From 85e53c53af6617491963e37bc85742cbe23c542b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 28 Sep 2020 11:51:19 -0400
Subject: [PATCH] reject passwords with single or double quotes or backslashes
---
 salt/common/tools/sbin/so-common | 6 ++++++
 salt/common/tools/sbin/so-fleet-user-add | 5 +++++
 salt/common/tools/sbin/so-thehive-user-add | 5 +++++
 setup/so-functions | 6 +++++-
 setup/so-whiptail | 7 +++++++
 5 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 7f436a85d..e5ed79413 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -44,4 +44,10 @@ lookup_pillar_secret() {
 check_container() {
 docker ps | grep "$1:" > /dev/null 2>&1
 return $?
+}
+
+check_password() {
+ local password=$1
+ echo "$password" | egrep -v "'|\"|\\\\" > /dev/null 2>&1
+ return $?
 }
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add
index 265020091..4b6af2825 100755
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ b/salt/common/tools/sbin/so-fleet-user-add
@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
 fi
 read -rs FLEET_PASS
+if ! check_password "$FLEET_PASS"; then
+ echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
+ exit 2
+fi
+
 FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
 if [[ $? -ne 0 ]]; then
 echo "Failed to generate Fleet password hash."
diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add
index 3a94d8803..c0e686805 100755
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
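Review bot: `check_password` in so-common pipes the password through `echo`, and bash's builtin echo treats a value such as `-n` as an option, so grep receives no input and a password containing none of the banned characters is rejected. A shell pattern test avoids both the echo and the extra process, something like `[[ $password != *[\'\"\\]* ]]`. If the pipeline stays, `printf '%s\n' "$password" | grep -Ev ...` is the safer form, since `egrep` is deprecated in current GNU grep. A one-line comment above the function should state that it returns 0 when the password has no single quote, double quote or backslash, and that an empty password also passes.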
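Review bot: The check added in so-fleet-user-add is a character denylist that exists only because `$FLEET_PASS` is pasted into Python source on the `docker exec ... python -c` line below it. The hash step therefore stays correct only while the list matches that literal's quoting rules, and the cleartext password is still visible in the process arguments while the command runs. Passing the secret on stdin removes both problems and lets any character be accepted, e.g. `printf '%s' "$FLEET_PASS" | docker exec -i so-soctopus python -c "import sys, bcrypt; print(bcrypt.hashpw(sys.stdin.read().encode('utf-8'), bcrypt.gensalt()).decode('utf-8'))"`. The so-thehive-user-add hunk has the same shape: `$THEHIVE_PASS` is spliced into the JSON body given to `curl -d`, where raw control characters are also invalid, so building the body with a JSON encoder and sending it with `-d @-` would be the equivalent fix. In both scripts the error message would be better sent to stderr with `>&2`.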
@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
 fi
 read -rs THEHIVE_PASS
+if ! check_password "$THEHIVE_PASS"; then
+ echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
+ exit 2
+fi
+
 # Create new user in TheHive
 resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}")
 if [[ "$resp" =~ \"status\":\"Ok\" ]]; then
diff --git a/setup/so-functions b/setup/so-functions
index 400052d30..aec5fe38a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -371,7 +371,11 @@ collect_webuser_inputs() {
 WPMATCH=no
 while [[ $WPMATCH != yes ]]; do
- whiptail_create_web_user_password1
+ whiptail_create_web_user_password1
+ while ! check_password "$WEBPASSWD1"; do
+ whiptail_invalid_pass_characters_warning
+ whiptail_create_web_user_password1
+ done
 if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then
 whiptail_create_web_user_password2
 check_web_pass
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 2996969fa..68716f7e1 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -381,6 +381,13 @@ whiptail_invalid_pass_warning() {
 whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
 }
+whiptail_invalid_pass_characters_warning() {
+
+ [ -n "$TESTING" ] && return
+
+ whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
+}
+
 whiptail_cur_close_days() {
 [ -n "$TESTING" ] && return
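Review bot: The new inner loop in `collect_webuser_inputs` calls `check_password`, which this commit defines in salt/common/tools/sbin/so-common, and nothing visible in the setup/so-functions hunk shows that file being sourced during setup. If the function is not in scope, `! check_password "$WEBPASSWD1"` is always true (command not found) and the loop re-prompts forever, so it is worth confirming the source line or adding a guard such as `declare -F check_password >/dev/null || return 1` before the loop. A short comment above the loop, e.g. `# reject characters that break quoting in later user-add scripts before running the strength check`, would explain why two separate validations run. The body of `collect_webuser_inputs` continues outside the hunk, so how the outer loop ends is not visible here.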