Add file upload extension allow list, Force authorization to download file #6564

Merged
merged 5 commits into from
Jul 20, 2022
Merged
Disable access from the media url as well
Maffooch committed Jul 15, 2022
commit 1fef5042c00603f8940ae8e661118bebf3781655
4 changes: 2 additions & 2 deletions dojo/settings/settings.dist.py
Expand Up @@ -232,8 +232,8 @@
# Feature toggle for new authorization for configurations
DD_FEATURE_CONFIGURATION_AUTHORIZATION=(bool, True),
# List of acceptable file types that can be uploaded to a given object via arbitrary file upload
DD_FILE_UPLOAD_TYPES=(list, ['.txt', '.pdf', '.json', '.xml', '.yml', '.png', '.jpeg',
'.csv', '.html', '.sarif', '.xslx', '.html', '.js', '.nessus', '.zip']),
DD_FILE_UPLOAD_TYPES=(list, ['.txt', '.pdf', '.json', '.xml', '.csv', '.yml', '.png', '.jpeg',
'.html', '.sarif', '.xslx', '.doc', '.html', '.js', '.nessus', '.zip']),
)


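Review bot: `'.xslx'` on the new allow-list line looks like a typo for `'.xlsx'` — as written, a real Excel workbook is rejected while the misspelled extension is accepted — and `'.html'` appears twice in the same list, so the new value should read `'.xlsx'` once and `'.html'` once. Keeping `.html` and `.js` on an upload allow list is only safe if the download path forces `Content-Disposition: attachment`, which this commit's nginx change removes, so a comment here is warranted: `# .html/.js are allowed only because downloads are forced to attachment; never serve uploads inline.` The extension check itself is not in this hunk, so whether the comparison is case-insensitive (`.PDF`, `.Html`) cannot be confirmed from here and is worth verifying.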
5 changes: 1 addition & 4 deletions dojo/urls.py
Expand Up @@ -182,7 +182,7 @@
url(r'^robots.txt', lambda x: HttpResponse("User-Agent: *\nDisallow: /", content_type="text/plain"), name="robots_file"),
url(r'^manage_files/(?P<oid>\d+)/(?P<obj_type>\w+)$', views.manage_files, name='manage_files'),
url(r'^access_file/(?P<fid>\d+)/(?P<oid>\d+)/(?P<obj_type>\w+)$', views.access_file, name='access_file'),

url(r'^%s/(?P<path>.*)$' % settings.MEDIA_URL.strip('/'), views.protected_serve, {'document_root': settings.MEDIA_ROOT})
]

urlpatterns += survey_urls
Expand All @@ -201,9 +201,6 @@
# django admin
urlpatterns += [url(r'^%sadmin/' % get_system_setting('url_prefix'), admin.site.urls)]

if settings.DEBUG:
urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

# sometimes urlpatterns needed be added from local_settings.py to avoid having to modify core defect dojo files
if hasattr(settings, 'EXTRA_URL_PATTERNS'):
urlpatterns += settings.EXTRA_URL_PATTERNS
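Review bot: `settings.MEDIA_URL.strip('/')` is spliced into the new route regex unescaped, so any regex metacharacter in `MEDIA_URL` (a `.` in a host-style value, for instance) changes what the pattern matches; `re.escape(settings.MEDIA_URL.strip('/'))` keeps the prefix literal (add `import re` if this file does not already have it). The route also deserves a one-line comment explaining why media is now routed through Django instead of the removed `static()` mapping and nginx `/media/` block, since a later maintainer could otherwise "optimize" it back: `# Media is served through protected_serve so every download is authorized; do not re-add a direct nginx/static mapping.`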
29 changes: 25 additions & 4 deletions dojo/views.py
Expand Up @@ -7,6 +7,9 @@
from django.http import Http404, HttpResponseRedirect, FileResponse
from django.conf import settings
from django.urls import reverse
from django.core.exceptions import PermissionDenied
from django.contrib.auth.decorators import login_required
from django.views.static import serve
from django.shortcuts import render, get_object_or_404
from dojo.models import Engagement, Test, Finding, Endpoint, Product, FileUpload
from dojo.filters import LogEntryFilter
Expand Down Expand Up @@ -174,22 +177,40 @@ def manage_files(request, oid, obj_type):
})


# Serve the file only after verifying the user is supposed to see the file
@login_required
def protected_serve(request, path, document_root=None, show_indexes=False):
file = FileUpload.objects.get(file=path)
if not file:
raise Http404()
object_set = list(file.engagement_set.all()) + list(file.test_set.all()) + list(file.finding_set.all())
# Should only one item (but not sure what type) in the list, so O(n=1)
for obj in object_set:
if isinstance(obj, Engagement):
user_has_permission_or_403(request.user, obj, Permissions.Engagement_View)
elif isinstance(obj, Test):
user_has_permission_or_403(request.user, obj, Permissions.Test_View)
elif isinstance(obj, Finding):
user_has_permission_or_403(request.user, obj, Permissions.Finding_View)
return serve(request, path, document_root, show_indexes)


def access_file(request, fid, oid, obj_type, url=False):
if obj_type == 'Engagement':
obj = get_object_or_404(Engagement, pk=oid)
user_has_permission_or_403(request.user, obj, Permissions.Engagement_Edit)
user_has_permission_or_403(request.user, obj, Permissions.Engagement_View)
elif obj_type == 'Test':
obj = get_object_or_404(Test, pk=oid)
user_has_permission_or_403(request.user, obj, Permissions.Test_Edit)
user_has_permission_or_403(request.user, obj, Permissions.Test_View)
elif obj_type == 'Finding':
obj = get_object_or_404(Finding, pk=oid)
user_has_permission_or_403(request.user, obj, Permissions.Finding_Edit)
user_has_permission_or_403(request.user, obj, Permissions.Finding_View)
else:
raise Http404()
# If reaching this far, user must have permission to get file
file = get_object_or_404(FileUpload, pk=fid)
redirect_url = '{media_root}/{file_name}'.format(
media_root=settings.MEDIA_ROOT,
file_name=file.file.url.lstrip(settings.MEDIA_URL))

print(redirect_url)
return FileResponse(open(redirect_url))
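Review bot: `FileUpload.objects.get(file=path)` in the new `protected_serve` raises `DoesNotExist` (a 500) for any path with no matching row, so the `if not file: raise Http404()` guard below it is dead code; `get_object_or_404(FileUpload, file=path)` is already imported in this module and gives the intended 404. The permission loop also fails open: a FileUpload linked to no engagement, test or finding leaves `object_set` empty, no `user_has_permission_or_403` call runs, and the file is served to any logged-in user — `PermissionDenied` is imported by this commit but never used, and this is where it belongs. Because the commit removes nginx's `add_header Content-Disposition attachment` for `/media/`, `django.views.static.serve` now returns uploads inline with a guessed Content-Type, and `.html`/`.js` are on `DD_FILE_UPLOAD_TYPES`, so an uploaded HTML file renders in the application's origin as stored XSS for every user allowed to view that object; setting `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` on the response closes that. `access_file` has the same missing header, and `open(redirect_url)` in text mode will fail on binary uploads such as `.pdf` or `.zip` (`open(redirect_url, 'rb')` is needed), though those lines may predate this commit.
```python
@login_required
def protected_serve(request, path, document_root=None, show_indexes=False):
    file = get_object_or_404(FileUpload, file=path)
    object_set = list(file.engagement_set.all()) + list(file.test_set.all()) + list(file.finding_set.all())
    # Fail closed: an upload attached to nothing has no owner to authorize against
    if not object_set:
        raise PermissionDenied()
    # … unchanged: per-object Engagement/Test/Finding permission checks …
    response = serve(request, path, document_root, show_indexes)
    # Allow-list includes .html/.js; never let the browser render an upload in the app origin
    response['Content-Disposition'] = 'attachment'
    response['X-Content-Type-Options'] = 'nosniff'
    return response
```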
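--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -30,10 +30,6 @@ http {
 location /static/ {
 alias /usr/share/nginx/html/static/;
 }
-location /media/ {
-add_header Content-Disposition attachment;
-alias /usr/share/nginx/html/media/;
-}
 location / {
 include /run/defectdojo/uwsgi_pass;
 include /etc/nginx/wsgi_params;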
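--- a/nginx/nginx_TLS.conf
+++ b/nginx/nginx_TLS.conf
@@ -47,10 +47,6 @@ http {
 location /static/ {
 alias /usr/share/nginx/html/static/;
 }
-location /media/ {
-add_header Content-Disposition attachment;
-alias /usr/share/nginx/html/media/;
-}
 location / {
 include /run/defectdojo/uwsgi_pass;
 include /etc/nginx/wsgi_params;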