MISP/MISP - MISP - Open Cloud Git

Commit Graph

Author	SHA1	Message	Date
Jakub Onderka	640e9492d7	new: [security] Put information about key expiration into response header	2020-12-17 13:50:25 +01:00
Jakub Onderka	8df77748b0	chg: [internal] Small optimisations	2020-12-17 13:50:25 +01:00
Jakub Onderka	d92123c915	fix: [security] Do not allow to use API key authenticated session to do non API calls	2020-12-17 13:50:25 +01:00
Jakub Onderka	9896f67358	new: [security] New setting Security.username_in_response_header	2020-12-17 13:50:25 +01:00
Jakub Onderka	feab5f553b	chg: [interna] AppController code cleanup	2020-12-17 13:50:23 +01:00
Jakub Onderka	4c6ffc6985	chg: [internal] Rename MISP.log_user_ips_auth -> MISP.log_user_ips_authkeys	2020-12-17 13:49:32 +01:00
Jakub Onderka	8662a7efaf	chg: [internal] Move access monitoring to own method	2020-12-17 13:49:32 +01:00
Jakub Onderka	ee8a495d89	new: [internal] Show auth key usage in key view page	2020-12-17 13:49:32 +01:00
Jakub Onderka	c6bf9de3ca	fix: [internal] Remove unused variables	2020-12-17 13:49:32 +01:00
Jakub Onderka	6821556000	chg: [internal] Allow to reuse session for API requests	2020-12-17 13:49:32 +01:00
Jakub Onderka	e5e855b3c2	new: [internal] Allow to log authkey usage in Redis	2020-12-17 13:49:32 +01:00
Jakub Onderka	6ce13b8168	chg: [internal] Do not log full authkeys	2020-12-17 13:49:32 +01:00
Jakub Onderka	a0fb186a3c	chg: [internal] Simplify User::describeAuthFields	2020-12-17 13:49:32 +01:00
Jakub Onderka	d0ec184796	fix: [internal] Remove unused $user siteadmin variable	2020-12-17 13:49:32 +01:00
Jakub Onderka	49b85ed33c	chg: [internal] Load just necessary info when loading homepage info	2020-12-17 13:49:32 +01:00
Jakub Onderka	18402c0489	chg: [internal] Load user role info from session data	2020-12-17 13:49:32 +01:00
Jakub Onderka	7f0d06ae4d	chg: [internal] Move user checks to one place	2020-12-17 13:49:32 +01:00
Jakub Onderka	becbf95c37	new: [UI] Download GPG public key from GPG homedir	2020-12-17 13:19:55 +01:00
iglocska	a332e1379c	Merge branch '2.4' into cerebrate	2020-11-30 23:49:40 +01:00
iglocska	320191bbd8	chg: [querystring] bump	2020-11-30 23:46:37 +01:00
Jakub Onderka	2c7d6e4466	new: [auth] Allow to enforce auth plugin authentication	2020-11-30 14:46:36 +01:00
Jakub Onderka	165da72fdf	fix: [internal] Remove unused method from AppController	2020-11-27 09:01:35 +01:00
Jakub Onderka	e15ca97f33	Merge pull request #6081 from JakubOnderka/security_disable_browser_cache new: [security] HTTP headers hardening	2020-11-24 21:00:02 +01:00
Raphaël Vinot	7dab02b1e5	chg: [PyMISP] Bump version	2020-11-23 10:07:11 +01:00
mokaddem	e45174f83c	fix: [appController] Prevent notice for `perm_galaxy_editor` if update is still running	2020-11-19 17:35:30 +01:00
mokaddem	89f307bd07	Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0	2020-11-18 09:22:40 +01:00
Jakub Onderka	12f84b0d69	Merge pull request #6587 from JakubOnderka/authkey-view Authkey view permission fix	2020-11-17 21:25:38 +01:00
mokaddem	9db29821b4	Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0	2020-11-16 16:11:17 +01:00
Jakub Onderka	c51cd36ac3	fix: [internal] Destroy session just when session is started	2020-11-16 14:58:12 +01:00
Jakub Onderka	000706251b	fix: [security] Proper check who can view new authkeys	2020-11-15 18:04:34 +01:00
mokaddem	dc65c79130	Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0	2020-11-13 16:26:35 +01:00
mokaddem	1879bc05b7	Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0	2020-11-12 09:05:12 +01:00
iglocska	dbffebe503	Merge branch '2.4' into CRUD	2020-11-11 11:19:23 +01:00
mokaddem	17c793d10f	chg: Bumped queryversion	2020-11-10 13:31:43 +01:00
mokaddem	150b4cb7d1	Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0	2020-11-09 10:07:43 +01:00
mokaddem	37072e309f	chg: Bumped queryversion	2020-11-09 09:03:55 +01:00
Jakub Onderka	5d6c1abe3c	Merge pull request #6519 from JakubOnderka/update-login-times fix: [internal] Properly set login time for custom auth	2020-11-07 09:58:54 +01:00
mokaddem	1bf5c599f2	chg: bumped queryversion	2020-11-06 16:36:34 +01:00
iglocska	158036f525	chg: [version] bump	2020-11-02 13:56:08 +01:00
Raphaël Vinot	3b6017a5ed	chg: [PyMISP] Bump version	2020-11-02 10:55:59 +01:00
mokaddem	0971e50752	chg: Bumped queryversion	2020-10-29 19:26:57 +01:00
Jakub Onderka	5a4ba9cbc1	fix: [internal] Properly set login times for custom auth	2020-10-29 17:53:11 +01:00
iglocska	62bbc95472	Merge branch '2.4' into CRUD	2020-10-20 02:01:21 +02:00
iglocska	68f2425af1	chg: [authkey] system tied into authentication	2020-10-20 01:48:16 +02:00
Jakub Onderka	63ae5c16e0	new: [security] New setting to check `Sec-Fetch-Site` header	2020-10-19 19:24:09 +02:00
Jakub Onderka	1993f2235c	chg: [internal] Do not load notifications for ajax requests	2020-10-19 17:28:52 +02:00
Jakub Onderka	5e12063620	new: [security] Add new `Security.disable_browser_cache` option to disable saving data to browser cache	2020-10-18 18:53:57 +02:00
Raphaël Vinot	e14192ccf6	Merge branch '2.4' of github.com:MISP/MISP into 2.4	2020-10-16 13:18:16 +02:00
Raphaël Vinot	5527c24d92	chg: Bump PyMISP	2020-10-16 13:17:04 +02:00
Jakub Onderka	0e80b9f498	fix: [freetext] Do not load event page twice when saving freetext	2020-10-11 12:36:00 +02:00
mokaddem	40b3259b7a	fix: [decayingModelSimulation] Correctly extract part of atomic tags	2020-10-06 14:18:05 +02:00
Jakub Onderka	3be0ab9169	chg: [internal] Use ACLComponent for menu item permission	2020-10-03 16:12:44 +02:00
mokaddem	6bcde44950	chg: bumped queryversion	2020-09-28 10:32:14 +02:00
mokaddem	eb84b3344f	Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0	2020-09-22 12:08:12 +02:00
mokaddem	1287b18106	chg: [queryversion] Bumped	2020-09-15 14:07:41 +02:00
Raphaël Vinot	1684478091	chg: [PyMISP] Bump version	2020-09-08 12:47:30 +02:00
Sami Mokaddem	775514ccf8	chg: Bumped queryversion	2020-09-03 16:41:26 +02:00
Golbark	3fb47d1cce	chg: [internal] Using blocklist instead of blacklist	2020-09-01 16:27:36 +02:00
iglocska	704378c919	fix: [JS] broken URLs due to the baseurl refactor - no need to prepend URLs taken from the forms themselves directly.	2020-08-24 17:20:57 +02:00
iglocska	242d25d5e4	chg: [API] GET requests on restsearch with no parameters are no longer allowed. - warn the user of the use of GET queries with posted JSON bodies	2020-08-24 09:04:30 +02:00
Raphaël Vinot	db55589512	chg: [PyMISP] Bump tag	2020-08-20 13:04:44 +02:00
Jakub Onderka	b6116098c0	fix: [security] Throw exception if invalid data provided	2020-08-05 12:39:11 +02:00
Jakub Onderka	67a9d612d5	fix: [security] ACL check when adding or removing tags	2020-08-04 12:23:41 +02:00
Jakub Onderka	db626cf741	fix: [security] Respect ACL when event edit	2020-08-04 12:21:42 +02:00
mokaddem	94aa68c8b4	chg: Bumped queryversion	2020-07-31 13:30:17 +02:00
mokaddem	b3dbecb318	Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0	2020-07-14 16:25:04 +02:00
iglocska	bf4610c947	fix: [security] setting a favourite homepage was not CSRF protected - a user could be lured into setting a MISP home-page outside of the MISP baseurl - switched the endpoint to be CSRF protection enabled - as discovered by Mislav Božičević <mislav.bozicevic@nn.cz>	2020-07-13 12:19:11 +02:00
mokaddem	f3a9481c61	Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0	2020-07-01 16:22:55 +02:00
Raphaël Vinot	688585b323	chg: [PyMISP] Bump	2020-06-22 14:34:49 +02:00
Raphaël Vinot	5a512063a3	chg: [PyMISP] Bump	2020-06-16 14:30:23 +02:00
mokaddem	5c04b9a8c1	Merge remote-tracking branch 'origin/2.4' into galaxy-cluster2.0	2020-05-28 14:06:30 +02:00
Jakub Onderka	8c13330712	fix: [internal] Check if user is logged before checking if he is site admin	2020-05-19 17:11:39 +02:00
Jakub Onderka	df1ed1badf	fix: [internal] Set notifications count and loggedInUserName just for logged users	2020-05-19 17:10:53 +02:00
Raphaël Vinot	b8f0574f71	chg: Bump PyMISP	2020-05-18 12:38:25 +02:00
iglocska	c8e9fa1c76	chg: [roles] allow the creation site admin enabled roles without auth access	2020-05-06 14:53:11 +02:00
iglocska	f278407e91	chg: [VERSION] bump	2020-04-30 11:50:22 +02:00
iglocska	e9c00cb1b4	fix: [otp] pre-auth action list only expanded if otp is enabled	2020-04-29 15:55:22 +02:00
iglocska	6ec8391e46	Merge branch '5726' into 2.4	2020-04-29 15:50:01 +02:00
Andras Iklody	f30959f274	Merge pull request #5561 from JakubOnderka/is_rest_cache chg: [internal] Cache result of AppController::_isRest method	2020-04-28 15:46:24 +02:00
iglocska	03c866fe4e	fix: [registrations] Users can now register using the API without a valid key, affects #5783	2020-04-24 11:39:59 +02:00
iglocska	45e42ca84f	new: [privacy] filter added for the authkeys in the admin section to make giving trainings easier	2020-04-21 08:09:26 +02:00
Golbark	93ba84fd02	Hook into native authentication flow instead of beforefilter which prevents any after-auth bypass and rely on framework session management.	2020-04-20 12:24:47 +02:00
Golbark	3436bc6ae5	Merge branch '2.4' into email-otp-implementation Conflicts: app/Model/Server.php	2020-04-20 12:16:25 +02:00
iglocska	078bf123a1	chg: [ACL] added the feed data reload	2020-04-17 14:23:34 +02:00
iglocska	10ab82f830	new: [UI Helper] DataPathCollector helper added - helps the index factory fields retrieve data from the currently processed object based on a set of paths	2020-04-17 14:13:15 +02:00
iglocska	3fa5c3f370	fix: [database] added missing file	2020-04-14 15:17:15 +02:00
mokaddem	dd1be03597	Merge branch '2.4' of github.com:MISP/MISP into galaxy-cluster2.0	2020-04-09 14:26:48 +02:00
iglocska	4ebc0a7988	new: [inbox] system added - user self-registration is the first use-case - if the feature is enabled, users can unauthenticated send a registration request to MISP - request includes information on desired org and some privileges (sync / org admin / publisher) - requests land in the inbox, admins can inspect the registration requests - they can accept/discard them individually or en masse - users will be notified of their credentials automatically - quick user creation if the user asks for an org that doesn't exist yet	2020-04-07 13:21:01 +02:00
Golbark	d254d04365	Rely on session_id instead of user_id and address minor comments	2020-03-26 02:55:14 -07:00
Golbark	309bbc6814	new: usr: Implementation of email-based OTP	2020-03-25 07:45:09 -07:00
iglocska	d7e3674987	new: [audit] Added user monitoring - site admins can set the monitoring flag on a user if the feature is enabled on the instance - monitored users will have all requests logged along with POST bodies - keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation	2020-03-25 11:49:33 +01:00
mokaddem	04dcdebb1f	new: [galaxyCluster] Initial import of Galaxy2.0 codebase - WiP	2020-03-12 10:26:09 +01:00
Raphaël Vinot	8beec4e383	chg: Bump PyMISP	2020-03-10 14:31:31 +01:00
iglocska	f1faa7845f	fix: [dashboard] grid scope fix	2020-03-10 11:34:30 +01:00
mokaddem	431ccc6a04	chg: [response header] Added `X-XSS-Protection` header - As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)	2020-03-06 16:06:35 +01:00
iglocska	a40c227ca4	chg: [querystring] bumped	2020-03-02 23:14:55 +01:00
iglocska	0d4df7c98b	new: [Dashboard] system - Dashboard - modular similar to restSearch - build your own widgets - use a set of visualisation options (more coming!) - full access to internal functions for queries - auto discover core and 3rd party widgets - rearrange / configure widgets for each user individually - rearrange / resize widgets - settings can be configured by a site-admin on behalf of others - modules have a self-explain mode to guide users - caching mechanism for the modules / org - set homepage / user - various other fixes	2020-03-01 18:05:21 +01:00
iglocska	4bfcc3211b	new: [API] object level restSearch added still WiP	2020-02-29 08:57:32 +01:00
iglocska	08e0e9d16d	chg: [version] bump	2020-02-26 16:13:12 +01:00
iglocska	c310b30177	fix: [custom auth] correctly use HTTP_ as the default header namespace	2020-02-23 19:13:48 +01:00

1 2 3 4 5 ...

692 Commits (a61caa3a6a541e6f9761ae99c033c7457050bc0b)