v4.2 Development Branch #523

donaldzou · 2024-11-23T10:35:41Z

No description provided.

Merge main into bsd support

Merging latest v4.1.1 changes into v4.2.0 branch

Replace `ifcfg` with socket to get default interface address

src/dashboard.py

Fixing `auth_req` is not working

src/DashboardConfig.py

src/Utilities.py

- Fixed #497

#524

- Disabled `EmailSender` for now

- Fixed message blocking element behind - Adjusted message UI - Allow to dismiss, will not dismiss when mouse hover on it

src/Utilities.py

+    @return: Boolean indicate if the text match the regex pattern
+    """
+    pattern = re.compile(regex)
+    return pattern.search(text) is not None


src/dashboard.py

-                self.__createDatabase()
-                with open(self.__configPath, "w+") as configFile:
+                self.createDatabase()
+                with open(self.configPath, "w+") as configFile:


To fix the problem, we need to validate the user-provided ConfigurationName before using it to construct the file path. We can use os.path.normpath to normalize the path and ensure it is within a safe directory. Additionally, we can use werkzeug.utils.secure_filename to sanitize the filename.

Import secure_filename from werkzeug.utils.

Normalize the constructed path using os.path.normpath.

Ensure the normalized path starts with the intended base directory.

src/dashboard.py

-        if self.PrivateKey:
-            self.PublicKey = self.__getPublicKey()
-        self.Status = self.getStatus()
+        with open(self.configPath, 'r') as f:


To fix the problem, we need to ensure that the constructed file path is contained within a safe root folder. We can achieve this by normalizing the path using os.path.normpath and then checking that the normalized path starts with the root folder. This will prevent any path traversal attacks.

Normalize the configPath using os.path.normpath.

Check that the normalized path starts with the expected root directory.

Raise an exception if the path is not within the expected directory.

src/dashboard.py

        self.RestrictedPeers = []
        restricted = sqlSelect("SELECT * FROM '%s_restrict_access'" % self.Name).fetchall()
        for i in restricted:
            self.RestrictedPeers.append(Peer(i, self))

    def configurationFileChanged(self) :
-        mt = os.path.getmtime(os.path.join(DashboardConfig.GetConfig("Server", "wg_conf_path")[1], f'{self.Name}.conf'))
+        mt = os.path.getmtime(self.configPath)


To fix the problem, we need to ensure that the constructed file path is safe and does not allow path traversal attacks. We can achieve this by normalizing the path and ensuring it is contained within a predefined safe directory. We will use os.path.normpath to normalize the path and then check if the resulting path starts with the expected base directory.

Normalize the configPath using os.path.normpath.

Ensure the normalized path starts with the base directory.

Raise an exception if the path is not within the expected directory.

src/dashboard.py

        if self.configurationFileChanged():
            self.Peers = []
-            with open(os.path.join(DashboardConfig.GetConfig("Server", "wg_conf_path")[1], f'{self.Name}.conf'), 'r') as configFile:
+            with open(self.configPath, 'r') as configFile:


To fix the problem, we need to validate the user-provided file path to ensure it does not lead to path traversal attacks. We can achieve this by normalizing the path and ensuring it is contained within a safe root directory. This involves the following steps:

Normalize the path using os.path.normpath.

Check that the normalized path starts with the expected base directory.

Raise an exception or return an error response if the path is invalid.

src/dashboard.py

+        }
+
+        if (os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"])) and
+                os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):


To fix the problem, we need to validate and sanitize the user-provided data["Backup"] value before using it to construct file paths. We can use os.path.normpath to normalize the path and ensure it does not contain any path traversal sequences. Additionally, we should check that the resulting path is within the intended backup directory.

Normalize the data["Backup"] value using os.path.normpath.

Ensure the normalized path is within the WGDashboard_Backup directory.

Update the file path construction to use the validated and sanitized path.

src/dashboard.py

+        if (os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"])) and
+                os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):
+            protocol = "wg"
+        elif (os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"])) and


To fix the problem, we need to validate and sanitize the user-provided Backup value before using it in the os.path.join function. We can use the os.path.normpath function to normalize the path and ensure it does not contain any directory traversal sequences. Additionally, we should check that the resulting path is within the intended directory.

Normalize the Backup value using os.path.normpath.

Ensure the normalized path is within the WGDashboard_Backup directory.

Update the code to use the validated and sanitized path.

src/dashboard.py

+                os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):
+            protocol = "wg"
+        elif (os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"])) and
+              os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):


To fix the problem, we need to validate and sanitize the user-provided data["Backup"] value before using it in file path operations. We can use os.path.normpath to normalize the path and ensure it does not contain any directory traversal sequences. Additionally, we can check that the resulting path is within a predefined safe directory.

Normalize the data["Backup"] value using os.path.normpath.

Ensure the normalized path is within the WGDashboard_Backup directory.

Use the sanitized path for file operations.

src/dashboard.py


        shutil.copy(
-            os.path.join(DashboardConfig.GetConfig("Server", "wg_conf_path")[1], 'WGDashboard_Backup', data["Backup"]),
-            os.path.join(DashboardConfig.GetConfig("Server", "wg_conf_path")[1], f'{data["ConfigurationName"]}.conf')
+            os.path.join(path[protocol], 'WGDashboard_Backup', data["Backup"]),


To fix the problem, we need to ensure that the user-provided Backup value is validated and sanitized before being used in file path operations. We can achieve this by normalizing the path and ensuring it is contained within a safe root directory. This will prevent directory traversal attacks and ensure that only intended files are accessed.

Normalize the Backup path using os.path.normpath.

Ensure the normalized path starts with the intended root directory.

Raise an exception or return an error response if the validation fails.

src/dashboard.py

-            os.path.join(DashboardConfig.GetConfig("Server", "wg_conf_path")[1], 'WGDashboard_Backup', data["Backup"]),
-            os.path.join(DashboardConfig.GetConfig("Server", "wg_conf_path")[1], f'{data["ConfigurationName"]}.conf')
+            os.path.join(path[protocol], 'WGDashboard_Backup', data["Backup"]),
+            os.path.join(path[protocol], f'{data["ConfigurationName"]}.conf')


To fix the problem, we need to ensure that the ConfigurationName provided by the user does not contain any malicious input that could lead to path traversal attacks. We can achieve this by normalizing the path and ensuring it stays within a predefined safe directory. Additionally, we can use a library function like werkzeug.utils.secure_filename to sanitize the filename.

Import the secure_filename function from werkzeug.utils.

Use secure_filename to sanitize the ConfigurationName before using it in the file path.

Normalize the path and ensure it stays within the intended directory.

- Used IntersectionObserver to better render peer list, in case of too many peers will slow down browser

src/dashboard.py

+    file = request.args.get('file')
+    if file is None or len(file) == 0:
+        return ResponseObject(False, "Please specify a file")
+    if os.path.exists(os.path.join('download', file)):


To fix the problem, we need to validate the file parameter to ensure it does not contain any malicious input that could lead to path traversal attacks. The best way to do this is to normalize the path and ensure it is contained within the intended directory. We can use os.path.normpath to remove any .. segments and then check that the resulting path starts with the intended directory.

src/dashboard.py

+    if file is None or len(file) == 0:
+        return ResponseObject(False, "Please specify a file")
+    if os.path.exists(os.path.join('download', file)):
+        return send_file(os.path.join('download', file), as_attachment=True)


To fix the problem, we need to ensure that the file path constructed from user input is safe and does not allow access to files outside the intended directory. We can achieve this by normalizing the path and ensuring it starts with the intended base directory.

Normalize the path using os.path.normpath to remove any ".." segments.

Check that the normalized path starts with the 'download' directory.

donaldzou added 12 commits November 12, 2024 00:12

Update wgd.sh

3ef4798

Update wgd.sh

e963788

Update wgd.sh

b61c9bf

Update wgd.sh

b37d889

Adding support to OpenBSD

e1e147c

Merge pull request #519 from donaldzou/main

c7a4a01

Merge main into bsd support

Update dashboard.py

45fbbf9

Update dashboard.py

597528e

Update dashboard.py

71ee784

Dropping support plan to OpenBSD

8e29345

Merge pull request #520 from donaldzou/main

8ddee03

Merging latest v4.1.1 changes into v4.2.0 branch

Merge pull request #521 from donaldzou/bsd-support

94337a3

Replace `ifcfg` with socket to get default interface address

github-advanced-security bot found potential problems Nov 23, 2024

View reviewed changes

src/dashboard.py Fixed Show fixed Hide fixed

donaldzou added 2 commits November 24, 2024 00:22

Commit

8214000

commit

b8b3992

donaldzou linked an issue Nov 24, 2024 that may be closed by this pull request

v4.2.0 Road Map #461

Open

22 tasks

donaldzou added 2 commits November 25, 2024 02:48

Final build

53b2342

Merge pull request #529 from donaldzou/fix-#522

6a4d16f

Fixing `auth_req` is not working

github-advanced-security bot found potential problems Nov 25, 2024

View reviewed changes

src/DashboardConfig.py Fixed Show fixed Hide fixed

src/DashboardConfig.py Fixed Show fixed Hide fixed

src/Utilities.py Fixed Show resolved Hide resolved

donaldzou force-pushed the v4.2-dev branch from b128481 to 6a4d16f Compare November 25, 2024 13:05

donaldzou added 10 commits November 25, 2024 22:11

Refactored some of the codes

578a1db

update

6c5e054

Update dashboard.py

bf7fb89

- Fixed #497

Fixed UI

b4f3fb3

Added tooltips to dropdown icons

c9d78e3

#524

Update

68e3813

Adjusted login UI

1f5e10e

Build

d77e092

Update

cbffdd8

Update

3e2d6e7

donaldzou and others added 18 commits December 6, 2024 22:03

Update wgd.sh

a042298

Update wgd.sh

e4964da

Update wgd.sh

bcfd9fc

Update deleteConfiguration.vue

febdb2a

Build

939dd05

Update dashboard.py

00acb04

- Disabled `EmailSender` for now

Fixed message center

b4952de

- Fixed message blocking element behind - Adjusted message UI - Allow to dismiss, will not dismiss when mouse hover on it

Adjusted system status widget

d92e62e

Added sorting and search to configuration list

3e01079

Build

7b59149

Update dashboard.py

6a88959

Thanks to @NOXCIS, added this development Ubuntu Dockerfile.

bb3e00a

Update configurationList.vue

d7bc8cd

Build

907a142

HTTPS workflow

9e93f8c

Update gunicorn.conf.py

c2080bd

Working prototype with AWG

53df684

Merge branch 'dev' into v4.2-dev

ccd247d

github-advanced-security bot found potential problems Dec 12, 2024

View reviewed changes

donaldzou added 8 commits December 12, 2024 18:20

HTTPS workflow

7d7e311

Sync with HTTPS build

f425156

Update gunicorn.conf.py

c47b0c9

Update gunicorn.conf.py

c264225

Enhanced peer list rendering

f578d5c

- Used IntersectionObserver to better render peer list, in case of too many peers will slow down browser

Update

eba5be0

Build

514e1ca

Update

6899d48

github-advanced-security bot found potential problems Dec 25, 2024

View reviewed changes

Update dashboard.py

8120602

donaldzou merged commit ef7b5ac into main Dec 29, 2024

@@ -1,2 +1,3 @@
             import itertools, random, shutil, sqlite3, configparser, hashlib, ipaddress, json, traceback, os, secrets, subprocess
+            from werkzeug.utils import secure_filename
             import smtplib
@@ -473,3 +474,7 @@
                     self.Protocol = "wg" if wg else "awg"
-                    self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf') if wg else os.path.join(DashboardConfig.GetConfig("Server", "awg_conf_path")[1], f'{self.Name}.conf')
+                    safe_name = secure_filename(self.Name)
+                    base_path = self.__getProtocolPath() if wg else DashboardConfig.GetConfig("Server", "awg_conf_path")[1]
+                    self.configPath = os.path.normpath(os.path.join(base_path, f'{safe_name}.conf'))
+                    if not self.configPath.startswith(base_path):
+                        raise ValueError("Invalid configuration name resulting in path traversal")
@@ -490,3 +495,7 @@
                         self.Name = data["ConfigurationName"]
-                        self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf')
+                        safe_name = secure_filename(self.Name)
+                        base_path = self.__getProtocolPath()
+                        self.configPath = os.path.normpath(os.path.join(base_path, f'{safe_name}.conf'))
+                        if not self.configPath.startswith(base_path):
+                            raise ValueError("Invalid configuration name resulting in path traversal")

@@ -473,3 +473,6 @@
                     self.Protocol = "wg" if wg else "awg"
-                    self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf') if wg else os.path.join(DashboardConfig.GetConfig("Server", "awg_conf_path")[1], f'{self.Name}.conf')
+                    base_path = self.__getProtocolPath() if wg else DashboardConfig.GetConfig("Server", "awg_conf_path")[1]
+                    self.configPath = os.path.normpath(os.path.join(base_path, f'{self.Name}.conf'))
+                    if not self.configPath.startswith(base_path):
+                        raise ValueError("Invalid configuration path")
@@ -490,3 +493,6 @@
                         self.Name = data["ConfigurationName"]
-                        self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf')
+                        base_path = self.__getProtocolPath()
+                        self.configPath = os.path.normpath(os.path.join(base_path, f'{self.Name}.conf'))
+                        if not self.configPath.startswith(base_path):
+                            raise ValueError("Invalid configuration path")

@@ -473,3 +473,6 @@
                     self.Protocol = "wg" if wg else "awg"
-                    self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf') if wg else os.path.join(DashboardConfig.GetConfig("Server", "awg_conf_path")[1], f'{self.Name}.conf')
+                    base_path = self.__getProtocolPath() if wg else DashboardConfig.GetConfig("Server", "awg_conf_path")[1]
+                    self.configPath = os.path.normpath(os.path.join(base_path, f'{self.Name}.conf'))
+                    if not self.configPath.startswith(base_path):
+                        raise Exception("Invalid configuration path")
@@ -490,3 +493,6 @@
                         self.Name = data["ConfigurationName"]
-                        self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf')
+                        base_path = self.__getProtocolPath()
+                        self.configPath = os.path.normpath(os.path.join(base_path, f'{self.Name}.conf'))
+                        if not self.configPath.startswith(base_path):
+                            raise Exception("Invalid configuration path")

@@ -490,3 +490,6 @@
                         self.Name = data["ConfigurationName"]
-                        self.configPath = os.path.join(self.__getProtocolPath(), f'{self.Name}.conf')
+                        base_path = self.__getProtocolPath()
+                        self.configPath = os.path.normpath(os.path.join(base_path, f'{self.Name}.conf'))
+                        if not self.configPath.startswith(base_path):
+                            raise ValueError("Invalid configuration name resulting in path traversal")

@@ -2222,8 +2222,14 @@
                     }
-                    if (os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"])) and
-                            os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):
+                    backup_file = os.path.normpath(data["Backup"])
+                    backup_sql_file = os.path.normpath(data["Backup"].replace('.conf', '.sql'))
+                    wg_backup_path = os.path.join(path['wg'], 'WGDashboard_Backup')
+                    awg_backup_path = os.path.join(path['awg'], 'WGDashboard_Backup')
+                    if (backup_file.startswith(wg_backup_path) and os.path.exists(os.path.join(wg_backup_path, backup_file)) and
+                            os.path.exists(os.path.join(wg_backup_path, backup_sql_file))):
                         protocol = "wg"
-                    elif (os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"])) and
-                          os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):
+                    elif (backup_file.startswith(awg_backup_path) and os.path.exists(os.path.join(awg_backup_path, backup_file)) and
+                          os.path.exists(os.path.join(awg_backup_path, backup_sql_file))):
                         protocol = "awg"
@@ -2233,3 +2239,3 @@
                     shutil.copy(
-                        os.path.join(path[protocol], 'WGDashboard_Backup', data["Backup"]),
+                        os.path.join(path[protocol], 'WGDashboard_Backup', backup_file),
                         os.path.join(path[protocol], f'{data["ConfigurationName"]}.conf')

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v4.2 Development Branch #523

v4.2 Development Branch #523

donaldzou commented Nov 23, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

@@ -2223,7 +2223,12 @@
-                    if (os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"])) and
-                            os.path.exists(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):
+                    backup_path_wg = os.path.normpath(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"]))
+                    backup_path_wg_sql = os.path.normpath(os.path.join(path['wg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))
+                    backup_path_awg = os.path.normpath(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"]))
+                    backup_path_awg_sql = os.path.normpath(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))
+                    if (backup_path_wg.startswith(os.path.join(path['wg'], 'WGDashboard_Backup')) and os.path.exists(backup_path_wg) and
+                            backup_path_wg_sql.startswith(os.path.join(path['wg'], 'WGDashboard_Backup')) and os.path.exists(backup_path_wg_sql)):
                         protocol = "wg"
-                    elif (os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"])) and
-                          os.path.exists(os.path.join(path['awg'], 'WGDashboard_Backup', data["Backup"].replace('.conf', '.sql')))):
+                    elif (backup_path_awg.startswith(os.path.join(path['awg'], 'WGDashboard_Backup')) and os.path.exists(backup_path_awg) and
+                          backup_path_awg_sql.startswith(os.path.join(path['awg'], 'WGDashboard_Backup')) and os.path.exists(backup_path_awg_sql)):
                         protocol = "awg"
@@ -2233,3 +2238,3 @@
                     shutil.copy(
-                        os.path.join(path[protocol], 'WGDashboard_Backup', data["Backup"]),
+                        backup_path_wg if protocol == "wg" else backup_path_awg,
                         os.path.join(path[protocol], f'{data["ConfigurationName"]}.conf')

@@ -1,2 +1,3 @@
             import itertools, random, shutil, sqlite3, configparser, hashlib, ipaddress, json, traceback, os, secrets, subprocess
+            from werkzeug.utils import secure_filename
             import smtplib
@@ -2232,6 +2233,8 @@
-                    shutil.copy(
-                        os.path.join(path[protocol], 'WGDashboard_Backup', data["Backup"]),
-                        os.path.join(path[protocol], f'{data["ConfigurationName"]}.conf')
-                    )
+                    safe_configuration_name = secure_filename(data["ConfigurationName"])
+                    backup_path = os.path.join(path[protocol], 'WGDashboard_Backup', data["Backup"])
+                    config_path = os.path.join(path[protocol], f'{safe_configuration_name}.conf')
+                    if not os.path.commonpath([config_path, path[protocol]]) == path[protocol]:
+                        return ResponseObject(False, "Invalid configuration name.")
+                    shutil.copy(backup_path, config_path)
                     WireguardConfigurations[data['ConfigurationName']] = WireguardConfiguration(data=data, name=data['ConfigurationName']) if protocol == 'wg' else AmneziaWireguardConfiguration(data=data, name=data['ConfigurationName'])

@@ -2801,4 +2801,8 @@
                     return ResponseObject(False, "Please specify a file")
-                if os.path.exists(os.path.join('download', file)):
-                    return send_file(os.path.join('download', file), as_attachment=True)
+                safe_base_path = os.path.abspath('download')
+                full_path = os.path.abspath(os.path.join(safe_base_path, file))
+                if not full_path.startswith(safe_base_path):
+                    return ResponseObject(False, "Invalid file path")
+                if os.path.exists(full_path):
+                    return send_file(full_path, as_attachment=True)
                 else:

v4.2 Development Branch #523

v4.2 Development Branch #523

Conversation

donaldzou commented Nov 23, 2024