Updates for version 1.50.5

Signed-off-by: Vijay Sarvepalli <[email protected]>
CERTCC · Oct 25, 2022 · 194c2d5 · 194c2d5
1 parent 35f3abc
commit 194c2d5
Show file tree

Hide file tree

Showing 31 changed files with 579 additions and 275 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # VINCE Changelog
 
+Version 1.50.5: 2022-10-25
+==========================
+
+Updates to settings_.py to match public GitHub
+UI tweaks for Loading div, asynchronous search via delaySearch
+Add Access-Control-Origin header to CSAF output for Secvisogram
+Fix Python Pickle Code Injection vulnerability CVE-2022-40238
+Address reported failure with better error reporting from Encrypt-and-Send
+Avoid TimeZone spurious warning errors flooding logs
+
 Version 1.50.4: 2022-10-05
 ==========================
 

diff --git a/bigvince/settings_.py b/bigvince/settings_.py
@@ -56,7 +56,7 @@
 ROOT_DIR = environ.Path(__file__) - 3
 
 # any change that requires database migrations is a minor release
-VERSION = "1.50.3"
+VERSION = "1.50.5"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/
@@ -206,7 +206,7 @@
     LOGGER_HANDLER = 'console'
 #    EMAIL_BACKEND = os.environ.get('EMAIL_BACKEND', 'django.core.mail.backends.console.EmailBackend')
     EMAIL_BACKEND = os.environ.get('EMAIL_BACKEND', 'django.core.mail.backends.smtp.EmailBackend')
-    EMAIL_HOST = os.environ.get('EMAIL_HOST', 'smtp.vince.org')
+    EMAIL_HOST = os.environ.get('EMAIL_HOST', 'smtp.vince.example')
     EMAIL_PORT = os.environ.get('EMAIL_PORT', 25)
 
     #BELOW IS FOR A LOCAL (DEBUG) setup - use the local static directory
@@ -493,12 +493,6 @@ def get_secret(secret_arn):
 # VINCETrack group
 COGNITO_SUPERUSER_GROUP = os.environ.get('AWS_COGNITO_SUPERUSER_GROUP', COGNITO_ADMIN_GROUP)
 
-# the following 2 vars can be comma separated string if more than 1 group
-# anyone in the COGNITO_VINCETRACK_GROUPS will be put in a "vincetrack" local group
-COGNITO_VINCETRACK_GROUPS = os.environ.get("AWS_COGNITO_VINCETRACK_GROUPS", default="Coordinator")
-
-COGNITO_SUPERUSER_GROUP = os.environ.get('AWS_COGNITO_SUPERUSER_GROUP', "ADMIN")
-
 #COGNITO_LIMITED_ACCESS_GROUPS can be used to give special permission to views
 # in VINCECOMM
 
@@ -565,9 +559,9 @@ def get_secret(secret_arn):
 }
 
 #from emails on auto-notifications
-DEFAULT_FROM_EMAIL = os.environ.get('NO_REPLY_EMAIL', "vuls+donotreply@vince.org")
+DEFAULT_FROM_EMAIL = os.environ.get('NO_REPLY_EMAIL', "vuls+donotreply@vince.example")
 #from for emails sent from VINCE
-DEFAULT_REPLY_EMAIL = os.environ.get('REPLY_EMAIL', "vuls@vince.org")
+DEFAULT_REPLY_EMAIL = os.environ.get('REPLY_EMAIL', "vuls@vince.example")
 
 #EMAIL_BUCKET = os.environ.get('S3_EMAIL_BUCKET', 'vince-email')
 
@@ -585,7 +579,7 @@ def get_secret(secret_arn):
 
 VINCE_MAX_EMAIL_LENGTH = 300000
 
-IGNORE_EMAILS_TO = ['vuls+donotreply@vince.org']
+IGNORE_EMAILS_TO = ['vuls+donotreply@vince.example']
 
 LOGLEVEL = os.environ.get('LOGLEVEL', 'info').upper()
 DJANGO_LOGLEVEL = os.environ.get('DJANGO_LOGLEVEL', 'info').upper()

diff --git a/vince/mailer.py b/vince/mailer.py
@@ -654,10 +654,10 @@ def send_templated_mail(template_name,
         locale = context['queue'].get('locale') or VINCE_EMAIL_FALLBACK_LOCALE
     else:
         locale = VINCE_EMAIL_FALLBACK_LOCALE
-
+ 
 
     context['homepage'] = f"{settings.KB_SERVER_NAME}/vince/comm/dashboard/"
-        
+
     try:
         t = EmailTemplate.objects.get(template_name__iexact=template_name, locale=locale)
     except EmailTemplate.DoesNotExist:
@@ -999,10 +999,9 @@ def encrypt_mail(contents, admin_email):
         logger.debug(encrypted_data.ok)
         logger.debug(encrypted_data.status)
         logger.debug(encrypted_data.stderr)
-    except:
-        send_sns(traceback.format_exc())
-        logger.warning(traceback.format_exc())
-        logger.warning("Could not encrypt data")
+    except Exception as e:
+        logger.warning("PGP Encryption failed due to error "+str(e))
+        send_sns(str(e))
         return None
     return encrypted_data
 
@@ -1020,7 +1019,6 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None):
     msg.add_header(_name="Content-Type", _value="multipart/mixed", protected_headers="v1")
     msg["From"] = settings.DEFAULT_REPLY_EMAIL
     msg["To"] = admin_email.email
-    #msg["Cc"] = "[email protected]"
     msg['Subject'] = subject
 
     msg_text = Message()
@@ -1050,7 +1048,6 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None):
     pgp_msg = MIMEBase(_maintype="multipart", _subtype="encrypted", protocol="application/pgp-encrypted")
     pgp_msg["From"] = settings.DEFAULT_REPLY_EMAIL
     pgp_msg["To"] = admin_email.email
-    #pgp_msg["Cc"] = "[email protected]"
     pgp_msg["Subject"] = subject
 
     pgp_msg_part1 = Message()
@@ -1064,7 +1061,8 @@ def send_encrypted_mail(to_email, subject, contents, attachment=None):
     pgp_msg_part2.add_header(_name="Content-Disposition", _value="inline", filename="encrypted.asc")
     try:
         payload = encrypt_mail(msg.as_string(), admin_email)
-    except:
+    except Exception as e:
+        logger.warning("Encrypting PGP Email failed due to error "+str(e))
         return f"Error encrypting data. Check key for {admin_email.email}"
 
     if payload == None:

diff --git a/vince/models.py b/vince/models.py
@@ -1759,6 +1759,7 @@ def __str__(self):
             return f"{self.vulnote.vulnote.case.vu_vuid} review by {self.reviewer.usersettings.preferred_username}"
         else:
             return f"{self.vulnote.vulnote.case.vu_vuid} review unassigned."
+
 
 class EmailTemplate(models.Model):
     """
@@ -3952,6 +3953,9 @@ class UserSettings(models.Model):
 
     def _set_settings(self, data):
         # data should always be a Python dictionary.
+        if not isinstance(data,dict):
+            logger.warn("Non dictionary item sent to pickle %s" % str(data))
+            data = {}        
         try:
             import pickle
         except ImportError:
@@ -3965,12 +3969,24 @@ def _get_settings(self):
             import pickle
         except ImportError:
             import cPickle as pickle
-
-
+        class RestrictedUnpickler(pickle.Unpickler):
+            def find_class(self, module, name):
+                """ If find_class gets called then return error """
+                raise pickle.UnpicklingError("global '%s.%s' is forbidden" %
+                                             (module, name))
         try:
             from base64 import decodebytes as b64decode
-            return pickle.loads(b64decode(self.settings_pickled.encode('utf-8')))
-        except pickle.UnpicklingError:
+            if self.settings_pickled:
+                s = b64decode(self.settings_pickled.encode('utf-8'))
+                #replacement for pickle.loads()
+                return RestrictedUnpickler(io.BytesIO(s)).load()
+            else:
+                return {}
+        except (pickle.UnpicklingError, AttributeError) as e:
+            logger.warn("Error when trying to unpickle data %s " %(str(e)))
+            return {}
+        except Exception as e:
+            logger.warn("Generic error when trying to unpickle data %s " %(str(e)))
             return {}
 
     settings = property(_get_settings, _set_settings)

diff --git a/vince/static/vince/js/activity_search.js b/vince/static/vince/js/activity_search.js
@@ -55,28 +55,38 @@ function nextActivity(page) {
 
 }
 
-var priorSearchReq = null;
+var txhr = null;
 
 function searchActivity(e) {
     if (e) {
         e.preventDefault();
     }
-    $("#searchresults").html("<p class=\"loading text-center\"><span>L</span><span>O</span><span>A</span><span>D</span><span>I</span><span>N</span><span>G</span></p>");
     $("#id_page").val("1");
     var url = "/vince/activity/results/";
 
-    if(priorSearchReq) {
-        priorSearchReq.abort();
+    if(window.txhr && 'abort' in window.txhr) {
+        window.txhr.abort();
     }
-
-    priorSearchReq = $.ajax({
+    lockunlock(true,'div.mainbody,div.vtmainbody','#searchresults');
+    txhr = $.ajax({
         url: url,
         type: "POST",
         data: $('#searchform').serialize(),
-        success: function(data) {
-            $("#searchresults").html(data);
-        }
-    });
+	success: function(data) {
+	    lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
+ 	    $("#searchresults").html(data);
+	},
+	error: function() {
+	    lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
+	    console.log(arguments);
+	    alert("Search failed or canceled! See console log for details.");
+	},
+	complete: function() {
+	    /* Just safety net */
+	    lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
+	    window.txhr = null;
+ 	}
+     });
 }
 
 

diff --git a/vince/static/vince/js/allsearch.js b/vince/static/vince/js/allsearch.js
@@ -47,8 +47,6 @@ function nextResults(page) {
 
 }
 
-
-
 function searchAll(e) {
     if (e) {
         e.preventDefault();
@@ -64,14 +62,26 @@ function searchAll(e) {
     }
 
     var data = $('#searchall').serialize() + "&facet=" + facet;
-    $.ajax({
+    lockunlock(true,'div.mainbody,div.vtmainbody','#searchresults');
+    window.txhr = $.ajax({
         url: url,
         type: "GET",
         data: data,
-        success: function(data) {
-            $("#searchresults").html(data);
-        }
-    });
+	success: function(data) {
+	    lockunlock(false);
+ 	    $("#searchresults").html(data);
+	},
+	error: function() {
+	    lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
+	    console.log(arguments);
+	    alert("Search failed or canceled! See console log for details.");
+	},
+	complete: function() {
+	    /* Just safety net */
+	    lockunlock(false,'div.mainbody,div.vtmainbody','#searchresults');
+	    window.txhr = null;
+ 	}
+     });
 }
 
 $(document).ready(function() {