Merge pull request #62 from sei-vsarvepalli/version-1.50.5
Version 1.50.5
sei-vsarvepalli authored Oct 26, 2022
2 parents 7e4a651 + 21a7986 commit 213dcd9
Showing 31 changed files with 618 additions and 319 deletions.
75 changes: 35 additions & 40 deletions CHANGELOG.md
@@ -1,61 +1,56 @@
# VINCE Changelog

Version 1.50.4: 2022-10-05
==========================
## Version 1.50.5: 2022-10-25

UI improvements for vincetrack for search experience
Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used
Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257)
* Updates to settings_.py to match public GitHub
* UI tweaks for Loading div, asynchronous search via delaySearch
* Add Access-Control-Origin header to CSAF output for Secvisogram
* Fix Python Pickle Code Injection vulnerability reported by Rapid7 researcher Marcus Chang CVE-2022-40238
* Address reported failure with better error reporting from Encrypt-and-Send
* Avoid TimeZone spurious warning errors flooding logs

## Version 1.50.4: 2022-10-05

Version 1.50.3: 2022-09-16
==========================
* UI improvements for vincetrack for search experience
* Performance tweaks for Tickets search use $queryset.count() instead len($queryset) when pagination is used
* Fix HTML injection vulnerabilities reported by Rapid7 researcher Nick Sanzotta (CVE-2022-40248,CVE-2022-40257)

Full support for CSAF 2.0 export of vulnerability Case
Fix for a number of Views to avoid digit parameter confusion
Add view CSAF and VINCE JSON to support download of Case data in machine-readable format
If upgrading, make sure you verify settings.py has new variables `CONTACT_PHONE` `ORG_POLICY_URL` and `ORG_AUTHORITY` populated.

## Version 1.50.3: 2022-09-16

Version 1.50.2: 2022-08-29
-=========================
* Full support for CSAF 2.0 export of vulnerability Case
* Fix for a number of Views to avoid digit parameter confusion
* Add view CSAF and VINCE JSON to support download of Case data in machine-readable format
* If upgrading, make sure you verify settings.py has new variables `CONTACT_PHONE` `ORG_POLICY_URL` and `ORG_AUTHORITY` populated.

Resolves issue of enumerating user_id and group_id - reported by Sharon Brizinov of Claroty Research [#51](https://github.com/CERTCC/VINCE/issues/51)
Removed lxml library no longer in use in requirements.txt - reported by dependabot via [#38](https://github.com/CERTCC/VINCE/pull/38)
Add [DISABLED] Keyword for users in `inactive` status in vincetrack `Teams` menu view.

## Version 1.50.2: 2022-08-29

Version 1.50.1: 2022-08-08
==========================
* Resolves issue of enumerating user_id and group_id - reported by Sharon Brizinov of Claroty Research [#51](https://github.com/CERTCC/VINCE/issues/51)
* Removed lxml library no longer in use in requirements.txt - reported by dependabot via [#38](https://github.com/CERTCC/VINCE/pull/38)
* Add [DISABLED] Keyword for users in `inactive` status in vincetrack `Teams` menu view.

BugFix for API key generation issue. The generate_key method was disabled accidentally

## Version 1.50.1: 2022-08-08

# Version 1.50.0: 2022-07-19
============================
* BugFix for API key generation issue. The generate_key method was disabled accidentally

New MFA reset workflow

Allow comments when re-assigning tickets
## Version 1.50.0: 2022-07-19

Sorting improvements on VINCEComm Dashboard
* New MFA reset workflow
* Allow comments when re-assigning tickets
* Sorting improvements on VINCEComm Dashboard
* Add Vul Note download button in VINCETrack
* Fixed open redirect vulnerability (CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799] reported by Jonathan Leitschuh [#45](https://github.com/CERTCC/VINCE/issues/45)
* Bug Fixes

Add Vul Note download button in VINCETrack
## Version 1.49.0: 2022-07-19

Fixed open redirect vulnerability (CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799] reported by Jonathan Leitschuh [#45](https://github.com/CERTCC/VINCE/issues/45)
* Contact Management Updates
* Dependency Upgrades
* Bug Fixes

Bug Fixes
## Version 1.48.0: 2022-05-13

# Version 1.49.0: 2022-07-19
===========================

Contact Management Updates

Dependency Upgrades

Bug Fixes

# Version 1.48.0: 2022-05-13
=============================

Initial Open Source Release
* Initial Open Source Release
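Review bot: the CVE-2022-25799 entry under Version 1.50.0 carries a reversed Markdown link, `(CVE-2022-25799)[https://nvd.nist.gov/vuln/detail/CVE-2022-25799]`, which renders as literal text instead of a link; it should be `[CVE-2022-25799](https://nvd.nist.gov/vuln/detail/CVE-2022-25799)`, matching the `[#45](...)` link on the same line. Version 1.50.0 and Version 1.49.0 both carry the date 2022-07-19, which is worth checking since 1.50.0 bundles the MFA reset workflow and the open redirect fix. The settings list under 1.50.3, `CONTACT_PHONE` `ORG_POLICY_URL` and `ORG_AUTHORITY`, would also read better with commas between the names.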
16 changes: 5 additions & 11 deletions bigvince/settings_.py
Expand Up @@ -56,7 +56,7 @@
ROOT_DIR = environ.Path(__file__) - 3

# any change that requires database migrations is a minor release
VERSION = "1.50.3"
VERSION = "1.50.5"

# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/
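Review bot: VERSION jumps from 1.50.3 to 1.50.5 while CHANGELOG.md in this same commit already lists a 1.50.4 release, so the 1.50.4 deployment shipped with settings reporting 1.50.3; bump VERSION in the same commit as each changelog entry so the value the application reports matches the release, especially given the comment that migration-bearing changes are tracked by this number.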
Expand Down Expand Up @@ -206,7 +206,7 @@
LOGGER_HANDLER = 'console'
# EMAIL_BACKEND = os.environ.get('EMAIL_BACKEND', 'django.core.mail.backends.console.EmailBackend')
EMAIL_BACKEND = os.environ.get('EMAIL_BACKEND', 'django.core.mail.backends.smtp.EmailBackend')
EMAIL_HOST = os.environ.get('EMAIL_HOST', 'smtp.vince.org')
EMAIL_HOST = os.environ.get('EMAIL_HOST', 'smtp.vince.example')
EMAIL_PORT = os.environ.get('EMAIL_PORT', 25)

#BELOW IS FOR A LOCAL (DEBUG) setup - use the local static directory
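Review bot: switching the fallback to smtp.vince.example (an RFC 2606 reserved domain) is the right call for a public settings template, since the previous smtp.vince.org default would send mail from any deployment that forgot to set EMAIL_HOST to a host outside its control. In the surrounding context, `EMAIL_PORT = os.environ.get('EMAIL_PORT', 25)` mixes types: the default is an int but any value read from the environment is a str; wrap it as `int(os.environ.get('EMAIL_PORT', 25))` so both paths yield the same type.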
Expand Down Expand Up @@ -493,12 +493,6 @@ def get_secret(secret_arn):
# VINCETrack group
COGNITO_SUPERUSER_GROUP = os.environ.get('AWS_COGNITO_SUPERUSER_GROUP', COGNITO_ADMIN_GROUP)

# the following 2 vars can be comma separated string if more than 1 group
# anyone in the COGNITO_VINCETRACK_GROUPS will be put in a "vincetrack" local group
COGNITO_VINCETRACK_GROUPS = os.environ.get("AWS_COGNITO_VINCETRACK_GROUPS", default="Coordinator")

COGNITO_SUPERUSER_GROUP = os.environ.get('AWS_COGNITO_SUPERUSER_GROUP', "ADMIN")

#COGNITO_LIMITED_ACCESS_GROUPS can be used to give special permission to views
# in VINCECOMM

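Review bot: the removed block re-assigned COGNITO_SUPERUSER_GROUP with a fallback of "ADMIN", silently overriding the earlier definition whose fallback is COGNITO_ADMIN_GROUP; deleting the second assignment changes the effective superuser group for deployments that do not set AWS_COGNITO_SUPERUSER_GROUP, so the upgrade notes should state which group is now the default. The removed lines also held the only visible definition of COGNITO_VINCETRACK_GROUPS (with the comment that its members land in a local "vincetrack" group); confirm it is still defined elsewhere in the file, otherwise code that reads it will raise AttributeError on settings access.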
Expand Down Expand Up @@ -565,9 +559,9 @@ def get_secret(secret_arn):
}

#from emails on auto-notifications
DEFAULT_FROM_EMAIL = os.environ.get('NO_REPLY_EMAIL', "vuls+donotreply@vince.org")
DEFAULT_FROM_EMAIL = os.environ.get('NO_REPLY_EMAIL', "vuls+donotreply@vince.example")
#from for emails sent from VINCE
DEFAULT_REPLY_EMAIL = os.environ.get('REPLY_EMAIL', "vuls@vince.org")
DEFAULT_REPLY_EMAIL = os.environ.get('REPLY_EMAIL', "vuls@vince.example")

#EMAIL_BUCKET = os.environ.get('S3_EMAIL_BUCKET', 'vince-email')

Expand All @@ -585,7 +579,7 @@ def get_secret(secret_arn):

VINCE_MAX_EMAIL_LENGTH = 300000

IGNORE_EMAILS_TO = ['vuls+donotreply@vince.org']
IGNORE_EMAILS_TO = ['vuls+donotreply@vince.example']

LOGLEVEL = os.environ.get('LOGLEVEL', 'info').upper()
DJANGO_LOGLEVEL = os.environ.get('DJANGO_LOGLEVEL', 'info').upper()
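Review bot: IGNORE_EMAILS_TO is a hard-coded copy of the DEFAULT_FROM_EMAIL fallback from the earlier hunk, so a deployment that sets NO_REPLY_EMAIL in the environment will no longer have its own no-reply address ignored and could loop on replies to auto-notifications; define it in terms of the setting, e.g. `IGNORE_EMAILS_TO = [DEFAULT_FROM_EMAIL]`, or read it from its own environment variable.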
16 changes: 7 additions & 9 deletions vince/mailer.py
Expand Up @@ -654,10 +654,10 @@ def send_templated_mail(template_name,
locale = context['queue'].get('locale') or VINCE_EMAIL_FALLBACK_LOCALE
else:
locale = VINCE_EMAIL_FALLBACK_LOCALE


context['homepage'] = f"{settings.KB_SERVER_NAME}/vince/comm/dashboard/"

try:
t = EmailTemplate.objects.get(template_name__iexact=template_name, locale=locale)
except EmailTemplate.DoesNotExist:
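Review bot: `context['homepage']` is built as `f"{settings.KB_SERVER_NAME}/vince/comm/dashboard/"`, so the link in every templated mail is only correct if KB_SERVER_NAME carries a scheme and no trailing slash; a value such as `https://host/` yields `https://host//vince/comm/dashboard/`. Consider `urllib.parse.urljoin(settings.KB_SERVER_NAME, '/vince/comm/dashboard/')` or `settings.KB_SERVER_NAME.rstrip('/')` to make the result independent of how the setting was entered.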
Expand Down Expand Up @@ -999,10 +999,9 @@ def encrypt_mail(contents, admin_email):
logger.debug(encrypted_data.ok)
logger.debug(encrypted_data.status)
logger.debug(encrypted_data.stderr)
except:
send_sns(traceback.format_exc())
logger.warning(traceback.format_exc())
logger.warning("Could not encrypt data")
except Exception as e:
logger.warning("PGP Encryption failed due to error "+str(e))
send_sns(str(e))
return None
return encrypted_data

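Review bot: narrowing the bare `except:` to `except Exception as e` is an improvement (a bare except also swallows KeyboardInterrupt and SystemExit), but the new handler logs only `str(e)` and drops the traceback that the previous `traceback.format_exc()` calls preserved, which makes key or gpg configuration failures harder to diagnose from the logs. Keep the detail with `logger.warning("PGP Encryption failed due to error %s", e, exc_info=True)` (or `logger.exception(...)`) while still sending the short string form to SNS as done here.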
Expand All @@ -1020,7 +1019,6 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None):
msg.add_header(_name="Content-Type", _value="multipart/mixed", protected_headers="v1")
msg["From"] = settings.DEFAULT_REPLY_EMAIL
msg["To"] = admin_email.email
#msg["Cc"] = "[email protected]"
msg['Subject'] = subject

msg_text = Message()
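Review bot: the signature is `send_encrypted_mail(to_email, subject, contents, attachment=None)` but the message is addressed with `msg["To"] = admin_email.email`, and `admin_email` is not a parameter; if `to_email` is genuinely unused it should be removed, otherwise the header should use it, since a caller passing a recipient will not expect the mail to go elsewhere. Dropping the commented-out Cc line is fine.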
Expand Down Expand Up @@ -1050,7 +1048,6 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None):
pgp_msg = MIMEBase(_maintype="multipart", _subtype="encrypted", protocol="application/pgp-encrypted")
pgp_msg["From"] = settings.DEFAULT_REPLY_EMAIL
pgp_msg["To"] = admin_email.email
#pgp_msg["Cc"] = "[email protected]"
pgp_msg["Subject"] = subject

pgp_msg_part1 = Message()
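Review bot: the From/To/Subject header block is now duplicated verbatim between `msg` (the inner part carrying protected headers) and `pgp_msg` (the outer multipart/encrypted wrapper); a small helper that applies the addressing headers to both would keep them from drifting, which matters because the outer headers are what the MTA and the recipient's client act on.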
Expand All @@ -1064,7 +1061,8 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None):
pgp_msg_part2.add_header(_name="Content-Disposition", _value="inline", filename="encrypted.asc")
try:
payload = encrypt_mail(msg.as_string(), admin_email)
except:
except Exception as e:
logger.warning("Encrypting PGP Email failed due to error "+str(e))
return f"Error encrypting data. Check key for {admin_email.email}"

if payload == None:
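Review bot: `encrypt_mail` earlier in this file already catches `Exception` and returns None, so this `except Exception as e` only fires for failures outside it, such as `msg.as_string()` raising; the path actually taken on a bad or missing key is `payload == None` on the following line, which returns an error string without logging anything. Log there as well, and use `payload is None` rather than `== None`.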
24 changes: 20 additions & 4 deletions vince/models.py
Expand Up @@ -1759,6 +1759,7 @@ def __str__(self):
return f"{self.vulnote.vulnote.case.vu_vuid} review by {self.reviewer.usersettings.preferred_username}"
else:
return f"{self.vulnote.vulnote.case.vu_vuid} review unassigned."


class EmailTemplate(models.Model):
"""
Expand Down Expand Up @@ -3952,6 +3953,9 @@ class UserSettings(models.Model):

def _set_settings(self, data):
# data should always be a Python dictionary.
if not isinstance(data,dict):
logger.warn("Non dictionary item sent to pickle %s" % str(data))
data = {}
try:
import pickle
except ImportError:
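Review bot: coercing a non-dict `data` to `{}` silently overwrites the user's stored settings with an empty dictionary on what is a programming error in the caller; raising `TypeError` (or returning without writing) would surface the bug instead of losing data. `logger.warn` is a deprecated alias in Python 3; use `logger.warning`, and pass the value as a log argument (`logger.warning("Non dictionary item sent to pickle %s", data)`) rather than formatting it with `%` up front.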
Expand All @@ -3965,12 +3969,24 @@ def _get_settings(self):
import pickle
except ImportError:
import cPickle as pickle


class RestrictedUnpickler(pickle.Unpickler):
def find_class(self, module, name):
""" If find_class gets called then return error """
raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
(module, name))
try:
from base64 import decodebytes as b64decode
return pickle.loads(b64decode(self.settings_pickled.encode('utf-8')))
except pickle.UnpicklingError:
if self.settings_pickled:
s = b64decode(self.settings_pickled.encode('utf-8'))
#replacement for pickle.loads()
return RestrictedUnpickler(io.BytesIO(s)).load()
else:
return {}
except (pickle.UnpicklingError, AttributeError) as e:
logger.warn("Error when trying to unpickle data %s " %(str(e)))
return {}
except Exception as e:
logger.warn("Generic error when trying to unpickle data %s " %(str(e)))
return {}

settings = property(_get_settings, _set_settings)
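Review bot: overriding `find_class` to refuse every global is the approach the Python pickle documentation describes for restricting globals, and it fits this data, a plain dict of settings that needs no classes; it is an appropriate fix for the pickle code injection issue (CVE-2022-40238) listed in the changelog. Three follow-ups: (1) `io` is used but not imported in this hunk, so confirm it is imported at module level; (2) the `import cPickle as pickle` fallback cannot work with this code, because cPickle.Unpickler is a function rather than a class and cannot be subclassed, so the Python 2 fallback should be dropped; (3) defining the class on every `_get_settings` call is wasteful, move it to module level. Longer term, because `_set_settings` still serializes with pickle, any setting value that is not a builtin type will now be rejected by `find_class` and collapse to `{}` via the `UnpicklingError` handler; storing settings as JSON would remove unpickling from the code path entirely. `logger.warn` should be `logger.warning` in both handlers here as well.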
30 changes: 20 additions & 10 deletions vince/static/vince/js/activity_search.js
Expand Up @@ -55,28 +55,38 @@ function nextActivity(page) {

}

var priorSearchReq = null;
var txhr = null;

function searchActivity(e) {
if (e) {
e.preventDefault();
}
$("#searchresults").html("<p class=\"loading text-center\"><span>L</span><span>O</span><span>A</span><span>D</span><span>I</span><span>N</span><span>G</span></p>");
$("#id_page").val("1");
var url = "/vince/activity/results/";

if(priorSearchReq) {
priorSearchReq.abort();
if(window.txhr && 'abort' in window.txhr) {
window.txhr.abort();
}

priorSearchReq = $.ajax({
lockunlock(true,'div.mainbody,div.vtmainbody','#searchresults');
txhr = $.ajax({
url: url,
type: "POST",
data: $('#searchform').serialize(),
success: function(data) {
$("#searchresults").html(data);
}
});
success: function(data) {
lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
$("#searchresults").html(data);
},
error: function() {
lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
console.log(arguments);
alert("Search failed or canceled! See console log for details.");
},
complete: function() {
/* Just safety net */
lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
window.txhr = null;
}
});
}


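Review bot: the `error` callback raises `alert("Search failed or canceled! ...")` for every failure, including the abort that `searchActivity` itself triggers when a newer search supersedes the in-flight one; combined with the asynchronous `delaySearch` from the changelog this will pop a dialog whenever a user types faster than the server answers. jQuery passes `(jqXHR, textStatus, errorThrown)` to `error`, so skip the alert when `textStatus === 'abort'`. Also, `var txhr = null;` at top level and `window.txhr` refer to the same binding only in a classic script (top-level `var` becomes a window property); use `window.txhr` consistently, as allsearch.js does, since both files share this variable to cancel each other's requests. The `complete` handler runs after `success` or `error`, so `lockunlock(false, ...)` is called twice per request; harmless, as the comment says.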
24 changes: 17 additions & 7 deletions vince/static/vince/js/allsearch.js
Expand Up @@ -47,8 +47,6 @@ function nextResults(page) {

}



function searchAll(e) {
if (e) {
e.preventDefault();
Expand All @@ -64,14 +62,26 @@ function searchAll(e) {
}

var data = $('#searchall').serialize() + "&facet=" + facet;
$.ajax({
lockunlock(true,'div.mainbody,div.vtmainbody','#searchresults');
window.txhr = $.ajax({
url: url,
type: "GET",
data: data,
success: function(data) {
$("#searchresults").html(data);
}
});
success: function(data) {
lockunlock(false);
$("#searchresults").html(data);
},
error: function() {
lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
console.log(arguments);
alert("Search failed or canceled! See console log for details.");
},
complete: function() {
/* Just safety net */
lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
window.txhr = null;
}
});
}

$(document).ready(function() {
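Review bot: the `success` handler calls `lockunlock(false)` without the selector arguments that the `error` and `complete` handlers pass (`'div.mainbody,div.vtmainbody','#searchresults'`); unless `lockunlock` defaults to those selectors the page stays locked until `complete` runs, so make the three calls consistent. Unlike `searchActivity` in activity_search.js, this function assigns `window.txhr` without first aborting an existing request, so two overlapping searches can race and the later result may be overwritten by the earlier response; add the same `if (window.txhr && 'abort' in window.txhr) { window.txhr.abort(); }` guard before the `$.ajax` call. The concern about `alert` firing on an abort applies here too.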