Skip to content

Commit

Permalink
address some security concerns
Browse files Browse the repository at this point in the history
  • Loading branch information
@usmannasir
usmannasir committed Nov 3, 2024
1 parent d83c5a9 commit ba0831f
Show file tree
Hide file tree
Showing 4 changed files with 23 additions and 12 deletions.
14 changes: 8 additions & 6 deletions CyberCP/secMiddleware.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,9 @@ def __call__(self, request):
'cloudAPI') > -1 or FinalURL.find(
'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1:
continue
if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \
if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' \
or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations'\
or key == 'ports' \
or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \
or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \
or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \
Expand Down Expand Up @@ -176,9 +178,10 @@ def __call__(self, request):
return HttpResponse(final_json)

except BaseException as msg:
logging.writeToFile(str(msg))
response = self.get_response(request)
return response
final_dic = {'error_message': f"Error: {str(msg)}",
"errorMessage": f"Error: {str(msg)}"}
final_json = json.dumps(final_dic)
return HttpResponse(final_json)
else:
if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile('Request does not have a body.')
Expand All @@ -197,8 +200,7 @@ def __call__(self, request):
response['X-Frame-Options'] = "sameorigin"
response['Content-Security-Policy'] = "script-src 'self' https://www.jsdelivr.com"
response['Content-Security-Policy'] = "connect-src *;"
response[
'Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
response['Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
response[
'Content-Security-Policy'] = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.jsdelivr.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net"
# response['Content-Security-Policy'] = "default-src 'self' cyberpanel.cloud *.cyberpanel.cloud"
Expand Down
10 changes: 6 additions & 4 deletions plogical/applicationInstaller.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2433,7 +2433,7 @@ def DeploytoProduction(self):
logging.statusWriter(self.tempStatusPath, 'Creating database backup..,10')

command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp --allow-root --skip-plugins --skip-themes --path={StagingSite.path} db export {self.tempPath}/dbexport-stage.sql'
if ProcessUtilities.executioner(command) == 0:
if ProcessUtilities.executioner(command, StagingSite.owner.externalApp) == 0:
raise BaseException('Failed to create database backup of staging site. [404]')

command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp theme path --skip-plugins --skip-themes --allow-root --path={WPSite.path}'
Expand Down Expand Up @@ -5465,7 +5465,9 @@ def RestoreWPbackupNow(self):

command = f"ls -lh {self.tempPath}/ab"
result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
logging.writeToFile(f'Listing files {str(stdout)}')

if os.path.exists(ProcessUtilities.debugPath):
logging.writeToFile(f'Listing files {str(stdout)}')


##### Check if Backup type is Only Database
Expand Down Expand Up @@ -5991,7 +5993,7 @@ def RestoreWPbackupNow(self):
#### replace db user

command = f'''sed -i "s/define( 'DB_USER', '.*' );/define( 'DB_USER', '{Finaldbuser}' );/" {WPpath}wp-config.php'''
result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
result, stdout = ProcessUtilities.outputExecutioner(command, VHuser, None, None, 1)

if result == 0:
raise BaseException(stdout)
Expand All @@ -6000,7 +6002,7 @@ def RestoreWPbackupNow(self):
### replace db name

command = f'''sed -i "s/define( 'DB_NAME', '.*' );/define( 'DB_NAME', '{Finaldbname}' );/" {WPpath}wp-config.php'''
result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
result, stdout = ProcessUtilities.outputExecutioner(command, VHuser, None, None, 1)

if result == 0:
raise BaseException(stdout)
Expand Down
5 changes: 4 additions & 1 deletion plogical/firewallUtilities.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,10 @@
import django
sys.path.append('/usr/local/CyberCP')
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "CyberCP.settings")
django.setup()
try:
django.setup()
except:
pass

import plogical.CyberCPLogFileWriter as logging
import argparse
Expand Down
6 changes: 5 additions & 1 deletion websiteFunctions/website.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6623,11 +6623,15 @@ def deleteSSHKey(self, userID=None, data=None):

key = data['key']
pathToKeyFile = "/home/%s/.ssh/authorized_keys" % (domain)
website = Websites.objects.get(domain=domain)

command = f'chown {website.externalApp}:{website.externalApp} {pathToKeyFile}'
ProcessUtilities.outputExecutioner(command)

execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/firewallUtilities.py"
execPath = execPath + " deleteSSHKey --key '%s' --path %s" % (key, pathToKeyFile)

output = ProcessUtilities.outputExecutioner(execPath)
output = ProcessUtilities.outputExecutioner(execPath, website.externalApp)

if output.find("1,None") > -1:
final_dic = {'status': 1, 'delete_status': 1}
Expand Down

0 comments on commit ba0831f

Please sign in to comment.