Version 1.50.0: Contact Management redesign.

Fix CodeQL alerts 20220527 #96-102, using is_safe_url even when superfluous. Don't trust HTTP_REFERER header. Upgrade dependencies Redirect to the appropriate dashboard if bad link. Add new workflow for MFA Requests. Fix sort on vincecomm dashboard and case views by last post date, highlight cases with new posts.
CERTCC · Jul 19, 2022 · b986a86 · b986a86
1 parent 1909c00
commit b986a86
Show file tree

Hide file tree

Showing 68 changed files with 2,376 additions and 1,333 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,27 @@
 # VINCE Changelog
 
+# Version 1.50.0: 2022-07-19
+============================
+
+New MFA reset workflow
+
+Allow comments when re-assigning tickets
+
+Sorting improvements on VINCEComm Dashboard
+
+Add Vul Note download button in VINCETrack
+
+Bug Fixes
+
+# Version 1.49.0: 2022-07-19
+===========================
+
+Contact Management Updates
+
+Dependency Upgrades
+
+Bug Fixes
+
 # Version 1.48.0: 2022-05-13
 =============================
 

diff --git a/bakery/static_views.py b/bakery/static_views.py
@@ -14,7 +14,8 @@
 from django.http import HttpResponseNotModified
 from django.template import Template, Context, TemplateDoesNotExist
 from django.utils.http import http_date, parse_http_date
-
+from django.conf import settings
+from django.utils.http import is_same_domain, is_safe_url
 
 def serve(request, path, document_root=None, show_indexes=False, default=''):
     """
@@ -52,7 +53,10 @@ def serve(request, path, document_root=None, show_indexes=False, default=''):
             continue
         newpath = os.path.join(newpath, part).replace('\\', '/')
     if newpath and path != newpath:
-        return HttpResponseRedirect(newpath)
+        if is_safe_url(newpath,set(settings.ALLOWED_HOSTS),True):
+            return HttpResponseRedirect(newpath)
+        else:
+            raise Http404("Invalid or Incorrect path found")
     fullpath = os.path.join(document_root, newpath)
     if os.path.isdir(fullpath) and default:
         defaultpath = os.path.join(fullpath, default)

diff --git a/bigvince/settings_.py b/bigvince/settings_.py
@@ -56,7 +56,7 @@
 ROOT_DIR = environ.Path(__file__) - 3
 
 # any change that requires database migrations is a minor release
-VERSION = "1.48.0"
+VERSION = "1.50.0"
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.1/howto/deployment/checklist/

diff --git a/cogauth/forms.py b/cogauth/forms.py
@@ -83,6 +83,13 @@ class Meta:
             'countrycode': CountrySelectWidget()}
 
 
+class COGResetMFA(forms.Form):
+
+    reason = forms.CharField(
+        widget=forms.Textarea(),
+        label=_('Reason for MFA reset'))
+
+
 class COGInitialPWResetForm(forms.Form):
     username = forms.CharField(max_length=200, required=True, label=_("Email"))
 
@@ -260,9 +267,11 @@ class SignUpForm(UserCreationForm):
         required=False)
     email = forms.CharField(
         max_length=254,
+        widget=forms.TextInput(attrs={'autocomplete':'username'}),
         required=True,
-        help_text=_('This will be your login username. Please note that this field is CASE SENSITIVE.'),
+        help_text=_('This will be your personal login username. <b>This field is CASE SENSITIVE.</b><br/><b>PLEASE NOTE:</b> Each VINCE user account is intended to be tied to a specific individual. If you would like to use an alias (for example, <i>[email protected]</i>) to receive group notifications, please create your account here first, and once your individual account has been approved, you will have the opportunity to create a group, join an existing group, and otherwise manage the email addresses associated with your organization.'), 
         label="Email address")
+
     title = forms.CharField(
         max_length=200,
         required=False,
@@ -279,7 +288,7 @@ class SignUpForm(UserCreationForm):
     password1 = forms.CharField(
         max_length=50,
         required=True,
-        widget=forms.PasswordInput,
+        widget=forms.PasswordInput(attrs={'autocomplete':"new-password"}),
         label="New Password",
         help_text=_('Password Requirements:<ul>\
         <li>Minimum length is 8 characters</li>\
@@ -293,7 +302,7 @@ class SignUpForm(UserCreationForm):
     password2 = forms.CharField(
         max_length=50,
         required=True,
-        widget=forms.PasswordInput,
+        widget=forms.PasswordInput(attrs={'autocomplete':"new-password"}),
         label="Password confirmation",
         help_text=_('Enter the same password as before, for verification')
     )

diff --git a/cogauth/templates/cogauth/loginhelp.html b/cogauth/templates/cogauth/loginhelp.html
@@ -7,8 +7,17 @@
 
 {% block content %}
 
-<p>If you lost your multi-factor authentication (MFA) device, you will need to contact us at <a href="mailto:{{ CONTACT_EMAIL }}" ref="nofollow">{{ CONTACT_EMAIL }}</a> to reset your account.  </p>
+{% if showlink %}
+<p>If you lost your multi-factor authentication (MFA) device, you will need to initiate the MFA reset process.</p>
 
+<p><a href="{% url 'cogauth:resetmfa' %}" class="button expanded primary">Reset MFA</a></p>
+
+{% else %}
+<p>If you lost your multi-factor authentication (MFA) device, you can initiate the reset process with your username and password.  First <a href="{% url 'cogauth:login' %}">login</a> and then click the <b>Troubleshoot MFA</b> link.  You will be provided with further instructions to reset your MFA.  </p>
+<p>If you do not have your password, you can reset it <a href="{% url 'cogauth:init_password_reset' %}">here</a> and then attempt to reset your MFA.</p>
+<p>If you still need help, contact us at <a href="mailto:{{ CONTACT_EMAIL }}" ref="nofollow">{{ CONTACT_EMAIL }}</a>.
+</p>
+{% endif %}
 
 
 {% endblock %}

diff --git a/cogauth/templates/cogauth/profile.html b/cogauth/templates/cogauth/profile.html
@@ -75,7 +75,7 @@ <h3>{{ coguser.preferred_username }}</h3>
 	<td>{{ coguser.title }}</td>
       </tr>
       <tr>
-	<td>Vendor Groups:</td>
+	<td>User Groups:</td>
 	<td>{{ my_groups }}</td>
       </tr>
       <tr>

diff --git a/cogauth/templates/cogauth/resetmfa.html b/cogauth/templates/cogauth/resetmfa.html
@@ -0,0 +1,22 @@
+{% extends "vince/login.html" %}
+
+{% load i18n static %}
+
+{% block content_title %}<h3>VINCE MFA Reset</h3>{% endblock %}
+
+
+{% block content %}
+  <p>
+    Please let us know why you need us to reset your multi-factor authentication (MFA) device. To continue the reset, you must follow the directions in the email that will be sent to you upon submitting this form.  Once we receive confirmation, an analyst will reset the MFA associated with your account during business hours.</p>
+  <p>After the reset is complete, you will be prompted to re-associate your MFA device with your VINCE account upon logging in. 
+  </p>
+  <form action="." method="post" class="form">
+    {% csrf_token %}
+    {{ form }}
+    <input type="submit" class="primary button expanded search-button" value="Submit">
+  </form>
+
+{% endblock %}
+
+
+
diff --git a/cogauth/templates/cogauth/signup.html b/cogauth/templates/cogauth/signup.html
@@ -3,6 +3,8 @@
 
 {% block extrahead %}
 <script type="text/javascript" src="{% static 'vince/js/jquery.min.js' %}"></script>
+<script type="text/javascript" src="{% static 'vince/js/jquery.qtip.min.js' %}"></script>
+<link rel="stylesheet" type="text/css" href="{% static 'vince/css/jquery.qtip.min.css' %}" />
 <script type="text/javascript" src="{% static 'vince/js/signup.js' %}"></script>
 <script src="https://www.google.com/recaptcha/api.js"></script>
 {% endblock %}
@@ -13,6 +15,10 @@
 
 {% block content %}<div id="content-main">
 
+<span class="hidden" id="loginhelp">
+VINCE accounts are intended to be tied to a real person. If you would like to establish a group with multiple people (for example, <i>[email protected]</i>) and use an email list or alias for group notifications, please proceed with creating your individual account here, and once your account has been approved, you can request the creation of your group and manage the email addresses associated with your organization.
+</span>
+
 <form method="post" id="signupform" onsubmit="return noDoubleClicks(this);">{% csrf_token %}
   <div class="login-form">
     {% if form.errors %}

diff --git a/cogauth/urls.py b/cogauth/urls.py
@@ -51,13 +51,14 @@
     path('register/', views.RegisterView.as_view(), name='register'),
     path('genapikey/', views.GenerateTokenView.as_view(), name='gentoken'),
     re_path(r'^genapikey/service/(?P<vendor_id>\d+)/', views.GenerateServiceTokenView.as_view(), name='genservicetoken'),
-    path('account/help/', TemplateView.as_view(template_name='cogauth/loginhelp.html'), name='loginhelp'),
+    path('account/help/', views.LoginHelpView.as_view(), name='loginhelp'),
     path('confirmed/', TemplateView.as_view(template_name='cogauth/account_confirmed.html'), name='account_confirmed'),
     path('resetpassword/confirmed/', TemplateView.as_view(template_name='cogauth/pw_confirmed.html'), name='pw_reset_confirmed'),
     path('changePassword/', views.ChangePasswordView.as_view(template_name='cogauth/password_change_form.html'),name='password_change'),
     path('changePassword/done/', TemplateView.as_view(template_name='cogauth/password_change_done.html'), name='password_change_done'),
     path('init/resetpassword/', views.InitialPasswordResetView.as_view(), name='init_password_reset'),
     path('resetpassword/', views.ResetPasswordView.as_view(), name='passwordreset'),
+    path('reset/mfa/unauth/', views.ResetMFAView.as_view(), name='resetmfa'),
     path('changePasswordRegister/', views.ChangePasswordandRegisterView.as_view(),name='password_register'),
     path('account_activation_sent/', views.ConfirmRegister.as_view(), name='account_activation_sent'),
     path('resend/', views.ResendConfirmationCode.as_view(), name='resend'),

diff --git a/cogauth/utils.py b/cogauth/utils.py
@@ -123,7 +123,6 @@ def token_verify(token, expire_fail=False):
         logger.debug(e)
         if expire_fail:
             return False
-        pass
     except JWTError as e:
         logger.debug('JWT Signature is invalid')
         logger.debug(e)
@@ -292,6 +291,17 @@ def cognito_check_track_permissions(request):
                 else:
                     vincegroup.user_set.add(request.user)
 
+
+            if settings.COGNITO_SUPERUSER_GROUP in groups:
+                request.user.is_superuser=True
+                request.user.save()
+            else:
+                if request.user.is_superuser:
+                    logger.warning("Downgrading permissions on %s" % request.user.username)
+                    request.user.is_superuser=False
+                    request.user.save()
+
+
             for g in groups:
                 #Does COGNITO group exist in VINCE?  If so, add the user to that track group.
                 gs = GroupSettings.objects.filter(organization=g).first()
@@ -308,7 +318,8 @@ def cognito_check_track_permissions(request):
                             request.user.usersettings.contacts_write = vgroup.groupsettings.contacts_write
                             request.user.usersettings.save()
                 else:
-                    logger.info(f"LOCAL GROUP tied to Cognito group {g} doesn't exist")
+                    if g not in settings.COGNITO_SUPERUSER_GROUP:
+                        logger.info(f"LOCAL GROUP tied to Cognito group {g} doesn't exist")
 
 
             if settings.COGNITO_ADMIN_GROUP in groups:
@@ -335,8 +346,7 @@ def cognito_check_permissions(request):
                 request.user.vinceprofile.pending = False
                 request.user.vinceprofile.save()
             except:
-                logger.debug("No vinceprofile, this is probably a VINCE (not Vinny) system")
-                pass
+                logger.debug("No vinceprofile, this is probably a VINCE system")
 
         if settings.COGNITO_SUPERUSER_GROUP in groups:
             request.user.is_superuser=True