
chg: [security] Added setting to restrict the encoding of local feeds
- By adding local feeds, a malicious administrator could point MISP to ingest configuration files that the apache user has access to
- This includes some more sensitive files (database.php / config.php / .gnupg data)
- Whilst this does not currently lead to an exploitable vulnerability, as the current implementation would not act on those values,
  having a setting to disable this will become much more useful once we have a system in place for custom feed parsers
- The setting can only be enabled/disabled via the CLI

- As reported by Matthias Weckbecker
iglocska committed Mar 30, 2020
1 parent 88331da commit 30ff4b6
Showing 5 changed files with 65 additions and 10 deletions.
4 changes: 2 additions & 2 deletions app/Controller/FeedsController.php
Expand Up @@ -246,7 +246,7 @@ public function add()
$this->Flash->success($message);
$this->redirect(array('controller' => 'feeds', 'action' => 'index'));
} else {
$message = __('Feed could not be added. Invalid field: %s', array_keys($this->Feed->validationErrors)[0]);
$message = __('Feed could not be added. Reason: %s', json_encode($this->Feed->validationErrors));
if ($this->_isRest()) {
return $this->RestResponse->saveFailResponse('Feeds', 'add', false, $message, $this->response->type());
}
Expand Down Expand Up @@ -345,7 +345,7 @@ public function edit($feedId)
$this->Flash->success($message);
$this->redirect(array('controller' => 'feeds', 'action' => 'index'));
} else {
$message = __('Feed could not be updated. Invalid fields: %s', implode(', ', array_keys($this->Feed->validationErrors)));
$message = __('Feed could not be updated. Reason: %s', json_encode($this->Feed->validationErrors));
if ($this->_isRest()) {
return $this->RestResponse->saveFailResponse('Feeds', 'add', false, $message, $this->response->type());
}
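Review bot: The new `$message` line in `add()` embeds the raw `json_encode()` output in a user-facing string, so a single failing field is shown as `{"input_source":["..."]}`, and because `json_encode()` returns `false` on an encoding error, `%s` would then print an empty reason; the same construction is used in `edit()` in the second hunk. A readable form that still reports every field is to build `$field . ': ' . implode(', ', $errors)` for each entry of `$this->Feed->validationErrors` and join the parts with `'; '`. The unchanged context line below the new message in `edit()` still passes `'add'` as the action to `saveFailResponse()`; that predates this commit, but it mislabels the failed action in the REST response. Both `add()` and `edit()` continue outside their hunks.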
25 changes: 25 additions & 0 deletions app/Model/Feed.php
Expand Up @@ -31,6 +31,10 @@ class Feed extends AppModel
'event_id' => array(
'rule' => array('numeric'),
'message' => 'Please enter a numeric event ID or leave this field blank.',
),
'input_source' => array(
'rule' => 'validateInputSource',
'message' => ''
)
);

Expand All @@ -47,6 +51,27 @@ class Feed extends AppModel
)
);

public function validateInputSource($fields)
{
if (!empty($this->data['Feed']['input_source'])) {
$localAllowed = empty(Configure::read('Security.disable_local_feed_access'));
$validOptions = array('network');
if ($localAllowed) {
$validOptions[] = 'local';
}
if (!in_array($this->data['Feed']['input_source'], $validOptions)) {
return __(
'Invalid input source. The only valid options are %s. %s',
implode(', ', $validOptions),
(!$localAllowed && $this->data['Feed']['input_source'] === 'local') ?
__('Security.disable_local_feed_access is currently enabled, local feeds are thereby not allowed.') :
''
);
}
}
return true;
}

public function urlOrExistingFilepath($fields)
{
if ($this->isFeedLocal($this->data)) {
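Review bot: `validateInputSource()` returns `true` without checking anything when `input_source` is absent or empty in the submitted data (the `!empty` guard on its first line), so if the edit path merges the submitted fields over the stored record, a request that changes `url` on an existing local feed while omitting `input_source` is not rejected by this rule — worth confirming against `edit()` in the controller. The `in_array()` call should pass `true` as its third argument, `if (!in_array($this->data['Feed']['input_source'], $validOptions, true)) {`, so that a non-string value such as a JSON `true` cannot loosely compare equal to `'network'`. `$fields` is accepted but never read; taking the value from `$fields['input_source']` would make the rule independent of `$this->data`. A short docblock stating that the rule gates creation and modification only, and that feeds already stored as local are not affected by it, would help the next reader.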
10 changes: 10 additions & 0 deletions app/Model/Server.php
Expand Up @@ -1295,6 +1295,16 @@ public function __construct($id = false, $table = null, $ds = null)
'type' => 'boolean',
'null' => true
),
'disable_local_feed_access' => array(
'level' => 0,
'description' => __('Disabling this setting will allow the creation/modification of local feeds (as opposed to network feeds). Enabling this setting will restrict feed sources to be network based only. When disabled, keep in mind that a malicious site administrator could get access to any arbitrary file on the system that the apache user has access to. Make sure that proper safe-guards are in place. This setting can only be modified via the CLI.'),
'value' => false,
'errorMessage' => '',
'test' => 'testBool',
'type' => 'boolean',
'null' => true,
'cli_only' => 1
),
'allow_unsafe_apikey_named_param' => array(
'level' => 0,
'description' => __('Allows passing the API key via the named url parameter "apikey" - highly recommended not to enable this, but if you have some dodgy legacy tools that cannot pass the authorization header it can work as a workaround. Again, only use this as a last resort.'),
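Review bot: The description for `disable_local_feed_access` says enabling it will "restrict feed sources to be network based only", but the commit only adds validation on feed creation and edit; nothing in this change touches the fetch or caching path, so feeds already stored with `input_source = 'local'` presumably keep being processed after the flag is set. The description should say so, e.g. append `Existing local feeds are not disabled retroactively; review and convert or remove them after enabling this setting.` to the `__()` string. `'errorMessage' => ''` also leaves the administrator with no hint when `testBool` rejects a value. The enclosing `__construct()` continues outside the hunk.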
20 changes: 15 additions & 5 deletions app/View/Feeds/add.ctp
Expand Up @@ -2,10 +2,16 @@
<?php echo $this->Form->create('Feed');?>
<fieldset>
<legend><?php echo __('Add MISP Feed');?></legend>
<p><?php echo __('Add a new MISP feed source.');?></p>
<?php
echo $this->Form->input('enabled', array());
echo $this->Form->input('caching_enabled', array('label' => __('Caching enabled')));
<?php
if (!empty(Configure::read('Security.disable_local_feed_access'))) {
echo sprintf(
'<p class="red bold">%s</p>',
__('Warning: local feeds are currently disabled by policy, to re-enable the feature, set the Security.allow_local_feed_access flag in the server settings. This setting can only be set via the CLI.')
);
}
echo '<p>' . __('Add a new MISP feed source.') . '</p>';
echo $this->Form->input('enabled', array());
echo $this->Form->input('caching_enabled', array('label' => __('Caching enabled')));
?>
<div class="input clear"></div>
<?php
Expand All @@ -21,10 +27,14 @@
'placeholder' => __('Name of the content provider'),
'class' => 'form-control span6'
));
$options = array('network' => 'Network');
if (empty(Configure::read('Security.disable_local_feed_access'))) {
$options['local'] = 'Local';
}
echo $this->Form->input('input_source', array(
'label' => __('Input Source'),
'div' => 'input clear',
'options' => array('network' => 'Network', 'local' => 'Local'),
'options' => $options,
'class' => 'form-control span6'
));
?>
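Review bot: The warning string in the new `echo sprintf(` block names a setting that does not exist: it tells the administrator to set `Security.allow_local_feed_access`, while the flag this commit introduces is `Security.disable_local_feed_access`, and re-enabling local feeds means turning that flag off. The identical string appears in the edit view in the next file section. Suggested text: `__('Warning: local feeds are currently disabled by policy. To re-enable the feature, unset the Security.disable_local_feed_access flag in the server settings. This setting can only be changed via the CLI.')`. Dropping `'local'` from `$options` is a convenience for the form only; the server-side rule in the Feed model remains the actual control, which is worth stating in a one-line comment above the `$options = array('network' => 'Network');` line.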
16 changes: 13 additions & 3 deletions app/View/Feeds/edit.ctp
Expand Up @@ -2,8 +2,14 @@
<?php echo $this->Form->create('Feed');?>
<fieldset>
<legend><?php echo __('Edit MISP Feed');?></legend>
<p><?php echo __('Edit a new MISP feed source.');?></p>
<?php
<?php
if (!empty(Configure::read('Security.disable_local_feed_access'))) {
echo sprintf(
'<p class="red bold">%s</p>',
__('Warning: local feeds are currently disabled by policy, to re-enable the feature, set the Security.allow_local_feed_access flag in the server settings. This setting can only be set via the CLI.')
);
}
echo '<p>' . __('Edit a new MISP feed source.') . '</p>';
echo $this->Form->input('enabled', array(
'type' => 'checkbox'
));
Expand All @@ -26,9 +32,13 @@
'placeholder' => __('Name of the content provider'),
'class' => 'form-control span6'
));
$options = array('network' => 'Network');
if (empty(Configure::read('Security.disable_local_feed_access'))) {
$options['local'] = 'Local';
}
echo $this->Form->input('input_source', array(
'div' => 'input clear',
'options' => array('network' => 'Network', 'local' => 'Local'),
'options' => $options,
'class' => 'form-control span6'
));
?>
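Review bot: When the setting is enabled and the feed being edited already has `input_source = 'local'`, the `$options` array built before the `input_source` input no longer contains the stored value, so no option matches and the browser will display the first entry, Network, as selected; submitting the form unchanged would then attempt to save the existing file path as a network feed. Whether that save is rejected depends on `urlOrExistingFilepath()` in the Feed model, which is not visible here — worth checking before merge. Rather than silently defaulting, the view should tell the user that this feed's current source is no longer selectable, or keep the stored value visible as a non-selectable entry. The message text defect in the policy warning above is the same as in add.ctp and is raised there.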
