Commit Graph

517 Commits (a7905b40cededa7fb54e2c735b8196c9aae03f94)

Author SHA1 Message Date
iglocska dbffebe503
Merge branch '2.4' into CRUD 2020-11-11 11:19:23 +01:00
iglocska 5b256405c0
new: [advanced authkey] system 2020-11-11 10:46:38 +01:00
Jakub Onderka 5a4ba9cbc1 fix: [internal] Properly set login times for custom auth 2020-10-29 17:53:11 +01:00
iglocska 0b6da917d4
new: [advanced authkey] API key copy to the new system added to diagnostics 2020-10-20 08:35:21 +02:00
iglocska 62bbc95472
Merge branch '2.4' into CRUD 2020-10-20 02:01:21 +02:00
iglocska 617db7a337
chg: [user] admin view now loads advanced authkeys when appropriate 2020-10-20 01:48:51 +02:00
Jakub Onderka 461318de19 fix: [UI] Show warning if notification when creating new user could not be sent 2020-10-13 12:28:20 +02:00
Golbark 3fb47d1cce chg: [internal] Using blocklist instead of blacklist 2020-09-01 16:27:36 +02:00
Jakub Onderka 3005ef8f6e fix: [otp] Allow sending encrypted OTP by mail 2020-08-20 19:58:24 +02:00
mokaddem fdade41e5e
chg: [users:acceptRegistration] Displays an error message if save failed
Fix #6134
2020-07-30 09:00:46 +02:00
mokaddem 6321e02e34
chg: [users:register] Use the trimmed data instead 2020-06-29 10:18:20 +02:00
mokaddem 89adde7e0b
fix: [user:registration] Report field validations to the user. Fix #6072
and #6073
2020-06-29 10:12:22 +02:00
mokaddem 41506cc7e7
fix: [users:change_pw] Return error message when trying to use the same
password. Fix #5961
2020-06-03 15:05:09 +02:00
Jakub Onderka 77e34ba41c
fix: [UI] Do not show Good-Bye when using custom logout
Because without this patch, Good-Bye is shown when a user successfully logs in.
2020-05-21 17:10:28 +02:00
iglocska cd7d01306d
fix: [registration] acceptRegistration now accepts non User wrapped input 2020-05-06 21:40:04 +02:00
iglocska 9c52ed095a
fix: [users] accepting registration requests can throw a badly mapped exception
- changed to 400
2020-05-06 13:46:04 +02:00
iglocska d996b4093d
fix: [registrations] multi-delete fixed 2020-05-06 11:13:56 +02:00
iglocska f9cbe42aa8
new: [statistics] added contributing org count 2020-04-30 16:05:15 +02:00
iglocska 6ec8391e46
Merge branch '5726' into 2.4 2020-04-29 15:50:01 +02:00
iglocska a922bfa6f5
chg: [otp] minor changes
- i18n
- function naming convention
2020-04-29 15:49:15 +02:00
Jakub Onderka 79517ab430
fix: Correct flash message when sending e-mail 2020-04-25 23:06:10 +02:00
mokaddem e5c49e636c
chg: [users:registrations] Catch if no org_id was provided 2020-04-24 12:02:43 +02:00
mokaddem 6bff239740
chg: [user:registration] Added audit log 2020-04-22 10:04:07 +02:00
mokaddem 46a940acb8
chg: [user:acceptRegistration] Added fail message 2020-04-22 09:44:13 +02:00
mokaddem 56f69fb2ea
chg: [user:acceptRegistration] Default to instance's default role if
role_id not passed
2020-04-22 09:41:13 +02:00
mokaddem 47be5e75fe
chg: [user:registration] Accept/Discard registration accept UUID as
parameter
2020-04-22 09:19:27 +02:00
mokaddem 86238031cf
fix: [user:registration] Default undefined message to empty string 2020-04-22 08:51:15 +02:00
Golbark 93ba84fd02 Hook into native authentication flow instead of beforefilter,
which prevents any after-auth bypass and relies on framework
session management.
2020-04-20 12:24:47 +02:00
Golbark 3436bc6ae5 Merge branch '2.4' into email-otp-implementation
Conflicts:
	app/Model/Server.php
2020-04-20 12:16:25 +02:00
iglocska 48cbfd7536
new: [registration] fall back to the e-mail domain if no org info is provided
- also, make the org info optional
2020-04-07 22:46:35 +02:00
iglocska 70e1772bb0
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-04-07 22:21:37 +02:00
iglocska 78c1357593
fix: [user registration] reverted bug introduced in previous commit restricting the org choice to the suggested org if there was a match 2020-04-07 22:20:56 +02:00
mokaddem b3c114a13a
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-04-07 14:58:15 +02:00
mokaddem f7b5eb9628
fix: [user:email] Replaced query parameters with cake's named parameters.
Hopefully fix #5745
2020-04-07 14:56:26 +02:00
iglocska 1b65bfb843
fix: [user registration] minor bug fixes 2020-04-07 14:47:25 +02:00
iglocska 3241e95730
fix: [user registration] automatically convert selected orgs to local as described in the tool 2020-04-07 14:27:21 +02:00
iglocska ad4074c1d6
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-04-07 13:23:25 +02:00
iglocska 4ebc0a7988
new: [inbox] system added
- user self-registration is the first use-case
- if the feature is enabled, unauthenticated users can send a registration request to MISP
  - request includes information on desired org and some privileges (sync / org admin / publisher)
- requests land in the inbox, admins can inspect the registration requests
  - they can accept/discard them individually or en masse
  - users will be notified of their credentials automatically
  - quick user creation if the user asks for an org that doesn't exist yet
2020-04-07 13:21:01 +02:00
iglocska 83328f4e4c
chg: [publish alert] default added to user creation via the API 2020-03-29 08:56:55 +02:00
Golbark 9062881469 Add consistent i18n support for all strings. 2020-03-26 07:18:22 -07:00
Golbark d254d04365 Rely on session_id instead of user_id and address minor comments 2020-03-26 02:55:14 -07:00
Golbark 309bbc6814 new: usr: Implementation of email-based OTP 2020-03-25 07:45:09 -07:00
iglocska d7e3674987
new: [audit] Added user monitoring
- site admins can set the monitoring flag on a user if the feature is enabled on the instance
- monitored users will have all requests logged along with POST bodies

- keep in mind this functionality is quite heavy and intrusive - so use it with care. The idea is that this allows us to track potentially malicious users during an investigation
2020-03-25 11:49:33 +01:00
iglocska e5d775e9c8
fix: [message] user creation shouldn't include the "User notified of new credentials" part of the notification message if emailing is disabled 2020-03-19 11:08:09 +01:00
mokaddem f6c06d8e6b
fix: [user:login] Added support of `RFC822` for older PHP version 2020-03-11 10:48:52 +01:00
mokaddem 2ccf3dab76
fix: [user:resetAuthkey] Allows the function to be called 2020-03-09 09:02:06 +01:00
mokaddem 6fad7028b3
fix: [user:edit] Prevent password change with the current password
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
2020-03-06 16:19:12 +01:00
mokaddem 40560b8873
fix: [user:edit] Correctly re-insert form data wiping password
information
2020-03-06 16:17:28 +01:00
mokaddem fc0ed4c9a0
chg: [login] Display last time the user logged in 2020-03-06 16:12:40 +01:00
mokaddem de80d340cf
fix: [user:resetauthkey] Method can only be accessed via POST request
- As reported by an external pentest company on behalf of the Centre for Cyber security Belgium (CCB)
2020-03-06 15:58:08 +01:00
iglocska 612897d26f
chg: [cleanup] removed old dashboard 2020-03-02 23:05:08 +01:00
iglocska 0d4df7c98b
new: [Dashboard] system
- Dashboard
  - modular similar to restSearch
  - build your own widgets
  - use a set of visualisation options (more coming!)
  - full access to internal functions for queries
  - auto discover core and 3rd party widgets
  - rearrange / configure widgets for each user individually
  - rearrange / resize widgets
  - settings can be configured by a site-admin on behalf of others
  - modules have a self-explain mode to guide users
  - caching mechanism for the modules / org

- set homepage / user
- various other fixes
2020-03-01 18:05:21 +01:00
iglocska 8803f47a9e
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2020-02-10 14:33:39 +01:00
iglocska 934c828192
fix: [security] Further fixes to the bruteforce handling
- resolved a potential failure of the subsystem when the MySQL and the webserver time settings have diverged
  - as reported by Dawid Czarnecki
- several tightenings of the checks to avoid potential foul play
2020-02-10 11:41:54 +01:00
mokaddem 6e66256f7a
Merge branch '2.4' of github.com:MISP/MISP into pr-5210 2020-02-10 11:09:14 +01:00
Andras Iklody 91a045c13f
Merge pull request #5208 from JakubOnderka/patch-34
Simplify user profile logging
2019-12-11 19:28:32 +01:00
iglocska ff333ccb85
fix: [internal] fixed the hacky removal of passwords on returned user objects for /users/edit
- this commit gets 1*
2019-11-29 16:12:33 +01:00
iglocska ca484ae1dc
fix: [API] /users/edit modifications
- remove sanitised password when directly posting back a user object
- more graceful error handling if something goes critically wrong
2019-11-29 12:40:18 +01:00
iglocska be4034d7a2
fix: [user API] users/edit now avoids having to set confirm_password when setting a password via the API 2019-11-29 12:16:27 +01:00
iglocska e6e28dfc27
fix: [API] Don't strip empty usersettings from users/view 2019-11-26 19:34:37 +01:00
iglocska 0c850c7cdb
fix: [API] users/edit fixed 2019-11-26 19:25:30 +01:00
iglocska dc1f9fcad9
fix: [internal] fixed weird user massage code
- I have no idea what I was thinking there...
2019-11-26 19:19:58 +01:00
iglocska 26459f1b63
Merge branch '2.4' of github.com:MISP/MISP into 2.4 2019-11-26 19:04:34 +01:00
iglocska 958731920c
chg: [API] users/edit refactor
- load only what is needed
- handle API requests in a cleaner way
2019-11-26 19:03:53 +01:00
Andras Iklody 76656e8ed4
Merge pull request #5404 from MISP/feature-OrgsStats
Added more Organisation statistics
2019-11-26 13:00:13 +01:00
iglocska 8438db4565
fix: [user view] server issues fixed 2019-11-20 16:17:18 +01:00
mokaddem 806f443764
new: [statistics] Added organisation activity over time 2019-11-16 15:40:02 -05:00
mokaddem a8b5da4be2
chg: [statistics] Added Attribute count 2019-11-16 13:12:37 -05:00
Jakub Onderka 688bab2778 chg: [internal] Simplify UserController::admin_edit 2019-10-11 20:35:27 +02:00
iglocska b44063e7d1
fix: [internal] missing org object for users/view 2019-10-10 15:13:34 +02:00
iglocska 15b10bbcf7
new: [user settings] Added restrictions for certain settings
- based on role permissions
- enforce the checks on set/delete
- add it to the UI elements
- /users/view /admin/users/view now include the user settings in a simplified format
2019-10-10 11:58:26 +02:00
mokaddem 8c4799fb99
chg: [user:me] Added `Role` object in the return value for the rest context 2019-10-07 16:35:22 +02:00
Jakub Onderka a9f6af9fcb chg: [user] GPG key fetching by server 2019-09-23 22:09:02 +02:00
Andras Iklody 6b42f089cd
Merge pull request #5129 from JakubOnderka/array-copy-remove
chg: [users] Remove unused method UsersController::arrayCopy
2019-09-10 11:32:30 +02:00
Jakub Onderka 1cd2ff5ca6 chg: [users] Remove unused method UsersController::arrayCopy 2019-09-09 23:37:37 +02:00
Jakub Onderka 50a0f564c6
fix: [audit] Correct title in audit log when admin edit user 2019-09-09 19:34:38 +02:00
iglocska 75acd63c46
fix: [security] Fix to a vulnerability related to the server index
- along with various support tools
- more information coming soon
2019-09-09 13:00:21 +02:00
iglocska 5916de9d5e
fix: [API] Fixed output of the attribute histogram
- no more STIX-ish barf inducing numeric string keys for dictionaries
2019-08-27 10:34:29 +02:00
iglocska 96475f59f6
fix: [admin] Invalid domain restriction check for site admins, fixes #5035 2019-08-22 10:41:30 +02:00
iglocska ed1e55b76b
fix: [API] Fixed an edge case when the attribute histogram throws a notice error
- no idea how to reproduce it, the organisation referenced in an event orgc_id not existing is a pre-condition

- fixes #4880
2019-07-29 16:28:42 +02:00
iglocska 64fafa1913
fix: [api fix] Deletes broken due to invalid boolean
- /facepalm
2019-07-10 13:55:33 +02:00
iglocska ed401d88be
fix: [API] delete http requests properly accepted by some /delete endpoints 2019-07-10 11:57:21 +02:00
mokaddem f850abcdaa fix: [galaxyMatrix] Handle case if deprecated galaxy does not exist 2019-06-12 14:12:06 +02:00
mokaddem 52ae153c0e Merge branch '2.4' of github.com:MISP/MISP into galaxyMatrixImprovements 2019-06-11 15:56:10 +02:00
mokaddem 11a4bdb959 chg: [restSearch:attack] Only expose attack return format to the `event`
scope
2019-06-11 15:50:51 +02:00
mokaddem acef3a0168 chg: [galaxyMatrix:stats] Only take into account occurrences of galaxy
once per event
2019-06-11 15:09:02 +02:00
mokaddem fed5556976 fix: [galaxyMatrix:export] Removed multiple bugs providing inconsistent
result
2019-06-11 14:13:17 +02:00
iglocska 36b43f1306
fix: [security] Org admins could reset credentials for site admins
- org admins have the inherent ability to reset passwords for all of their org's users
- this however could be abused if for some reason the host org of an instance would create org admins
  - the org admin could set a password manually for the site admin or simply use the API key of the site admin to impersonate them
- the potential for abuse is very circumstantial as it requires the host org to create lower privilege org admins instead of the usual site admins
- only org admins of the same organisation as the site admin could abuse this

- as reported by Raymond Schippers
2019-06-11 11:05:34 +02:00
mokaddem 4fafb1541c chg: [galaxyMatrix] Transformed query into cakephp model query 2019-05-15 11:55:22 +02:00
mokaddem 0c69e739cc new: [statistics:galaxyMatrix] Added filtering capabilities 2019-05-15 11:12:09 +02:00
mokaddem 4fbe857f90 chg: [galaxyMatrix] Added sorting by score. Fix #4608 2019-05-13 15:07:38 +02:00
mokaddem d3013a9252 fix: [stats:galaxyMatrix] No longer trim the end of the cluster name 2019-04-23 08:49:04 +02:00
iglocska 7a1dbe4c1f fix: [API] role_id is not required when POSTing users if a default role is set on the instance 2019-04-04 13:42:06 +02:00
4ekin c32d3bce32 fix: Fixed i18n strings in Controllers 2019-04-02 16:57:41 +03:00
mokaddem d60095112f Merge branch '2.4' of github.com:MISP/MISP into galaxyMatrixStat 2019-03-15 11:18:34 +01:00
iglocska 7b34e8cacb fix: [API] resetting the authkey didn't respond with the new key before, making automation difficult. 2019-03-12 22:03:34 +01:00
mokaddem 04798bf7e4 new: [galaxyMatrix] Added possibility to pick a galaxy to view its
statistics.
2019-03-12 15:36:00 +01:00
iglocska 66ad17a1ee new: [API] exposed change_pw function to the API, fixes #4256 2019-03-02 23:47:13 +01:00
mokaddem 1ed609872c chg: simplified condition 2 2019-02-15 15:04:07 +01:00
mokaddem 7a2010fb0e chg: [galaxy_matrix] TEMPORARY - Merge scores of both deprecated and mitre-attack
galaxy namespaces for the matrix view.

This commit aims to still have correct scores in the galaxy_matrix until the fixMitreTags function is live and running
2019-02-15 14:41:55 +01:00
mokaddem 12ed3457e8 chg: [galaxy_matrix] cleanup in variable names to be more generic 2019-02-15 09:24:52 +01:00
mokaddem a5653e86ea new: [matrix] Replaced the Att&ck matrix by a generic matrix viewer,
allowing custom matrix to be displayed.
Also added the external id to the chosen input.
2019-02-12 13:59:51 +01:00
mokaddem 431529c81c chg: [attackMatrix] UI: improved color scale - WiP 2019-02-11 17:54:29 +01:00
iglocska 9afd0d8600 fix: [redirect] Correctly redirect to the requested URL after a login, fixes #4005, fixes #1301 2019-01-28 17:02:04 +01:00
iglocska 2d0259ce13 fix: [CS] coding standards script re-run 2018-11-23 14:11:33 +01:00
mokaddem 2152493dd0 chg: [users/emails] Better comments 2018-11-09 13:42:28 +01:00
mokaddem 6bb31fbb1d chg: [users/email] Changed behavior of sending mail to avoid code duplication
If an additional parameter is passed to the url, it will only show the result of submitting the form without the submission
2018-11-09 13:38:52 +01:00
mokaddem 296128fe54 fix: [users/emails] submission fix + cleaned code + comments 2018-11-09 12:12:06 +01:00
mokaddem 651861d1d8 new: [users/mails] Added possibility to send a mail to all users of the same organisation 2018-11-09 11:48:39 +01:00
mokaddem 9b44050e1c new: [users/mails] add confirmation popup before sending mails 2018-11-09 11:23:32 +01:00
iglocska 333cafca76 chg: [statistics] Show % of users with pgp keys 2018-10-30 14:58:49 +01:00
iglocska 3bdcca617e new: [statistics] Added local org and user/org counts 2018-10-30 14:51:27 +01:00
iglocska c54538766e Merge branch '2.4' into feature/api_rework 2018-08-21 13:39:34 +02:00
iglocska 1eded5f3c7 fix: [statistics] Solve the issue with the unfiltered total counters in the user and org statistics 2018-08-21 13:37:47 +02:00
iglocska 12ac58f0e1 fix: [statistics] fixed an issue where the org statistics didn't correctly apply the local filters
- both local and external just showed the sum totals instead of the individual pools
2018-08-21 13:34:59 +02:00
iglocska f675fb8b29 Merge branch '2.4' into feature/api_rework 2018-08-17 14:49:09 +02:00
Sami Mokaddem 212c11290d fix: [usersStat] allow fetching json of statistics/users 2018-08-13 11:39:25 +00:00
Anthony Vaccaro 1b68005bbe Add a permission check to the change password page.
The 'MISP.disableUserSelfManagement' config variable is checked
when rendering the link to the change password page, but is not checked
when rendering the page itself. This could lead to unauthorised
password changes by users with existing accounts on the MISP
instance.
2018-08-13 15:55:51 +10:00
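The change-password page check in this commit and the org-admin credential reset fixed in 36b43f1306 above come down to one rule: authorization is enforced in the action handler, not by hiding a link. The following is an added example, not MISP's own code, showing that rule as a single decision function shared by the UI and the action, with the pre-fix shape beside it. The role flags, the `disable_user_self_management` setting (standing in for `MISP.disableUserSelfManagement`), the user records and the HTTP-style return codes are assumptions made for illustration.

```python
"""Server-side authorization for password changes and resets.

Added example, not MISP's own code. The role flags, the
`disable_user_self_management` setting and the sample users are constructed
for illustration. It encodes two rules: hiding a link is not a permission
check, so the action re-checks; and an org admin may reset users of their own
organisation but never a site admin.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    site_admin: bool = False
    org_admin: bool = False


@dataclass(frozen=True)
class Settings:
    disable_user_self_management: bool = False


def can_change_password(actor: User, target: User, settings: Settings) -> bool:
    """Single decision function shared by the UI and the action handler."""
    if actor.site_admin:
        return True
    if actor.id == target.id:
        # Self-service change: allowed unless the instance disabled it.
        return not settings.disable_user_self_management
    if actor.org_admin and actor.org_id == target.org_id:
        # Org admins manage their org's users, but a site admin who happens to
        # sit in the same org must not be resettable (credential takeover).
        return not target.site_admin
    return False


def render_change_pw_link(actor: User, settings: Settings) -> str:
    """What the menu shows. Cosmetic only: an attacker can type the URL."""
    if can_change_password(actor, actor, settings):
        return '<a href="/users/change_pw">Change password</a>'
    return ""


def change_password_vulnerable(actor: User, target: User, new_pw: str,
                               settings: Settings, store: Dict[int, str]) -> int:
    """The pre-fix shape: trusts that the link was hidden, never re-checks."""
    store[target.id] = new_pw
    return 200


def change_password(actor: User, target: User, new_pw: str,
                    settings: Settings, store: Dict[int, str]) -> int:
    """Hardened action: same decision function as the UI, refuses with 403."""
    if not can_change_password(actor, target, settings):
        return 403
    store[target.id] = new_pw          # stand-in for hashing and persisting
    return 200


def demo() -> Dict[str, int]:
    """Constructed scenarios; returns the status each action produced."""
    locked_down = Settings(disable_user_self_management=True)
    site_admin = User(id=1, org_id=1, site_admin=True)
    org_admin = User(id=2, org_id=1, org_admin=True)
    analyst = User(id=3, org_id=1)
    outsider = User(id=4, org_id=2)
    store: Dict[int, str] = {}
    return {
        "self_change_vulnerable": change_password_vulnerable(analyst, analyst, "x", locked_down, store),
        "self_change_fixed": change_password(analyst, analyst, "x", locked_down, store),
        "org_admin_resets_analyst": change_password(org_admin, analyst, "x", locked_down, store),
        "org_admin_resets_site_admin": change_password(org_admin, site_admin, "x", locked_down, store),
        "org_admin_resets_outsider": change_password(org_admin, outsider, "x", locked_down, store),
        "site_admin_resets_org_admin": change_password(site_admin, org_admin, "x", locked_down, store),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:30s} -> {status}")
```

The point of routing both `render_change_pw_link` and `change_password` through `can_change_password` is that a check which exists only at link-rendering time is bypassed by requesting the URL directly, which is exactly what the commit message describes.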
iglocska 0694263e15 Merge branch '2.4' into feature/api_rework 2018-08-09 16:51:20 +02:00
iglocska 4fa5834cbc new: [PGP] Added fingerprint to /users/verifyGPG 2018-08-06 17:00:15 +02:00
iglocska 34ba484b06 chg: [cleanup] Removed todos from userscontroller that have become irrelevant 2018-08-04 22:48:19 +02:00
iglocska a81894f14c chg: [CS] Changed to PSR-2
- to make contributions easier, adopted PSR-2
- used php-cs-fixer to rework the style
- *sniff sniff* Goodbye tab indentation
2018-07-19 11:48:22 +02:00
iglocska 71bb60a702 new: [Statistics] Added a new tab to the statistics showing the user/organisation additions over the past month/year 2018-07-13 12:08:29 +02:00
iglocska 6ffacc1e23 fix: [security] Brute force protection can be bypassed with a PUT request
- fixes an issue where brute forcing the login would work by using PUT requests
- as reported by Silver Saks from CCDCOE
2018-06-21 15:48:32 +02:00
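The PUT bypass fixed in this commit and the clock-divergence failure fixed in 934c828192 above share a pattern: a login throttle has to count failures for every method that can carry credentials, and both the write and the check of the lockout window must read the same clock. The following is an added example, not MISP's own code, of a throttle written that way, with the old method-specific behaviour selectable so the bypass can be reproduced side by side. The 5-attempt / 15-minute policy, the `LOGIN_METHODS` set, the fake clock and the simulated attacker are constructed for illustration.

```python
"""Login brute-force throttle that counts failed attempts for every HTTP
method that can carry credentials, and reads one injected clock for both
recording and checking, so a database clock that disagrees with the web
server's cannot silently disable the lockout.

Added example, not MISP's own code: the 5-attempts / 15-minute policy, the
LOGIN_METHODS set and the simulated attacker are constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple

# Any method a client can put a username/password into; a throttle that only
# looks at POST lets an attacker brute-force through PUT.
LOGIN_METHODS = {"POST", "PUT", "PATCH"}


class LoginThrottle:
    def __init__(self, clock: Callable[[], float], max_attempts: int = 5,
                 window_seconds: int = 900, count_only_post: bool = False):
        self._clock = clock              # single time source for writes AND reads
        self._max = max_attempts
        self._window = window_seconds
        self._count_only_post = count_only_post   # True reproduces the old bug
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _recent_failures(self, key: Tuple[str, str]) -> Deque[float]:
        now = self._clock()
        q = self._failures[key]
        while q and now - q[0] > self._window:
            q.popleft()                  # expire entries outside the window
        return q

    def is_locked(self, ip: str, username: str) -> bool:
        return len(self._recent_failures((ip, username.lower()))) >= self._max

    def record_failure(self, ip: str, username: str, method: str) -> None:
        if self._count_only_post and method != "POST":
            return                       # vulnerable behaviour: PUT never counts
        self._failures[(ip, username.lower())].append(self._clock())

    def attempt_login(self, ip: str, username: str, password: str, method: str,
                      check_credentials: Callable[[str, str], bool]) -> str:
        if method not in LOGIN_METHODS:
            return "method_not_allowed"
        if self.is_locked(ip, username):
            return "locked"              # checked before credentials, for every method
        if check_credentials(username, password):
            self._failures.pop((ip, username.lower()), None)
            return "ok"
        self.record_failure(ip, username, method)
        return "denied"


class FakeClock:
    """Deterministic clock so the simulation below is reproducible."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def simulate(count_only_post: bool) -> List[str]:
    """Six wrong PUT guesses, then the correct password over POST.

    Returns the list of outcomes; with count_only_post=True the final correct
    guess succeeds (the bypass), with False the account is already locked.
    """
    clock = FakeClock()
    throttle = LoginThrottle(clock, count_only_post=count_only_post)

    def creds(user: str, pw: str) -> bool:   # constructed credential store
        return (user, pw) == ("admin@example.test", "correct horse")

    outcomes: List[str] = []
    for i in range(6):
        clock.now += 1.0
        outcomes.append(throttle.attempt_login("203.0.113.9", "admin@example.test",
                                               f"guess{i}", "PUT", creds))
    clock.now += 1.0
    outcomes.append(throttle.attempt_login("203.0.113.9", "admin@example.test",
                                           "correct horse", "POST", creds))
    return outcomes


if __name__ == "__main__":
    print("vulnerable:", simulate(True))
    print("fixed:     ", simulate(False))
```

Injecting the clock is what guards against the second issue: if the lockout timestamps were written with the database server's `NOW()` and compared against the web server's time, a skew larger than the window would either expire every failure immediately or never expire any, and the throttle would fail open or closed without any error.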
iglocska 87c152d9f3 fix: Use common code-path for user init via the login page and the CLI
- also, be consistent with initial settings
2018-06-20 07:32:52 +02:00
Sami Mokaddem e3988c73ad new: [attackMatrix] Also consider attack galaxy at event level in the
heatmap
fix: [attackMatrix] Typo in ATT&CK + division by 0 in gradiendTool
2018-06-18 14:51:29 +00:00
Sami Mokaddem 3a27009775 Merge remote-tracking branch 'upstream/2.4' into attack 2018-06-18 12:18:31 +00:00
Sami Mokaddem 929946f055 new: [attackMatrix] added instance UUID in rest response 2018-06-18 12:04:38 +00:00
Sami Mokaddem 8d145086f0 new: [attackMatrix] statistic about attack tags used in the instance
chg: [attackMatrix] moved functions in to model and matrix view into elements
2018-06-18 09:58:20 +00:00
iglocska 48feb7b7d2 new: [functionality] Kick user out if the session is expired instead of only doing it on a page load 2018-06-12 16:09:50 +02:00
iglocska 68b8266584 new: New flash message system, fixes #3252
- 3 types of flash messages (success, error, warning)
- uses bootstrap's own classes/structure
2018-05-16 19:32:38 +02:00
iglocska b325a5d2a4 Merge branch '2.4' of github.com:MISP/MISP into 2.4 2018-05-08 07:52:32 +02:00
Sami Mokaddem 680311f68f chg: [Controllers] sets the ajax variable globally
As well as removing useless set in controllers and accessing it instead
of passing through the request.
2018-05-07 14:44:59 +00:00
iglocska 2f8686aec3 fix: Don't redirect users to terms page if no terms page is set 2018-05-06 22:42:21 +02:00
iglocska 41fdf6da8b new: Allow further role settings
- exclude a role from non site admin assignment
- set max memory usage and execution time / role
2018-03-24 21:43:46 +01:00
iglocska a596d5800f fix: Run the db update before trying to add users/orgs 2018-02-02 19:52:43 +01:00
iglocska 7772b9c43e new: Disable the viewing of a full organisation list by normal users
- Only site admins and sharing group editors can see organisation lists
  - this includes the org index and various statistics
- Keep in mind: Sharing group editors CAN see the full organisation list - otherwise they wouldn't be able to create sharing groups.
- Also, users CAN enumerate organisations that have created ANY data on the instance by looking at the given data
  - this includes events, proposals, discussion entries, etc
2018-01-13 16:55:01 +01:00
iglocska 4af2136645 fix: Sanitise the list of fields fetched for the admin user index
- as reported by @deralexxx
2018-01-12 11:34:29 +01:00
iglocska 13d4a1d197 chg: Added sane default org_id to users/add API
- takes current user's org_id as the default
2017-12-14 16:32:08 +01:00
iglocska 05a89f5e87 Merge branch '2.4' into feature/tag_filter_rework 2017-11-30 22:28:35 +01:00
iglocska c9b4f8c6ab fix: Added db changes needed for the user domain restrictions along with restricting the user self edit action 2017-11-28 11:52:01 +01:00
iglocska 69423a8bcf new: Add restrictions for e-mail addresses to certain domains
TODO: tie it into the user edit action
2017-11-27 10:22:37 +01:00
iglocska 7d5890b2fc fix: Leaking of hashed passwords in the audit logs fixed
- Scope was limited due to the audit log access restrictions to site/org admins
2017-11-24 11:55:16 +01:00
iglocska 8794af9118 fix: Expose /users/view/me to the API, fixes #2679 2017-11-23 15:44:38 +01:00
Milan Pikula 3626f3ce67 change behavior of login page to return to original page after authentication 2017-11-22 17:15:51 +01:00
iglocska 67d9cd6a6c new: Include user action in zmq 2017-11-16 12:15:39 +01:00
iglocska 943f18d6cc new: push the action for user updates/creations/logins along with the user object to the ZMQ channel 2017-11-16 08:58:53 +01:00
iglocska 3e5b1179c5 fix: Histogram rework
- removed junk debug
- fixed group by issue
- better performance
2017-11-08 11:58:19 +01:00
iglocska 68f4833893 new: First version of the zmq reimplementation 2017-10-27 09:10:46 +02:00
iglocska cfcaf0d410 chg: Made the current password confirmation requirement for any user profile edits optional
- default setting is having it off
- incredibly frustrating feature is now only enabled on demand
2017-08-18 09:05:20 +02:00