misp

fix: [security] Fixed stored xss when exporting custom clusters into … #2

Workflow file for this run

	# This is a basic workflow to help you get started with Actions

	name: misp

	# Controls when the action will run. Triggers the workflow on push or pull request
	# events but only for the 2.4 and develop branches
	on:
	push:
	branches: [ '2.5', '2.4', develop, '2.4-develop', misp-stix, taxii ]
	pull_request:
	branches: [ '2.5', '2.4', develop, '2.4-develop', misp-stix ]

	# A workflow run is made up of one or more jobs that can run sequentially or in parallel
	jobs:
	# This workflow contains a single job called "build"
	build:
	# The type of runner that the job will run on
	runs-on: ${{ matrix.os }}

	strategy:
	fail-fast: false
	matrix:
	os: [ubuntu-22.04]
	php: ['8.1', '8.3']

	# Steps represent a sequence of tasks that will be executed as part of the job
	steps:
	# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
	- uses: actions/checkout@v4
	with:
	submodules: 'recursive'

	# Run mariadb
	- uses: getong/[email protected]
	with:
	host port: 3306
	container port: 3306
	mysql root password: 'bar'
	mysql database: 'misp'
	mysql user: 'misp'
	mysql password: 'blah'

	- uses: zhulik/[email protected]
	with:
	redis version: '5'
	number of databases: 100

	# prepare php stuff
	- name: Setup PHP
	uses: shivammathur/setup-php@v2
	with:
	php-version: ${{ matrix.php }}a
	extensions: mysql, mbstring, xml, opcache, readline, redis, gd, apcu

	- name: Initialize variables
	run: \|
	echo "USER=`id -u -n`" >> $GITHUB_ENV
	echo "HOST=localhost" >> $GITHUB_ENV

	- name: Install system deps
	env:
	php_version: ${{ matrix.php }}
	run: \|
	sudo apt-get -y update
	sudo apt-get -y install curl python3 python3-pip python3-virtualenv apache2 libapache2-mod-php$php_version

	# Runs a set of commands using the runners shell
	- name: Install deps
	run: \|
	sudo chown $USER:www-data $HOME/.composer
	pushd app
	composer config --no-plugins allow-plugins.composer/installers true
	composer install --no-progress
	popd
	cp -fa INSTALL/setup/config.php app/Plugin/CakeResque/Config/config.php

	# Set perms
	sudo chown -R $USER:www-data `pwd`
	sudo chmod -R 775 `pwd`
	sudo chmod -R g+ws `pwd`/app/tmp
	sudo chmod -R g+ws `pwd`/app/tmp/cache
	sudo chmod -R g+ws `pwd`/app/tmp/cache/persistent
	sudo chmod -R g+ws `pwd`/app/tmp/cache/models
	sudo chmod -R g+ws `pwd`/app/tmp/logs
	sudo chmod -R g+ws `pwd`/app/files
	sudo chmod -R g+ws `pwd`/app/files/scripts/tmp
	sudo chown -R $USER:www-data `pwd`

	# Resque perms
	sudo chown -R $USER:www-data `pwd`/app/Plugin/CakeResque/tmp
	sudo chmod -R 755 `pwd`/app/Plugin/CakeResque/tmp

	# Fill database with basic MISP schema
	mysql -h 127.0.0.1 --port 3306 -u root -pbar -e "SET GLOBAL sql_mode = 'STRICT_ALL_TABLES';"
	mysql -h 127.0.0.1 --port 3306 -u root -pbar -e "grant usage on . to misp@'%' identified by 'blah';"
	mysql -h 127.0.0.1 --port 3306 -u root -pbar -e "grant all privileges on misp.* to misp@'%';"
	mysql -h 127.0.0.1 --port 3306 -u misp -pblah misp < INSTALL/MYSQL.sql


	# configure apache virtual hosts
	sudo mkdir -p /etc/apache2/sites-available
	sudo cp -f build/github-action-ci-apache /etc/apache2/sites-available/misp.conf
	sudo sed -e "s?%GITHUB_WORKSPACE%?$(pwd)?g" --in-place /etc/apache2/sites-available/misp.conf
	sudo sed -e "s?%HOST%?${HOST}?g" --in-place /etc/apache2/sites-available/misp.conf
	sudo a2dissite 000-default
	sudo a2ensite misp.conf
	cat /etc/apache2/sites-enabled/misp.conf
	sudo a2enmod rewrite
	sudo systemctl start --no-block apache2

	# MISP configuration
	sudo cp app/Config/bootstrap.default.php app/Config/bootstrap.php
	sudo cp build/database.php app/Config/database.php
	sudo cp app/Config/core.default.php app/Config/core.php
	sudo cp app/Config/config.default.php app/Config/config.php
	sudo cp build/email.php app/Config/email.php

	# GPG setup
	sudo mkdir `pwd`/.gnupg
	# /!\ VERY INSECURE BUT FASTER ON THE BUILD ENV OF TRAVIS
	sudo cp -a /dev/urandom /dev/random
	sudo gpg --no-tty --no-permission-warning --pinentry-mode=loopback --passphrase "travistest" --homedir `pwd`/.gnupg --gen-key --batch `pwd`/build/gpg
	sudo gpg --list-secret-keys --homedir `pwd`/.gnupg

	# change perms
	sudo chown -R $USER:www-data `pwd`
	sudo chown -R www-data:www-data `pwd`/.gnupg
	sudo chmod -R 700 `pwd`/.gnupg
	sudo usermod -a -G www-data $USER
	sudo chmod -R 777 `pwd`/app/Plugin/CakeResque/tmp/
	# Ensure the perms of config files
	sudo chown -R $USER:www-data `pwd`/app/Config
	sudo chmod -R 777 `pwd`/app/Config
	app/Console/cake Admin setSetting "MISP.server_settings_skip_backup_rotate" 1
	sudo chown -R $USER:www-data `pwd`/app/Config
	sudo chmod -R 777 `pwd`/app/Config

	# fix perms (?)
	namei -m /home/runner/work
	sudo chmod +x /home/runner/work
	sudo chmod +x /home/runner
	sudo chmod +x /home
	sudo chmod +x /

	- name: Python setup
	run: \|
	# Dirty install python stuff
	python3 -m virtualenv -p python3 ./venv
	app/Console/cake Admin setSetting "MISP.python_bin" "$GITHUB_WORKSPACE/venv/bin/python"
	. ./venv/bin/activate
	export PYTHONPATH=$PYTHONPATH:./app/files/scripts
	pip install -r requirements.txt
	pip install -r requirements-dev.txt
	deactivate

	- name: DB Update
	run: \|
	app/Console/cake Admin setSetting "MISP.osuser" $USER
	app/Console/cake Admin runUpdates
	app/Console/cake Admin schemaDiagnostics

	- name: Configure MISP
	run: \|
	app/Console/cake User init \| sudo tee ./key.txt
	echo "AUTH=`cat key.txt`" >> $GITHUB_ENV
	app/Console/cake Admin setSetting "Session.autoRegenerate" 0
	app/Console/cake Admin setSetting "Session.timeout" 600
	app/Console/cake Admin setSetting "Session.cookieTimeout" 3600
	app/Console/cake Admin setSetting "MISP.host_org_id" 1
	app/Console/cake Admin setSetting "MISP.email" "[email protected]"
	app/Console/cake Admin setSetting "MISP.disable_emailing" false
	app/Console/cake Admin setSetting --force "debug" true
	app/Console/cake Admin setSetting "Plugin.CustomAuth_disable_logout" false
	app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
	app/Console/cake Admin setSetting "MISP.redis_port" 6379
	app/Console/cake Admin setSetting "MISP.redis_database" 13
	app/Console/cake Admin setSetting "MISP.redis_password" ""
	app/Console/cake Admin setSetting "GnuPG.email" "[email protected]"
	app/Console/cake Admin setSetting "GnuPG.homedir" "`pwd`/.gnupg"
	app/Console/cake Admin setSetting "GnuPG.password" "travistest"
	app/Console/cake Admin setSetting "MISP.download_gpg_from_homedir" 1
	app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_host" "127.0.0.1"
	app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_port" 6379
	app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_database" 1
	app/Console/cake Admin setSetting "Plugin.ZeroMQ_redis_password" ""
	app/Console/cake Admin setSetting "Plugin.ZeroMQ_enable" 1
	app/Console/cake Admin setSetting "Plugin.ZeroMQ_audit_notifications_enable" 1

	- name: Update JSON
	run: app/Console/cake Admin updateJSON

	- name: Turn MISP live
	run: app/Console/cake Admin live 1

	- name: Check if Redis is ready
	run: app/Console/cake Admin redisReady

	- name: Start workers
	run: \|
	sudo chmod +x app/Console/worker/start.sh
	sudo -u www-data 'app/Console/worker/start.sh'

	- name: Test if apache is working
	run: \|
	sudo systemctl status apache2 --no-pager -l
	sudo apache2ctl -S
	curl -sS http://${HOST}

	- name: Check if dependencies working as expected
	run: \|
	sudo chmod -R 777 PyMISP
	pushd PyMISP
	echo 'url = "http://'${HOST}'"' >> tests/keys.py
	echo 'key = "'${AUTH}'"' >> tests/keys.py
	cat tests/keys.py
	popd
	. ./venv/bin/activate
	pushd tests
	bash ./build-test.sh
	popd
	deactivate

	- name: Run PHP tests
	run: \|
	./app/Vendor/bin/parallel-lint --exclude app/Lib/cakephp/ --exclude app/Vendor/ -e php,ctp app/
	sudo -u www-data ./app/Vendor/bin/phpunit app/Test/

	- name: Clone test files
	uses: actions/checkout@v4
	with:
	repository: viper-framework/viper-test-files
	path: PyMISP/tests/viper-test-files

	- name: Run tests
	run: \|
	pushd tests
	./curl_tests_GH.sh $AUTH $HOST
	popd

	sudo chmod -R g+ws `pwd`/app/tmp/logs

	. ./venv/bin/activate
	pushd PyMISP
	cp tests/keys.py .
	python -m pytest -v --durations=0 tests/test_mispevent.py
	python -m pytest -v --durations=0 tests/testlive_comprehensive.py
	popd
	python tests/testlive_comprehensive_local.py -v
	python tests/testlive_sync.py -v
	python tests/testlive_security.py -v
	cp PyMISP/tests/keys.py PyMISP/examples/events/
	pushd PyMISP/examples/events/
	python ./create_massive_dummy_events.py -l 5 -a 30
	popd
	pip install jsonschema
	python tools/misp-feed/validate.py
	deactivate

	- name: Check requirements.txt
	run: python tests/check_requirements.py

	- name: System logs
	if: ${{ always() }}
	# update logs_test.sh when adding more logsources here
	run: \|
	tail -n +1 `pwd`/app/tmp/logs/*
	tail -n +1 /var/log/apache2/*.log

	- name: Application logs
	if: ${{ always() }}
	run: \|
	app/Console/cake Log export /tmp/logs.json.gz --without-changes
	zcat /tmp/logs.json.gz

	- name: Errors in Logs
	if: ${{ always() }}
	run: \|
	./tests/logs_tests.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: [security] Fixed stored xss when exporting custom clusters into … #2

Workflow file

fix: [security] Fixed stored xss when exporting custom clusters into … #2

Jobs

Run details

Workflow file for this run