fix: address security review findings
This commit is contained in:
@@ -16,8 +16,8 @@ audit() {
|
||||
dir=$(dirname "$AUDIT_LOG")
|
||||
mkdir -p "$dir"
|
||||
chmod 700 "$dir"
|
||||
printf '{"timestamp":"%s","event":"%s","result":"%s","correlation":"%s","username":"%s","source_host":"%s","client_ip":"%s"}\n' \
|
||||
"$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$1" "$2" "$3" "$4" "$5" "$6" >> "$AUDIT_LOG"
|
||||
php -r '$fields=["timestamp"=>gmdate("c"),"event"=>$argv[1],"result"=>$argv[2],"correlation"=>$argv[3],"username"=>$argv[4],"source_host"=>$argv[5],"client_ip"=>$argv[6]]; echo json_encode($fields, JSON_UNESCAPED_SLASHES)."\n";' \
|
||||
"$1" "$2" "$3" "$4" "$5" "$6" >> "$AUDIT_LOG"
|
||||
chmod 600 "$AUDIT_LOG"
|
||||
}
|
||||
|
||||
@@ -66,6 +66,7 @@ TTL="${5:-}"
|
||||
USER_IP_BOUND="${6:-}"
|
||||
CLIENT_IP="${7:-}"
|
||||
REDIRECT_PATH="${8:-}"
|
||||
TIMESTAMP_ARG="${9:-}"
|
||||
|
||||
[ "$COMMAND" = "mail-login-create-url" ] || fail
|
||||
printf '%s' "$USERNAME_ARG" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$' || fail
|
||||
@@ -87,10 +88,11 @@ case "$REDIRECT_PATH" in
|
||||
//*|*\\*) fail ;;
|
||||
esac
|
||||
printf '%s' "$REDIRECT_PATH" | grep -Eq '^/[A-Za-z0-9._~%/?=+-]*$' || fail
|
||||
printf '%s' "$TIMESTAMP_ARG" | grep -Eq '^[0-9]+$' || fail
|
||||
|
||||
SERVER_CLEAN=$(clean_label "$SERVER_NAME")
|
||||
USER_CLEAN=$(clean_label "$USERNAME_ARG")
|
||||
TIMESTAMP=$(date '+%s')
|
||||
TIMESTAMP="$TIMESTAMP_ARG"
|
||||
CORRELATION="autologin-$SERVER_CLEAN-$USER_CLEAN-$TIMESTAMP"
|
||||
|
||||
if [ ${#CORRELATION} -gt 96 ]; then
|
||||
@@ -116,9 +118,10 @@ case "$URL" in
|
||||
https://*/api/login/url?key=*) ;;
|
||||
*) fail ;;
|
||||
esac
|
||||
LOGIN_URL_ID=$(printf '%s\n' "$OUTPUT" | awk 'match($0,/HASHURL[A-Z0-9]+/) {print substr($0,RSTART,RLENGTH); exit}')
|
||||
|
||||
printf '{"timestamp":%s,"expires":%s,"correlation":"%s","username":"%s","source_host":"%s","client_ip":"%s","ttl":%s,"ip_bound":%s,"redirect_path":"%s","status":"created"}\n' \
|
||||
"$TIMESTAMP" "$((TIMESTAMP + TTL))" "$CORRELATION" "$USERNAME_ARG" "$SOURCE_HOST" "$CLIENT_IP" "$TTL" "$USER_IP_BOUND" "$REDIRECT_PATH" > "$STATE_DIR/$CORRELATION.json"
|
||||
php -r '$fields=["timestamp"=>(int)$argv[1],"expires"=>(int)$argv[2],"correlation"=>$argv[3],"id"=>$argv[4],"username"=>$argv[5],"source_host"=>$argv[6],"client_ip"=>$argv[7],"ttl"=>(int)$argv[8],"ip_bound"=>(int)$argv[9],"redirect_path"=>$argv[10],"status"=>"created"]; echo json_encode($fields, JSON_UNESCAPED_SLASHES)."\n";' \
|
||||
"$TIMESTAMP" "$((TIMESTAMP + TTL))" "$CORRELATION" "$LOGIN_URL_ID" "$USERNAME_ARG" "$SOURCE_HOST" "$CLIENT_IP" "$TTL" "$USER_IP_BOUND" "$REDIRECT_PATH" > "$STATE_DIR/$CORRELATION.json"
|
||||
chmod 600 "$STATE_DIR/$CORRELATION.json"
|
||||
audit "create_login_url" "success" "$CORRELATION" "$USERNAME_ARG" "$SOURCE_HOST" "$CLIENT_IP"
|
||||
printf 'URL: %s\n' "$URL"
|
||||
|
||||
Reference in New Issue
Block a user