cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity
987 Commits
12 Branches
30 Tags
21 MiB
Commit Graph

987 Commits (8a6f0ed7512cf380781877c04f1856a913593b8f)

Author SHA1 Message Date
iglocska 8a6f0ed751
fix: [settings] invalid setting name fixed 2022-02-28 10:23:23 +01:00
iglocska 5734d74a17
Merge branch 'develop' into main 2022-02-28 08:27:54 +01:00
iglocska 1e6b6a5abc
fix: [settings] added test for keycloak enabled 
- always require one auth method to be enabled
 2022-02-28 08:27:22 +01:00
iglocska 498efcf671
Merge branch 'develop' into main 2022-02-28 08:21:11 +01:00
iglocska 9d04533e14
chg: [users] restrict org admins from creating other org admins 
- temporary solution for a single community, make this optional in the future
 2022-02-25 10:20:25 +01:00
iglocska 4902a3f8a6
new: [password auth] added setting to disable password auth 
- not needed in some cases for keycloak enabled instances
 2022-02-25 00:33:00 +01:00
iglocska 79459838eb
chg: [user add] if no password was set, set a random one 
- can't be used so far as we have no emailing in place
- it allows user creation when username/password mode is disabled
 2022-02-25 00:31:19 +01:00
iglocska 6f6c10670e
new: [CRUD] added beforeMarshal hook 2022-02-25 00:30:50 +01:00
iglocska 678ad0fe8e
chg: [templates] for user creation now have a minimalist individiual creation included 2022-02-24 13:48:10 +01:00
iglocska 304586ff19
chg: [user] view add link to user's individual 2022-02-24 13:47:49 +01:00
iglocska 3790244ce4
new: [individuals] new finder method to find by alignment 2022-02-24 13:47:08 +01:00
iglocska 8fdb8668c8
fix: [alignments] saving of the alignment was omitted before 2022-02-24 13:46:35 +01:00
iglocska 828946a97f
new: [users] several changes 
- make usernames immutable
- restrict user creation to aligned individuals (org admin only)
- optionally create individual while creating a user
 2022-02-24 13:45:10 +01:00
iglocska b67c221476
fix: [copy pasta fail] left previous assignment in that is now superseeded by the if branch above 2022-02-20 15:07:58 +01:00
iglocska 9245b2d720
fix: [genericTemplates] delete template can be invoked without an ID 2022-02-20 15:05:03 +01:00
iglocska 3af0b0afc5
fix: [misp connector] validations with notEmpty() deprecated, replaced with notEmptyString() 2022-02-20 15:02:07 +01:00
iglocska e2bb58d3c7
fix: [flood protection] default to 127.0.0.1 if no remote_addr is set as we're dealing with a local CLI script 2022-02-20 15:00:15 +01:00
iglocska c005cb7f66
fix: [error code] adding an authkey for a user you are not authorised to modify resulted in a 404 instead of a 405 2022-02-20 14:56:21 +01:00
iglocska 2ef2dbbe62
fix: [tests] changed assertion for authkey failure on insufficient privilege from 404 to 405 2022-02-20 14:48:29 +01:00
iglocska 495c4ee93c
fix: [security] XSS in the generic action template 
- a previously assumed internal url can have user input appended via the MISP local tool connector
- requires a compromised connected MISP instance where a malicious administrator modifies the UUIDs of cerebrate relevant objects to JS payloads

- as reported by Dawid Czarcnecki of Zigrin Security
 2022-02-20 12:07:06 +01:00
iglocska b046990153
fix: [flood protection] default to REMOTE_ADDR if the selected default logging IP source header is not populated 2022-02-20 11:49:57 +01:00
iglocska 3745739158
chg: [flood protection] Changed the description of the setting based on the used IP source 
- added a warning about the IP source setting affecting the efficacy of the flood protection in regards to an attacker being potentially able to spoof their IP
- Warn the admin to make sure that the reverse proxy used (the main reason to use the alternate headers in the first place) needs to be configured to correctly overwrite the header

- as reported by Dawid Czarnecki of Zigrin Security
 2022-02-19 01:42:24 +01:00
iglocska 283299bf36
fix: [security] flood protection control enabled by default 
- as reported by Dawid Czarnecki from Zigrin Security
 2022-02-19 01:34:07 +01:00
iglocska 6e67a5b239
fix: [security] Sharing group creation on behalf of other organisation fixed 
- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created

- as reported by Dawid Czarnecki of Zigrin Security
 2022-02-19 01:21:29 +01:00
iglocska b41b0dd712
fix: [security] privilege escalation via user edit fixed 
- org admins could circumvent the role restrictions and elevate themselves to a site admin

- as reported by Dawid Czarnecki from Zigrin Security
 2022-02-19 01:02:49 +01:00
iglocska 2da9d8f7d2
new: [keycloak] log enrollment outcome in the audit log 2022-02-18 11:47:33 +01:00
iglocska f24e7bc4c2
Merge branch 'develop' into main 2022-02-08 11:06:51 +01:00
Sami Mokaddem ad3e89199b
chg: [settingTable] Added value validation before saving the setting 2022-02-07 12:01:07 +01:00
Sami Mokaddem e13b4e7bc5
fix: [settings:settingField] Enforce sanitization of input fields 
- As reported by Dawid Czarnecki from Zigrin Security
 2022-02-07 11:43:09 +01:00
Sami Mokaddem 336dfb091c
chg: [settingTable] Gracefully handle if file not writeable 2022-02-07 11:11:25 +01:00
Sami Mokaddem 14ec995c2b
fix: [userSettings] Perform URI validation for bookmarks 
- As reported by Dawid Czarnecki from Zigrin Security
 2022-02-07 10:48:55 +01:00
Sami Mokaddem dfb8d73a92
fix: [userSettings] Renamed template to match the controller endpoint 2022-02-07 10:37:03 +01:00
iglocska bc733e6704
Merge branch 'develop' into main 2022-02-07 02:15:15 +01:00
iglocska c7b226f844
chg: [flood protection] added cleanup 2022-02-07 02:14:53 +01:00
iglocska d45a4dc499
new: [registration] added optional registration flood protection 
- As reported by Dawid Czarnecki from Zigrin Security
 2022-02-07 02:03:41 +01:00
iglocska e6643365d2
new: [flood protection] behaviour added 
simple expiration system to allow flood protections to be added to any functionality
 2022-02-07 02:01:59 +01:00
iglocska d1cdbda972
fix: [migrations] initial schema migration fixed for upgrades 
- check if a table has already been created and block the execution for instances that get updated from before the initial schema was retroactively added
 2022-02-07 02:00:35 +01:00
iglocska 6a2b764b97
new: [flood protection] schema added 2022-02-07 01:59:58 +01:00
iglocska a9c1619bda
new: [Exception] 429 added 2022-02-07 01:59:33 +01:00
iglocska 3b21a746b9
Merge branch 'main' into develop 2022-02-04 01:02:42 +01:00
iglocska 88f3cc7944
fix: [security] user settings allow enumeration of usernames 
- as reported by Dawid Czarnecki from Zigrin Security
 2022-02-04 00:45:42 +01:00
iglocska a263234917
fix: [security] open endpoints should only be open when enabled 
- as reported by Dawid Czarnecki from Zigrin Security
 2022-02-04 00:36:31 +01:00
iglocska 15190b930e
fix: [security] Sharing group ACL fixes 
- added indirect object reference protection
- added correct ACL functionalities to delete, addOrg, removeOrg

- as reported by Dawid Czarnecki from Zigrin Security
 2022-02-04 00:16:24 +01:00
iglocska 4a7183d63b
Merge branch 'main' of github.com:cerebrate-project/cerebrate into main 2022-02-03 23:56:39 +01:00
iglocska e60d97c214
fix: [security] genericForm reflected XSS in form descriptions for user controlled descriptions 
- accessible via the MISP local tool setting change
- sanitise the description

- as reported by Dawid Czarnecki from Zigrin Security
 2022-02-03 23:56:23 +01:00
Alexandre Dulaunoy a7efe1faf9
Update INSTALL.md 2022-01-31 10:12:01 +01:00
iglocska 4cac47b631
Merge branch 'main' into develop 2022-01-31 09:36:15 +01:00
iglocska 5fbd53883f
fix: [sync] created field rules added 
- should stop issues of SG/Individual downloads from remote brood
 2022-01-31 09:35:33 +01:00
iglocska a74b84caf5
Merge branch 'main' into develop 2022-01-28 00:51:47 +01:00
iglocska 8b6fc78695
fix: [generic fields] org field URL missing slash fixed 2022-01-28 00:51:09 +01:00