From ba0831f6266538cfd0112db79c3f0d81bcc2301a Mon Sep 17 00:00:00 2001 From: usmannasir Date: Sun, 3 Nov 2024 14:09:52 +0500 Subject: [PATCH] address some security concerns --- CyberCP/secMiddleware.py | 14 ++++++++------ plogical/applicationInstaller.py | 10 ++++++---- plogical/firewallUtilities.py | 5 ++++- websiteFunctions/website.py | 6 +++++- 4 files changed, 23 insertions(+), 12 deletions(-) diff --git a/CyberCP/secMiddleware.py b/CyberCP/secMiddleware.py index 28f81112d..10f5c160b 100755 --- a/CyberCP/secMiddleware.py +++ b/CyberCP/secMiddleware.py @@ -144,7 +144,9 @@ def __call__(self, request): 'cloudAPI') > -1 or FinalURL.find( 'verifyLogin') > -1 or FinalURL.find('submitUserCreation') > -1: continue - if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations' or key == 'ports' \ + if key == 'ownerPassword' or key == 'scriptUrl' or key == 'CLAMAV_VIRUS' or key == "Rspamdserver" or key == 'smtpd_milters' \ + or key == 'non_smtpd_milters' or key == 'key' or key == 'cert' or key == 'recordContentAAAA' or key == 'backupDestinations'\ + or key == 'ports' \ or key == 'imageByPass' or key == 'passwordByPass' or key == 'PasswordByPass' or key == 'cronCommand' \ or key == 'emailMessage' or key == 'configData' or key == 'rewriteRules' \ or key == 'modSecRules' or key == 'recordContentTXT' or key == 'SecAuditLogRelevantStatus' \ 
@@ -176,9 +178,10 @@ def __call__(self, request):
 return HttpResponse(final_json)
 except BaseException as msg:
- logging.writeToFile(str(msg))
- response = self.get_response(request)
- return response
+ final_dic = {'error_message': f"Error: {str(msg)}",
+ "errorMessage": f"Error: {str(msg)}"}
+ final_json = json.dumps(final_dic)
+ return HttpResponse(final_json)
 else:
 if os.path.exists(ProcessUtilities.debugPath):
 logging.writeToFile('Request does not have a body.')
@@ -197,8 +200,7 @@ def __call__(self, request):
 response['X-Frame-Options'] = "sameorigin"
 response['Content-Security-Policy'] = "script-src 'self' https://www.jsdelivr.com"
 response['Content-Security-Policy'] = "connect-src *;"
- response[
- 'Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
+ response['Content-Security-Policy'] = "font-src 'self' 'unsafe-inline' https://www.jsdelivr.com https://fonts.googleapis.com"
 response[
 'Content-Security-Policy'] = "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.jsdelivr.com https://cdnjs.cloudflare.com https://maxcdn.bootstrapcdn.com https://cdn.jsdelivr.net"
 # response['Content-Security-Policy'] = "default-src 'self' cyberpanel.cloud *.cyberpanel.cloud"
diff --git a/plogical/applicationInstaller.py b/plogical/applicationInstaller.py
index fa27583eb..910e57d09 100755
--- a/plogical/applicationInstaller.py
+++ b/plogical/applicationInstaller.py
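Review bot: The new except branch in `__call__` sends the raw exception text to the client through `f"Error: {str(msg)}"`, which can expose internal file paths or library details to an unauthenticated caller, whereas the old code at least kept that text server-side. Keep the `logging.writeToFile(str(msg))` call and return a fixed message instead, e.g. `final_dic = {'error_message': 'Request rejected.', 'errorMessage': 'Request rejected.'}`, and give the rejection an explicit `status=400` and `content_type='application/json'` so callers do not treat it as a 200. Failing closed here rather than passing the request through is the right direction; `except BaseException` is broader than needed, though, and `except Exception` would avoid swallowing `SystemExit` and `KeyboardInterrupt`. The remainder of `__call__` lies outside this hunk.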
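Review bot: The rejoined `font-src` assignment on the added line is overwritten by the `response['Content-Security-Policy'] = "style-src ..."` context line right after it, just as the `script-src` and `connect-src` assignments above are overwritten in turn, so the browser only ever receives the style-src directive and the script restrictions visible in this hunk never take effect. Collect the directives in a list and assign the header once, e.g. `response['Content-Security-Policy'] = '; '.join(csp_directives)`, with each directive as one list entry. Doing so will also make it obvious that `connect-src *` is as permissive as omitting the directive. `__call__` continues outside this hunk.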
@@ -2433,7 +2433,7 @@ def DeploytoProduction(self):
 logging.statusWriter(self.tempStatusPath, 'Creating database backup..,10')
 command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp --allow-root --skip-plugins --skip-themes --path={StagingSite.path} db export {self.tempPath}/dbexport-stage.sql'
- if ProcessUtilities.executioner(command) == 0:
+ if ProcessUtilities.executioner(command, StagingSite.owner.externalApp) == 0:
 raise BaseException('Failed to create database backup of staging site. [404]')
 command = f'{FinalPHPPath} -d error_reporting=0 /usr/bin/wp theme path --skip-plugins --skip-themes --allow-root --path={WPSite.path}'
@@ -5465,7 +5465,9 @@ def RestoreWPbackupNow(self):
 command = f"ls -lh {self.tempPath}/ab"
 result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
- logging.writeToFile(f'Listing files {str(stdout)}')
+
+ if os.path.exists(ProcessUtilities.debugPath):
+ logging.writeToFile(f'Listing files {str(stdout)}')
 ##### Check if Backup type is Only Database
@@ -5991,7 +5993,7 @@ def RestoreWPbackupNow(self):
 #### replace db user
 command = f'''sed -i "s/define( 'DB_USER', '.*' );/define( 'DB_USER', '{Finaldbuser}' );/" {WPpath}wp-config.php'''
- result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
+ result, stdout = ProcessUtilities.outputExecutioner(command, VHuser, None, None, 1)
 if result == 0:
 raise BaseException(stdout)
@@ -6000,7 +6002,7 @@ def RestoreWPbackupNow(self):
 ### replace db name
 command = f'''sed -i "s/define( 'DB_NAME', '.*' );/define( 'DB_NAME', '{Finaldbname}' );/" {WPpath}wp-config.php'''
- result, stdout = ProcessUtilities.outputExecutioner(command, None, None, None, 1)
+ result, stdout = ProcessUtilities.outputExecutioner(command, VHuser, None, None, 1)
 if result == 0:
 raise BaseException(stdout)
diff --git a/plogical/firewallUtilities.py b/plogical/firewallUtilities.py
index ebabbbb1c..1c53d2609 100755
--- a/plogical/firewallUtilities.py
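Review bot: Running the `db export` as `StagingSite.owner.externalApp` instead of root means `{self.tempPath}` must already be writable by that user and the resulting `dbexport-stage.sql` will be owned by it; whether the later import into the production site, which lies outside this hunk, can still read that file is not visible here and should be confirmed. The `== 0` check is the only thing that would surface a permission failure, and its message `'Failed to create database backup of staging site. [404]'` would be misleading in that case. A comment on the changed line such as `# runs as the staging owner: tempPath must be writable by that user` would record the new precondition. `DeploytoProduction` begins and continues outside this hunk.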
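Review bot: The `if result == 0: raise BaseException(stdout)` check after the changed line cannot tell whether the substitution happened, because `sed -i` exits successfully when the pattern `define( 'DB_USER', '.*' );` matches nothing, so a wp-config.php written with different spacing such as `define('DB_USER', 'x');` is silently left pointing at the old database. `Finaldbuser` is also spliced into both the sed expression and the shell command unquoted, so a `/`, `'` or `&` in it breaks the expression; the DB_NAME replacement in the next hunk has the same two issues. Verify the result explicitly, e.g. run `grep -q "'DB_USER', '{Finaldbuser}'" {WPpath}wp-config.php` through the same executioner and raise if it fails, and quote the value before interpolating it. Running the edit as `VHuser` rather than root is an improvement; `RestoreWPbackupNow` extends outside this hunk.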
+++ b/plogical/firewallUtilities.py
@@ -6,7 +6,10 @@
 import django
 sys.path.append('/usr/local/CyberCP')
 os.environ.setdefault("DJANGO_SETTINGS_MODULE", "CyberCP.settings")
-django.setup()
+try:
+ django.setup()
+except:
+ pass
 import plogical.CyberCPLogFileWriter as logging
 import argparse
diff --git a/websiteFunctions/website.py b/websiteFunctions/website.py
index 4e724d51e..0822a03db 100755
--- a/websiteFunctions/website.py
+++ b/websiteFunctions/website.py
@@ -6623,11 +6623,15 @@ def deleteSSHKey(self, userID=None, data=None):
 key = data['key']
 pathToKeyFile = "/home/%s/.ssh/authorized_keys" % (domain)
+ website = Websites.objects.get(domain=domain)
+
+ command = f'chown {website.externalApp}:{website.externalApp} {pathToKeyFile}'
+ ProcessUtilities.outputExecutioner(command)
 execPath = "/usr/local/CyberCP/bin/python " + virtualHostUtilities.cyberPanel + "/plogical/firewallUtilities.py"
 execPath = execPath + " deleteSSHKey --key '%s' --path %s" % (key, pathToKeyFile)
- output = ProcessUtilities.outputExecutioner(execPath)
+ output = ProcessUtilities.outputExecutioner(execPath, website.externalApp)
 if output.find("1,None") > -1:
 final_dic = {'status': 1, 'delete_status': 1}
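Review bot: The bare `except: pass` around `django.setup()` hides every failure, including an unreadable settings module, so any later ORM use in this script fails far from the cause; a bare except also catches `KeyboardInterrupt` and `SystemExit`. Narrow it and record why the failure is tolerated, e.g. `except Exception:` followed by `# setup may fail when this script is invoked as an unprivileged site user; subcommands that need no ORM still work` and `pass`. If the guard exists specifically for the unprivileged invocation added in website.py, saying so in that comment will stop the next reader from removing it.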
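Review bot: `key` comes straight from the request (`data['key']`) and is pasted into a shell command as `--key '%s'`, so a value containing a single quote breaks out of the quoting and runs arbitrary commands; the middleware in the first hunk explicitly exempts the `key` parameter from its character filter, and the new `website.externalApp` argument only shrinks the blast radius from root to the site user. Quote it, e.g. `execPath = execPath + " deleteSSHKey --key %s --path %s" % (shlex.quote(key), shlex.quote(pathToKeyFile))` with `import shlex` at the top of the file, or pass the key on stdin. The new unconditional `chown` runs without a user argument, its result is ignored, and it hands ownership of `authorized_keys` to the site user, which lets that user add keys if the file was previously root-owned on purpose; a comment explaining why that is acceptable would help. `Websites.objects.get(domain=domain)` can raise `DoesNotExist` and nothing in this hunk handles it. `deleteSSHKey` continues outside the hunk.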