Merge commit from fork

(security) Fix: Privilege Escalation Vulnerability in reNgine
yogeshojha · Feb 4, 2025 · 0c6e64f · 0c6e64f
2 parents b77d1e0 + fb2b59d
commit 0c6e64f
Show file tree

Hide file tree

Showing 6 changed files with 73 additions and 7 deletions.
diff --git a/web/api/permissions.py b/web/api/permissions.py
@@ -0,0 +1,21 @@
+from rest_framework.permissions import BasePermission
+from rest_framework.exceptions import PermissionDenied
+from rolepermissions.checkers import has_permission
+
+class HasPermission(BasePermission):
+	"""
+		This is a custom permission class for DRF that checks if the user 
+		has the required permission.
+		Usage in drf views:
+		permission_classes = [HasPermission]
+		permission_required = PERM_MODIFY_SCAN_CONFIGURATIONS
+	"""
+
+	def has_permission(self, request, view):
+		permission_code = getattr(view, 'permission_required', None)
+		if not permission_code:
+			raise PermissionDenied(detail="Permission is not specified for this view.")
+
+		if not has_permission(request.user, permission_code):
+			raise PermissionDenied(detail="This user does not have enough permissions")
+		return True
diff --git a/web/api/views.py b/web/api/views.py
@@ -19,7 +19,6 @@
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.cache import cache
 
-
 from dashboard.models import *
 from recon_note.models import *
 from reNgine.celery import app
@@ -34,7 +33,8 @@
 from startScan.models import EndPoint
 from targetApp.models import *
 from api.shared_api_tasks import import_hackerone_programs_task, sync_bookmarked_programs_task
-from .serializers import *
+from api.permissions import *
+from api.serializers import *
 
 
 logger = logging.getLogger(__name__)
@@ -333,6 +333,9 @@ def clear_all(self, request):
 
 
 class OllamaManager(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 	def get(self, request):
 		"""
 		API to download Ollama Models
@@ -474,6 +477,9 @@ def get(self, request):
 
 
 class CreateProjectApi(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_TARGETS
+
 	def get(self, request):
 		req = self.request
 		project_name = req.query_params.get('name')
@@ -915,6 +921,9 @@ def post(self, request):
 
 
 class AddTarget(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_TARGETS
+
 	def post(self, request):
 		req = self.request
 		data = req.data
@@ -1050,6 +1059,9 @@ def post(self, request):
 
 
 class DeleteMultipleRows(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_TARGETS
+
 	def post(self, request):
 		req = self.request
 		data = req.data
@@ -1069,6 +1081,9 @@ def post(self, request):
 
 
 class StopScan(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_INITATE_SCANS_SUBSCANS
+
 	def post(self, request):
 		req = self.request
 		data = req.data
@@ -1166,6 +1181,9 @@ def abort_subscan(subscan):
 
 
 class InitiateSubTask(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_INITATE_SCANS_SUBSCANS
+
 	def post(self, request):
 		req = self.request
 		data = req.data
@@ -1185,6 +1203,9 @@ def post(self, request):
 
 
 class DeleteSubdomain(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SCAN_RESULTS
+
 	def post(self, request):
 		req = self.request
 		for id in req.data['subdomain_ids']:
@@ -1193,6 +1214,9 @@ def post(self, request):
 
 
 class DeleteVulnerability(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SCAN_RESULTS
+
 	def post(self, request):
 		req = self.request
 		for id in req.data['vulnerability_ids']:
@@ -1262,6 +1286,9 @@ def get(self, request):
 
 
 class UninstallTool(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 	def get(self, request):
 		req = self.request
 		tool_id = req.query_params.get('tool_id')
@@ -1300,6 +1327,9 @@ def get(self, request):
 
 
 class UpdateTool(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 	def get(self, request):
 		req = self.request
 		tool_id = req.query_params.get('tool_id')
@@ -1332,6 +1362,9 @@ def get(self, request):
 			return Response({'status': False, 'message': str(e)})
 
 class GetExternalToolCurrentVersion(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 	def get(self, request):
 		req = self.request
 		# toolname is also the command
@@ -1368,6 +1401,9 @@ def get(self, request):
 
 
 class GithubToolCheckGetLatestRelease(APIView):
+	permission_classes = [HasPermission]
+	permission_required = PERM_MODIFY_SYSTEM_CONFIGURATIONS
+
 	def get(self, request):
 		req = self.request
 

diff --git a/web/dashboard/templates/dashboard/projects.html b/web/dashboard/templates/dashboard/projects.html
@@ -1,6 +1,8 @@
 {% extends 'base/base.html' %}
 {% load humanize %}
 {% load static %}
+{% load permission_tags %}
+
 
 {% block title %}
 Projects
@@ -49,7 +51,11 @@ <h5 class="m-0 fw-normal">{{project.name}}</h5>
                       {% if current_project.slug == project.slug %}
                       <span class="badge bg-info text-white">Current Project cannot be deleted.</span>
                       {% else %}
-                      <a href="#" onclick="delete_project({{project.id}}, '{{project.name}}')" class="btn btn-xs btn-danger"><i class="mdi mdi-trash-can-outline"></i></a>
+                        {% if request.user|can:'modify_targets' %}
+                          <a href="#" onclick="delete_project({{project.id}}, '{{project.name}}')" class="btn btn-xs btn-danger"><i class="mdi mdi-trash-can-outline"></i></a>
+                        {% else %}
+                          <button class="btn btn-xs btn-danger" disabled data-toggle="tooltip" title="Not enough permission"><i class="mdi mdi-trash-can-outline"></i></button>
+                        {% endif %}
                       {% endif %}
                     </td>
                   </tr>
@@ -69,7 +75,7 @@ <h5 class="m-0 fw-normal">{{project.name}}</h5>
   function delete_project(id, project_name){
     const delAPI = "../../delete/project/" + id;
     swal.queue([{
-      title: 'Are you sure you want to delete '+project_name +'?',
+      title: 'Are you sure you want to delete '+ project_name +'?',
       text: "You won't be able to revert this, all targets and scan results also will be deleted!",
       type: 'warning',
       showCancelButton: true,
@@ -94,7 +100,7 @@ <h5 class="m-0 fw-normal">{{project.name}}</h5>
         .catch(function() {
           swal.insertQueueStep({
             type: 'error',
-            title: 'Oops! Unable to delete the target!'
+            title: 'Oops! Unable to delete the project!'
           })
         })
       }

diff --git a/web/dashboard/views.py b/web/dashboard/views.py
@@ -295,6 +295,7 @@ def projects(request, slug):
     return render(request, 'dashboard/projects.html', context)
 
 
+@has_permission_decorator(PERM_MODIFY_TARGETS, redirect_url=FOUR_OH_FOUR_URL)
 def delete_project(request, id):
     obj = get_object_or_404(Project, id=id)
     if request.method == "POST":

diff --git a/web/reNgine/definitions.py b/web/reNgine/definitions.py
@@ -442,7 +442,7 @@
 # Roles and Permissions
 PERM_MODIFY_SYSTEM_CONFIGURATIONS = 'modify_system_configurations'
 PERM_MODIFY_SCAN_CONFIGURATIONS = 'modify_scan_configurations'
-PERM_MODIFY_TARGETS = 'modify_targets'
+PERM_MODIFY_TARGETS = 'modify_targets' # projects and targets
 PERM_MODIFY_SCAN_RESULTS = 'modify_scan_results'
 PERM_MODIFY_WORDLISTS = 'modify_wordlists'
 PERM_MODIFY_INTERESTING_LOOKUP = 'modify_interesting_lookup'

diff --git a/web/templates/base/_items/top_bar.html b/web/templates/base/_items/top_bar.html
@@ -35,7 +35,9 @@ <h5 class="text-overflow mb-2">Search History</h5>
             </a>
           {% endfor %}
           <div class="dropdown-divider"></div>
-          <a href="#" onclick="add_project_modal()" class="dropdown-item"><i class="mdi mdi-account-plus"></i> Create New Project</a>
+           {% if request.user|can:'modify_targets' %}
+            <a href="#" onclick="add_project_modal()" class="dropdown-item"><i class="mdi mdi-account-plus"></i> Create New Project</a>
+          {% endif %}
         </div>
       </li>
       {% if user|can:'modify_targets' or user|can:'modify_scan_configurations' or user|can:'modify_system_configurations' or user|can:'modify_wordlists' %}