Sami Mokaddem
7ea5acb167
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable
2022-02-21 11:17:05 +01:00
iglocska
b67c221476
fix: [copy pasta fail] left previous assignment in that is now superseeded by the if branch above
2022-02-20 15:07:58 +01:00
iglocska
9245b2d720
fix: [genericTemplates] delete template can be invoked without an ID
2022-02-20 15:05:03 +01:00
iglocska
3af0b0afc5
fix: [misp connector] validations with notEmpty() deprecated, replaced with notEmptyString()
2022-02-20 15:02:07 +01:00
iglocska
e2bb58d3c7
fix: [flood protection] default to 127.0.0.1 if no remote_addr is set as we're dealing with a local CLI script
2022-02-20 15:00:15 +01:00
iglocska
c005cb7f66
fix: [error code] adding an authkey for a user you are not authorised to modify resulted in a 404 instead of a 405
2022-02-20 14:56:21 +01:00
iglocska
2ef2dbbe62
fix: [tests] changed assertion for authkey failure on insufficient privilege from 404 to 405
2022-02-20 14:48:29 +01:00
iglocska
495c4ee93c
fix: [security] XSS in the generic action template
...
- a previously assumed internal url can have user input appended via the MISP local tool connector
- requires a compromised connected MISP instance where a malicious administrator modifies the UUIDs of cerebrate relevant objects to JS payloads
- as reported by Dawid Czarcnecki of Zigrin Security
2022-02-20 12:07:06 +01:00
iglocska
b046990153
fix: [flood protection] default to REMOTE_ADDR if the selected default logging IP source header is not populated
2022-02-20 11:49:57 +01:00
iglocska
3745739158
chg: [flood protection] Changed the description of the setting based on the used IP source
...
- added a warning about the IP source setting affecting the efficacy of the flood protection in regards to an attacker being potentially able to spoof their IP
- Warn the admin to make sure that the reverse proxy used (the main reason to use the alternate headers in the first place) needs to be configured to correctly overwrite the header
- as reported by Dawid Czarnecki of Zigrin Security
2022-02-19 01:42:24 +01:00
iglocska
283299bf36
fix: [security] flood protection control enabled by default
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:34:07 +01:00
iglocska
6e67a5b239
fix: [security] Sharing group creation on behalf of other organisation fixed
...
- org admin could create sharing groups on behalf of other organisations
- can lead to misleading sharing groups being created
- as reported by Dawid Czarnecki of Zigrin Security
2022-02-19 01:21:29 +01:00
iglocska
b41b0dd712
fix: [security] privilege escalation via user edit fixed
...
- org admins could circumvent the role restrictions and elevate themselves to a site admin
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-19 01:02:49 +01:00
iglocska
2da9d8f7d2
new: [keycloak] log enrollment outcome in the audit log
2022-02-18 11:47:33 +01:00
Sami Mokaddem
20907a45da
chg: [organisation] Removed useless class variable
2022-02-09 15:41:58 +01:00
Sami Mokaddem
d8807cce92
chg: [behavior:meta-fields] Renamed finder function
2022-02-09 15:18:24 +01:00
Sami Mokaddem
28aabe3b08
chg: [libraries:meta-template] Bumped version
2022-02-09 15:12:32 +01:00
Sami Mokaddem
ec37a637f8
chg: [header] moved inline style in css file
2022-02-09 09:51:21 +01:00
Sami Mokaddem
e67c711935
chg: [notifications] Slightly improved UI
2022-02-09 09:30:59 +01:00
Sami Mokaddem
a77e29fa38
new: [layout:sidebar] Notifications in the sidebar
2022-02-08 17:58:30 +01:00
Sami Mokaddem
d1cf408163
new: [helpers:bootstrap] Added notification bubble
2022-02-08 17:57:20 +01:00
iglocska
f24e7bc4c2
Merge branch 'develop' into main
2022-02-08 11:06:51 +01:00
Sami Mokaddem
62ca877f0b
Merge branch 'develop' of github.com:cerebrate-project/cerebrate into develop-unstable
2022-02-08 08:42:25 +01:00
Sami Mokaddem
b01d75aaa6
fix: [helpers:bootstrap] Support of cell variant in table
2022-02-07 13:25:33 +01:00
Sami Mokaddem
ad3e89199b
chg: [settingTable] Added value validation before saving the setting
2022-02-07 12:01:07 +01:00
Sami Mokaddem
e13b4e7bc5
fix: [settings:settingField] Enforce sanitization of input fields
...
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 11:43:09 +01:00
Sami Mokaddem
336dfb091c
chg: [settingTable] Gracefully handle if file not writeable
2022-02-07 11:11:25 +01:00
Sami Mokaddem
14ec995c2b
fix: [userSettings] Perform URI validation for bookmarks
...
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 10:48:55 +01:00
Sami Mokaddem
dfb8d73a92
fix: [userSettings] Renamed template to match the controller endpoint
2022-02-07 10:37:03 +01:00
iglocska
bc733e6704
Merge branch 'develop' into main
2022-02-07 02:15:15 +01:00
iglocska
c7b226f844
chg: [flood protection] added cleanup
2022-02-07 02:14:53 +01:00
iglocska
d45a4dc499
new: [registration] added optional registration flood protection
...
- As reported by Dawid Czarnecki from Zigrin Security
2022-02-07 02:03:41 +01:00
iglocska
e6643365d2
new: [flood protection] behaviour added
...
simple expiration system to allow flood protections to be added to any functionality
2022-02-07 02:01:59 +01:00
iglocska
d1cdbda972
fix: [migrations] initial schema migration fixed for upgrades
...
- check if a table has already been created and block the execution for instances that get updated from before the initial schema was retroactively added
2022-02-07 02:00:35 +01:00
iglocska
6a2b764b97
new: [flood protection] schema added
2022-02-07 01:59:58 +01:00
iglocska
a9c1619bda
new: [Exception] 429 added
2022-02-07 01:59:33 +01:00
iglocska
3b21a746b9
Merge branch 'main' into develop
2022-02-04 01:02:42 +01:00
iglocska
88f3cc7944
fix: [security] user settings allow enumeration of usernames
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:45:42 +01:00
iglocska
a263234917
fix: [security] open endpoints should only be open when enabled
...
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:36:31 +01:00
iglocska
15190b930e
fix: [security] Sharing group ACL fixes
...
- added indirect object reference protection
- added correct ACL functionalities to delete, addOrg, removeOrg
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-04 00:16:24 +01:00
iglocska
4a7183d63b
Merge branch 'main' of github.com:cerebrate-project/cerebrate into main
2022-02-03 23:56:39 +01:00
iglocska
e60d97c214
fix: [security] genericForm reflected XSS in form descriptions for user controlled descriptions
...
- accessible via the MISP local tool setting change
- sanitise the description
- as reported by Dawid Czarnecki from Zigrin Security
2022-02-03 23:56:23 +01:00
Alexandre Dulaunoy
a7efe1faf9
Update INSTALL.md
2022-01-31 10:12:01 +01:00
iglocska
4cac47b631
Merge branch 'main' into develop
2022-01-31 09:36:15 +01:00
iglocska
5fbd53883f
fix: [sync] created field rules added
...
- should stop issues of SG/Individual downloads from remote brood
2022-01-31 09:35:33 +01:00
iglocska
a74b84caf5
Merge branch 'main' into develop
2022-01-28 00:51:47 +01:00
iglocska
8b6fc78695
fix: [generic fields] org field URL missing slash fixed
2022-01-28 00:51:09 +01:00
iglocska
4563a397bb
Merge branch 'develop' into main
2022-01-27 22:12:57 +01:00
iglocska
788feab011
chg: [Version] bump
2022-01-27 22:12:35 +01:00
iglocska
9dd488e766
fix: [login] hide keycloak login if keycloak login is disabled
2022-01-27 22:11:51 +01:00