CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

reject passwords with single or double quotes or backslashes

Browse Source
This commit is contained in:
m0duspwnens
2020-09-28 11:51:19 -04:00
parent 3ba8f47d9c
commit 85e53c53af
5 changed files with 28 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/common/tools/sbin/so-common
View File

@@ -44,4 +44,10 @@ lookup_pillar_secret() {
check_container() { check_container() {
docker ps | grep "$1:" > /dev/null 2>&1 docker ps | grep "$1:" > /dev/null 2>&1
return $? return $?
}
check_password() {
local password=$1
echo "$password" | egrep -v "'|\"|\\\\" > /dev/null 2>&1
return $?
} }

5
salt/common/tools/sbin/so-fleet-user-add
View File

@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
fi fi
read -rs FLEET_PASS read -rs FLEET_PASS
if ! check_password "$FLEET_PASS"; then
echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
exit 2
fi
FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1) FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo "Failed to generate Fleet password hash." echo "Failed to generate Fleet password hash."

5
salt/common/tools/sbin/so-thehive-user-add
View File

@@ -41,6 +41,11 @@ if [[ $? == 0 ]]; then
fi fi
read -rs THEHIVE_PASS read -rs THEHIVE_PASS
if ! check_password "$THEHIVE_PASS"; then
echo "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password."
exit 2
fi
# Create new user in TheHive # Create new user in TheHive
resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}") resp=$(curl -sk -XPOST -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" "https://$THEHIVE_IP/thehive/api/user" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASS\"}")
if [[ "$resp" =~ \"status\":\"Ok\" ]]; then if [[ "$resp" =~ \"status\":\"Ok\" ]]; then

6
setup/so-functions
View File

@@ -371,7 +371,11 @@ collect_webuser_inputs() {
WPMATCH=no WPMATCH=no
while [[ $WPMATCH != yes ]]; do while [[ $WPMATCH != yes ]]; do
whiptail_create_web_user_password1 whiptail_create_web_user_password1
while ! check_password "$WEBPASSWD1"; do
whiptail_invalid_pass_characters_warning
whiptail_create_web_user_password1
done
if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then
whiptail_create_web_user_password2 whiptail_create_web_user_password2
check_web_pass check_web_pass

7
setup/so-whiptail
View File

@@ -381,6 +381,13 @@ whiptail_invalid_pass_warning() {
whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75 whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
} }
whiptail_invalid_pass_characters_warning() {
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
}
whiptail_cur_close_days() { whiptail_cur_close_days() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return