Merge branch 'develop' into 2.4

README.md

@@ -108,16 +108,16 @@ License
 
 This software is licensed under [GNU Affero General Public License version 3](http://www.gnu.org/licenses/agpl-3.0.html)
 
-* Copyright (C) 2012-2022 Christophe Vandeplas
+* Copyright (C) 2012-2023 Christophe Vandeplas
 * Copyright (C) 2012 Belgian Defence
 * Copyright (C) 2012 NATO / NCIRC
-* Copyright (C) 2013-2022 Andras Iklody
-* Copyright (C) 2015-2022 CIRCL - Computer Incident Response Center Luxembourg
+* Copyright (C) 2013-2023 Andras Iklody
+* Copyright (C) 2015-2023 CIRCL - Computer Incident Response Center Luxembourg
 * Copyright (C) 2016 Andreas Ziegler
-* Copyright (C) 2018-2022 Sami Mokaddem
-* Copyright (C) 2018-2022 Christian Studer
-* Copyright (C) 2015-2022 Alexandre Dulaunoy
+* Copyright (C) 2018-2023 Sami Mokaddem
+* Copyright (C) 2018-2023 Christian Studer
+* Copyright (C) 2015-2023 Alexandre Dulaunoy
 * Copyright (C) 2018-2022 Steve Clement
-* Copyright (C) 2020-2022 Jakub Onderka
+* Copyright (C) 2020-2023 Jakub Onderka
 
 For more information, [the list of authors and contributors](AUTHORS) is available.

VERSION.json

@@ -1 +1 @@
-{"major":2, "minor":4, "hotfix":167}
+{"major":2, "minor":4, "hotfix":168}

app/Controller/AppController.php

@@ -34,7 +34,7 @@ class AppController extends Controller
     public $helpers = array('OrgImg', 'FontAwesome', 'UserName');
 
     private $__queryVersion = '147';
-    public $pyMispVersion = '2.4.167';
+    public $pyMispVersion = '2.4.168';
     public $phpmin = '7.2';
     public $phprec = '7.4';
     public $phptoonew = '8.0';
@@ -152,20 +152,25 @@ public function beforeFilter()
         }
 
         $this->User = ClassRegistry::init('User');
-        if ($this->Auth->user()) {
-            if ($this->User->checkForSessionDestruction($this->Auth->user('id'))) {
-                $this->Auth->logout();
-                $this->Session->destroy();
-                $message = __('User deauthenticated on administrator request. Please reauthenticate.');
-                if ($this->_isRest()) {
-                    throw new ForbiddenException($message);
-                } else {
-                    $this->Flash->warning($message);
-                    $this->_redirectToLogin();
-                }
-            }
+
+        if (!empty($this->request->params['named']['disable_background_processing'])) {
+            Configure::write('MISP.background_jobs', 0);
         }
 
+        Configure::write('CurrentController', $controller);
+        Configure::write('CurrentAction', $action);
+        $versionArray = $this->User->checkMISPVersion();
+        $this->mispVersion = implode('.', $versionArray);
+        $this->Security->blackHoleCallback = 'blackHole';
+
+        // send users away that are using ancient versions of IE
+        // Make sure to update this if IE 20 comes out :)
+        if (isset($_SERVER['HTTP_USER_AGENT'])) {
+            if (preg_match('/(?i)msie [2-8]/', $_SERVER['HTTP_USER_AGENT']) && !strpos($_SERVER['HTTP_USER_AGENT'], 'Opera')) {
+                throw new MethodNotAllowedException('You are using an unsecure and outdated version of IE, please download Google Chrome, Mozilla Firefox or update to a newer version of IE. If you are running IE9 or newer and still receive this error message, please make sure that you are not running your browser in compatibility mode. If you still have issues accessing the site, get in touch with your administration team at ' . Configure::read('MISP.contact'));
+            }
+        }
+
         // For fresh installation (salt empty) generate a new salt
         if (!Configure::read('Security.salt')) {
             $this->User->Server->serverSettingsSaveValue('Security.salt', $this->User->generateRandomPassword(32));
@@ -176,6 +181,10 @@ public function beforeFilter()
             $this->User->Server->serverSettingsSaveValue('MISP.uuid', CakeText::uuid());
         }
 
+        /**
+         * Authentication related activities
+         */
+
         // Check if Apache provides kerberos authentication data
         $authUserFields = $this->User->describeAuthFields();
         $envvar = Configure::read('ApacheSecureAuth.apacheEnv');
@@ -191,22 +200,7 @@ public function beforeFilter()
         } else {
             $this->Auth->authenticate[AuthComponent::ALL]['userFields'] = $authUserFields;
         }
-        if (!empty($this->request->params['named']['disable_background_processing'])) {
-            Configure::write('MISP.background_jobs', 0);
-        }
-        Configure::write('CurrentController', $controller);
-        Configure::write('CurrentAction', $action);
-        $versionArray = $this->User->checkMISPVersion();
-        $this->mispVersion = implode('.', $versionArray);
-        $this->Security->blackHoleCallback = 'blackHole';
-
-        // send users away that are using ancient versions of IE
-        // Make sure to update this if IE 20 comes out :)
-        if (isset($_SERVER['HTTP_USER_AGENT'])) {
-            if (preg_match('/(?i)msie [2-8]/', $_SERVER['HTTP_USER_AGENT']) && !strpos($_SERVER['HTTP_USER_AGENT'], 'Opera')) {
-                throw new MethodNotAllowedException('You are using an unsecure and outdated version of IE, please download Google Chrome, Mozilla Firefox or update to a newer version of IE. If you are running IE9 or newer and still receive this error message, please make sure that you are not running your browser in compatibility mode. If you still have issues accessing the site, get in touch with your administration team at ' . Configure::read('MISP.contact'));
-            }
-        }
+
         $userLoggedIn = false;
         if (Configure::read('Plugin.CustomAuth_enable')) {
             $userLoggedIn = $this->__customAuthentication($_SERVER);
@@ -528,12 +522,24 @@ private function __verifyUser(array $user)
                 }
                 $this->Flash->info($message);
                 $this->Auth->logout();
-                throw new MethodNotAllowedException($message);//todo this should pb be removed?
+                $this->_redirectToLogin();
+                return false;
             } else {
                 $this->Flash->error(__('Warning: MISP is currently disabled for all users. Enable it in Server Settings (Administration -> Server Settings -> MISP tab -> live). An update might also be in progress, you can see the progress in ') , array('params' => array('url' => $this->baseurl . '/servers/updateProgress/', 'urlName' => __('Update Progress')), 'clear' => 1));
             }
         }
 
+        // kill existing sessions for a user if the admin/instance decides so
+        // exclude API authentication as it doesn't make sense
+        if (!$this->isApiAuthed && $this->User->checkForSessionDestruction($user['id'])) {
+            $this->Auth->logout();
+            $this->Session->destroy();
+            $message = __('User deauthenticated on administrator request. Please reauthenticate.');
+            $this->Flash->warning($message);
+            $this->_redirectToLogin();
+            return false;
+        }
+
         // Force logout doesn't make sense for API key authentication
         if (!$this->isApiAuthed && $user['force_logout']) {
             $this->User->id = $user['id'];

app/Controller/AuditLogsController.php

@@ -192,10 +192,13 @@ public function eventIndex($eventId, $org = null)
             $list[$k]['AuditLog']['action_human'] = $this->actions[$item['AuditLog']['action']];
         }
 
-        $this->set('list', $list);
+        $this->set('data', $list);
         $this->set('event', $event);
         $this->set('mayModify', $this->__canModifyEvent($event));
-        $this->set('title_for_layout', __('Audit logs for event #%s', $event['Event']['id']));
+        $this->set('menuData', [
+            'menuList' => 'event',
+            'menuItem' => 'eventLog'
+        ]);
     }
 
     public function fullChange($id)

app/Controller/Component/ACLComponent.php

@@ -125,7 +125,7 @@ class ACLComponent extends Component
             'decayingModel' => array(
                 "update" => array(),
                 "export" => array('*'),
-                "import" => array('*'),
+                "import" => array('OR' => array('perm_admin', 'perm_decaying')),
                 "view" => array('*'),
                 "index" => array('*'),
                 "add" => array( 'OR' => array('perm_admin', 'perm_decaying')),

app/Controller/Component/CRUDComponent.php

@@ -114,7 +114,7 @@ public function add(array $params = [])
                     $this->Controller->Flash->success($message);
                     if (!empty($params['displayOnSuccess'])) {
                         $this->Controller->set('entity', $data);
-                        $this->Controller->set('referer', $this->Controller->referer());
+                        $this->Controller->set('referer', $this->Controller->referer(['action' => 'view', $model->id], true));
                         $this->Controller->render($params['displayOnSuccess']);
                         return;
                     }

app/Controller/ServersController.php

@@ -1726,6 +1726,7 @@ public function testConnection($id = false)
         if (!$server) {
             throw new NotFoundException(__('Invalid server'));
         }
+        @session_write_close(); // close session to allow concurrent requests
         $result = $this->Server->runConnectionTest($server);
         if ($result['status'] == 1) {
             if (isset($result['info']['version']) && preg_match('/^[0-9]+\.+[0-9]+\.[0-9]+$/', $result['info']['version'])) {

app/Controller/ShadowAttributesController.php

@@ -62,8 +62,10 @@ private function __accept($id)
         // If the old_id is set to anything but 0 then we're dealing with a proposed edit to an existing attribute
         if ($shadow['old_id'] != 0) {
             // Find the live attribute by the shadow attribute's uuid, so we can begin editing it
-            $this->Attribute->contain = 'Event';
-            $activeAttribute = $this->Attribute->findByUuid($shadow['uuid']);
+            $activeAttribute = $this->Attribute->find('first', [
+                'conditions' => ['Attribute.uuid' => $shadow['uuid']],
+                'contain' => ['Event'],
+            ]);
 
             // Send those away that shouldn't be able to edit this
             if (!$this->__canModifyEvent($activeAttribute)) {

app/Controller/UsersController.php

@@ -1230,6 +1230,11 @@ public function login()
                     $this->Bruteforce->insert($this->request->data['User']['email']);
                 }
             }
+
+            //
+            // Actions needed for the first access, when the database is not populated yet.
+            // 
+
             // populate the DB with the first role (site admin) if it's empty
             if (!$this->User->Role->hasAny()) {
                 $siteAdmin = array('Role' => array(
@@ -1279,7 +1284,6 @@ public function login()
                 }
                 $org_id = $this->User->Organisation->id;
             }
-
             // populate the DB with the first user if it's empty
             if (!$this->User->hasAny()) {
                 if (!isset($org_id)) {
@@ -1291,7 +1295,6 @@ public function login()
                         $org_id = $firstOrg['Organisation']['id'];
                     }
                 }
-
                 $this->User->runUpdates();
                 $this->User->createInitialUser($org_id);
             }
@@ -1300,25 +1303,25 @@ public function login()
 
     private function _postlogin()
     {
-      $this->User->extralog($this->Auth->user(), "login");
-      $this->User->Behaviors->disable('SysLogLogable.SysLogLogable');
-      $this->User->id = $this->Auth->user('id');
-      $user = $this->User->find('first', array(
-          'conditions' => array(
-              'User.id' => $this->Auth->user('id')
-          ),
-          'recursive' => -1
-      ));
-      unset($user['User']['password']);
-      $this->User->updateLoginTimes($user['User']);
-      $lastUserLogin = $user['User']['last_login'];
-      $this->User->Behaviors->enable('SysLogLogable.SysLogLogable');
-      if ($lastUserLogin) {
-          $readableDatetime = (new DateTime())->setTimestamp($lastUserLogin)->format('D, d M y H:i:s O'); // RFC822
-          $this->Flash->info(__('Welcome! Last login was on %s', $readableDatetime));
-      }
-      // no state changes are ever done via GET requests, so it is safe to return to the original page:
-      $this->redirect($this->Auth->redirectUrl());
+        $this->User->extralog($this->Auth->user(), "login");
+        $this->User->Behaviors->disable('SysLogLogable.SysLogLogable');
+        $this->User->id = $this->Auth->user('id');
+        $user = $this->User->find('first', array(
+            'conditions' => array(
+                'User.id' => $this->Auth->user('id')
+            ),
+            'recursive' => -1
+        ));
+        unset($user['User']['password']);
+        $this->User->updateLoginTimes($user['User']);
+        $lastUserLogin = $user['User']['last_login'];
+        $this->User->Behaviors->enable('SysLogLogable.SysLogLogable');
+        if ($lastUserLogin) {
+            $readableDatetime = (new DateTime())->setTimestamp($lastUserLogin)->format('D, d M y H:i:s O'); // RFC822
+            $this->Flash->info(__('Welcome! Last login was on %s', $readableDatetime));
+        }
+        // no state changes are ever done via GET requests, so it is safe to return to the original page:
+        $this->redirect($this->Auth->redirectUrl());
     }
 
     public function routeafterlogin()

app/View/AuditLogs/event_index.ctp

@@ -1,48 +1,59 @@
-<div class="logs index">
-<h2><?= __('Audit logs for event #%s', intval($event['Event']['id'])) ?></h2>
-    <div class="pagination">
-        <ul>
-            <?php
-            $paginator = $this->LightPaginator->prev('&laquo; ' . __('previous'), array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'prev disabled', 'escape' => false, 'disabledTag' => 'span'));
-            $paginator .= $this->LightPaginator->next(__('next') . ' &raquo;', array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'next disabled', 'escape' => false, 'disabledTag' => 'span'));
-            echo $paginator;
-            ?>
-            <li><a href="<?= $baseurl . '/logs/event_index/' . intval($event['Event']['id']) ?>"><?= __('Older logs') ?></a></li>
-        </ul>
-    </div>
-    <table class="table table-striped table-hover table-condensed">
-        <tr>
-            <th><?= $this->LightPaginator->sort('created') ?></th>
-            <th><?= $this->LightPaginator->sort('user_id', __('User')) ?></th>
-            <th><?= $this->LightPaginator->sort('org_id', __('Org')) ?></th>
-            <th><?= $this->LightPaginator->sort('action') ?></th>
-            <th><?= __('Model') ?></th>
-            <th><?= __('Title') ?></th>
-            <th><?= __('Change') ?></th>
-        </tr>
-        <?php foreach ($list as $item): ?>
-        <tr>
-            <td class="short"><?= $this->Time->time($item['AuditLog']['created']); ?></td>
-            <td class="short"><?php
-                if (isset($item['AuditLog']['user_id']) && $item['AuditLog']['user_id'] == 0) {
-                    echo __('SYSTEM');
-                } else if (isset($item['User']['email'])) {
-                    echo h($item['User']['email']);
-                } ?></td>
-            <td class="short"><?= isset($item['Organisation']) ? $this->OrgImg->getOrgLogo($item, 24) : '' ?></td>
-            <td class="short"><?= h($item['AuditLog']['action_human']) ?></td>
-            <td class="short"><?= h($item['AuditLog']['model']) . ' #' . intval($item['AuditLog']['model_id']) ?></td>
-            <td class="limitedWidth"><?= h($item['AuditLog']['title']) ?></td>
-            <td><?= $this->element('AuditLog/change', ['item' => $item]) ?></td>
-        </tr>
-        <?php endforeach; ?>
-    </table>
-    <div class="pagination">
-        <ul>
-            <?= $paginator ?>
-            <li><a href="<?= $baseurl . '/logs/event_index/' . intval($event['Event']['id']) ?>"><?= __('Older logs') ?></a></li>
-        </ul>
-    </div>
-</div>
-<?= $this->element('/genericElements/SideMenu/side_menu', ['menuList' => 'event', 'menuItem' => 'eventLog']);
-
+<?php
+echo sprintf('<div%s>', empty($ajax) ? ' class="index"' : '');
+echo $this->element('genericElements/IndexTable/index_table', [
+    'data' => [
+        'light_paginator' => 1,
+        'data' => $data,
+        'fields' => [
+            [
+                'name' => __('Created'),
+                'data_path' => 'AuditLog.created',
+                'sort' => 'AuditLog.created',
+                'class' => 'short',
+                'element' => 'time'
+            ],
+            [
+                'name' => __('User'),
+                'data_path' => 'User.email',
+                'sort' => 'User.email',
+                'class' => 'short',
+                'empty' => 'SYSTEM'
+            ],
+            [
+                'name' => __('Organisation'),
+                'data_path' => 'Organisation',
+                'sort' => 'Organisation.name',
+                'element' => 'org',
+                'class' => 'short'
+            ],
+            [
+                'name' => __('Action'),
+                'data_path' => 'AuditLog.action_human',
+                'sort' => 'AuditLog.action_human',
+                'class' => 'short'
+            ],
+            [
+                'name' => __('Model'),
+                'data_path' => 'AuditLog',
+                'element' => 'model',
+                'class' => 'short'
+            ],
+            [
+                'name' => __('Title'),
+                'data_path' => 'AuditLog.title',
+                'class' => 'limitedWidth'
+            ],
+            [
+                'name' => __('Change'),
+                'data_path' => 'AuditLog',
+                'element' => 'custom_element',
+                'element_path' => 'AuditLog/change'
+            ]
+        ],
+        'title' => __('Audit logs for event #%s', intval($event['Event']['id']))
+    ]
+]);
+echo '</div>';
+if (empty($ajax)) {
+    echo $this->element('/genericElements/SideMenu/side_menu', $menuData);
+}

app/View/AuthKeys/authkey_display.ctp

@@ -12,7 +12,7 @@
                 <pre class="quickSelect"><?= h($entity['AuthKey']['authkey_raw']) ?></pre>
             </div>
             <div class="modal-footer">
-                <a href="<?= $referer ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
+                <a href="<?= h($referer) ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
             </div>
         </div>
 <?php
@@ -22,7 +22,7 @@
         <p><?= __('Please make sure that you note down the auth key below, this is the only time the auth key is shown in plain text, so make sure you save it. If you lose the key, simply remove the entry and generate a new one.'); ?></p>
         <p><?=__('MISP will use the first and the last 4 characters for identification purposes.')?></p>
         <pre class="quickSelect"><?= h($entity['AuthKey']['authkey_raw']) ?></pre>
-        <a href="<?= $referer ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
+        <a href="<?= h($referer) ?>" class="btn btn-primary"><?= __('I have noted down my key, take me back now') ?></a>
 <?php
     }
 ?>

app/View/Elements/genericElements/IndexTable/Fields/custom_element.ctp

@@ -0,0 +1 @@
+<?= $this->element($field['element_path'], ['item' => $row]) ?>