den Berg f79f90a1e4 Return STIX in JSON format when Accept header asks for it 2020-01-06 17:13:49 +01:00
mokaddem 9d77a5b3f9
chg: bumped queryversion 2019-12-04 12:15:56 +01:00
iglocska 8d14250cbf
chg: [VERSION] bump 2019-12-02 09:56:42 +01:00
Raphaël Vinot 183dee34f0 chg: Bump PyMISP 2019-12-02 09:44:15 +01:00
iglocska 1c5afa49ed
new: [refactor] Massive internal refactor and cleanup of deprecated APIs
- new centralised restSearch function in AppController as entry point via all controllers
- new component handling restSearch related support functions, such as parameter mapping
- hollowed out all deprecated export functions on the event/attribute controller
  - replaced with a new functionality that remaps them to restSearch
  - all functionality should be maintained with all additional advantages introduced with restsearch
- additional cleanup (some unused functions removed)
2019-11-29 10:11:30 +01:00
iglocska 26459f1b63
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2019-11-26 19:04:34 +01:00
iglocska e7173e2ee4
new: [legacy] handler added for Legacy APIs
- allows for a remap of the parameters and subsequent calls to modern functions
2019-11-26 19:01:22 +01:00
iglocska 9e74259bdb
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2019-11-26 17:11:56 +01:00
iglocska cbbe2b3a30
chg: [CSRF] disable CSRF if you absolutely feel like setting yourself up for failure 2019-11-26 17:11:33 +01:00
iglocska a1dcfb1931
new: [deprecation] Added a new library to handle deprecations
- send X-Deprecation-Warning via the API
- set new Warning flash messages via the UI
- counting the use of these functionalities / API endpoint and / user
  - added a diagnostic tool to view the outcome of the collection
  - sharing of these collections with the MISP-Project will be optionally available in the future

- two modes of operation:
  - hard deprecation (functions certainly to be removed, reported to the users via API/UI)
  - soft deprecation (gauging interest for the continued use of these functions)
2019-11-20 15:30:06 +01:00
iglocska 0c15043cfa
new: [sync] view remote user tool added to the server index
- should help with debugging what user is being used
2019-11-13 19:09:37 +01:00