Fix default configurations (#597)
* fix default perms on SQLite file * seed the prng securely * fix defaults to enforce certificate verification * ensure file is within path * ensure the directory doesn't exist beforehand * verify certificate by default * disable http ip forward headers
parent
bb25a261ad
commit
e74f221044
|
@ -5,6 +5,9 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/cwhub"
|
"github.com/crowdsecurity/crowdsec/pkg/cwhub"
|
||||||
|
@ -35,11 +38,13 @@ func backupConfigToDirectory(dirPath string) error {
|
||||||
return fmt.Errorf("directory path can't be empty")
|
return fmt.Errorf("directory path can't be empty")
|
||||||
}
|
}
|
||||||
log.Infof("Starting configuration backup")
|
log.Infof("Starting configuration backup")
|
||||||
_, err = os.Stat(dirPath)
|
/*if parent directory doesn't exist, bail out. create final dir with Mkdir*/
|
||||||
if err == nil {
|
parentDir := filepath.Dir(dirPath)
|
||||||
return fmt.Errorf("%s already exists", dirPath)
|
if _, err := os.Stat(parentDir); err != nil {
|
||||||
|
return errors.Wrapf(err, "while checking parent directory %s existence", parentDir)
|
||||||
}
|
}
|
||||||
if err = os.MkdirAll(dirPath, os.ModePerm); err != nil {
|
|
||||||
|
if err = os.Mkdir(dirPath, 0600); err != nil {
|
||||||
return fmt.Errorf("error while creating %s : %s", dirPath, err)
|
return fmt.Errorf("error while creating %s : %s", dirPath, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
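Review bot: `os.Mkdir(dirPath, 0600)` creates the backup directory without the execute (search) bit, so an unprivileged caller cannot create or open files inside it and the backup that follows fails with a permission error; the intended mode for a private directory is `0700`, i.e. `if err = os.Mkdir(dirPath, 0700); err != nil {`. Root bypasses directory mode checks, which would mask this in the common case where cscli runs as root, so a non-root test is the way to catch it. The removed Stat-based "already exists" guard is now provided by Mkdir itself, which errors on an existing path, so that behaviour is preserved. backupConfigToDirectory continues outside the hunk.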
@ -1,10 +1,11 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
saferand "crypto/rand"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"math/rand"
|
"math/big"
|
||||||
"os"
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
@ -42,20 +43,18 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
func generatePassword(length int) string {
|
func generatePassword(length int) string {
|
||||||
rand.Seed(time.Now().UnixNano())
|
|
||||||
charset := upper + lower + digits
|
charset := upper + lower + digits
|
||||||
|
charsetLength := len(charset)
|
||||||
|
|
||||||
buf := make([]byte, length)
|
buf := make([]byte, length)
|
||||||
buf[0] = digits[rand.Intn(len(digits))]
|
for i := 0; i < length; i++ {
|
||||||
buf[1] = upper[rand.Intn(len(upper))]
|
rInt, err := saferand.Int(saferand.Reader, big.NewInt(int64(charsetLength)))
|
||||||
buf[2] = lower[rand.Intn(len(lower))]
|
if err != nil {
|
||||||
|
log.Fatalf("failed getting data from prng for password generation : %s", err)
|
||||||
for i := 3; i < length; i++ {
|
}
|
||||||
buf[i] = charset[rand.Intn(len(charset))]
|
buf[i] = charset[rInt.Int64()]
|
||||||
}
|
}
|
||||||
rand.Shuffle(len(buf), func(i, j int) {
|
|
||||||
buf[i], buf[j] = buf[j], buf[i]
|
|
||||||
})
|
|
||||||
|
|
||||||
return string(buf)
|
return string(buf)
|
||||||
}
|
}
|
||||||
|
|
|
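Review bot: The rewritten loop no longer guarantees at least one digit, one upper-case and one lower-case character, which the removed `buf[0]`..`buf[2]` assignments plus shuffle ensured; if any consumer of the generated password applies a character-class policy, that property needs to be reintroduced by drawing those three characters the same way and shuffling with indices taken from `saferand.Int`. `log.Fatalf` inside a helper terminates the whole process on a PRNG read error; returning an error to the caller is the usual shape, though that is a signature change beyond this commit. `"time"` stays imported although its only use shown here (`rand.Seed`) is removed — worth confirming something else in the file still uses it.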
@ -31,7 +31,7 @@ db_config:
|
||||||
max_age: 7d
|
max_age: 7d
|
||||||
api:
|
api:
|
||||||
client:
|
client:
|
||||||
insecure_skip_verify: true
|
insecure_skip_verify: false
|
||||||
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
||||||
server:
|
server:
|
||||||
log_level: info
|
log_level: info
|
||||||
|
|
|
@ -27,7 +27,7 @@ db_config:
|
||||||
port: 3306
|
port: 3306
|
||||||
api:
|
api:
|
||||||
client:
|
client:
|
||||||
insecure_skip_verify: true # default true
|
insecure_skip_verify: false # default true
|
||||||
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
||||||
server:
|
server:
|
||||||
#log_level: info
|
#log_level: info
|
||||||
|
|
|
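Review bot: The trailing comment `# default true` on the changed line is now stale, since both the sample value and the code fallback (the `apiclient.InsecureSkipVerify` default changed in this same commit) are `false`; write `insecure_skip_verify: false # default false` or drop the comment so the template does not contradict the behaviour it documents.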
@ -31,7 +31,7 @@ db_config:
|
||||||
max_age: 7d
|
max_age: 7d
|
||||||
api:
|
api:
|
||||||
client:
|
client:
|
||||||
insecure_skip_verify: true
|
insecure_skip_verify: false
|
||||||
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
||||||
server:
|
server:
|
||||||
log_level: info
|
log_level: info
|
||||||
|
|
|
@ -43,7 +43,7 @@ db_config:
|
||||||
max_age: 7d
|
max_age: 7d
|
||||||
api:
|
api:
|
||||||
client:
|
client:
|
||||||
insecure_skip_verify: true
|
insecure_skip_verify: false
|
||||||
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
credentials_path: /etc/crowdsec/local_api_credentials.yaml
|
||||||
server:
|
server:
|
||||||
log_level: info
|
log_level: info
|
||||||
|
|
|
@ -14,7 +14,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
InsecureSkipVerify = true
|
InsecureSkipVerify = false
|
||||||
)
|
)
|
||||||
|
|
||||||
type ApiClient struct {
|
type ApiClient struct {
|
||||||
|
|
|
@ -61,6 +61,10 @@ func NewServer(config *csconfig.LocalApiServerCfg) (*APIServer, error) {
|
||||||
}
|
}
|
||||||
log.Debugf("starting router, logging to %s", logFile)
|
log.Debugf("starting router, logging to %s", logFile)
|
||||||
router := gin.New()
|
router := gin.New()
|
||||||
|
/*related to https://github.com/gin-gonic/gin/pull/2474
|
||||||
|
Gin team doesn't seem to be willing to have a opt-in/opt-out on the trusted proxies.
|
||||||
|
For now, let's not trust that. */
|
||||||
|
router.ForwardedByClientIP = false
|
||||||
|
|
||||||
/*The logger that will be used by handlers*/
|
/*The logger that will be used by handlers*/
|
||||||
clog := log.New()
|
clog := log.New()
|
||||||
|
|
|
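Review bot: With `router.ForwardedByClientIP = false`, gin's ClientIP() falls back to the socket peer address, so behind a reverse proxy or load balancer every request is attributed to the proxy's IP in whatever the server logs or keys on client IP; that is the safe default, but the trade-off deserves a line in the server configuration docs and ideally a config knob (e.g. a `trusted_proxies` list, name constructed here) so operators can re-enable header trust only for known proxies. If a gin release with trusted-proxy allowlisting is adopted later, an allowlist is preferable to a global off switch. NewServer continues outside the hunk.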
@ -125,7 +125,7 @@ func (c *GlobalConfig) LoadConfiguration() error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if c.API.Client.InsecureSkipVerify == nil {
|
if c.API.Client.InsecureSkipVerify == nil {
|
||||||
apiclient.InsecureSkipVerify = true
|
apiclient.InsecureSkipVerify = false
|
||||||
} else {
|
} else {
|
||||||
apiclient.InsecureSkipVerify = *c.API.Client.InsecureSkipVerify
|
apiclient.InsecureSkipVerify = *c.API.Client.InsecureSkipVerify
|
||||||
}
|
}
|
||||||
|
|
|
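Review bot: The `nil` branch now assigns the same value as the package-level default in apiclient (changed to `false` in this commit), so the explicit fallback is redundant; it can stay as documentation of intent, or the block can collapse to `if v := c.API.Client.InsecureSkipVerify; v != nil { apiclient.InsecureSkipVerify = *v }`. Either way a one-line comment stating that TLS verification is on unless the configuration opts out would help the next reader. LoadConfiguration continues outside the hunk.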
@ -3,6 +3,7 @@ package cwhub
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
|
"path/filepath"
|
||||||
|
|
||||||
//"errors"
|
//"errors"
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
|
@ -127,7 +128,6 @@ func DownloadItem(cscli *csconfig.CscliCfg, target Item, overwrite bool) (Item,
|
||||||
return target, nil
|
return target, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
req, err := http.NewRequest("GET", fmt.Sprintf(RawFileURLTemplate, HubBranch, target.RemotePath), nil)
|
req, err := http.NewRequest("GET", fmt.Sprintf(RawFileURLTemplate, HubBranch, target.RemotePath), nil)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return target, errors.Wrap(err, fmt.Sprintf("while downloading %s", req.URL.String()))
|
return target, errors.Wrap(err, fmt.Sprintf("while downloading %s", req.URL.String()))
|
||||||
|
@ -159,6 +159,14 @@ func DownloadItem(cscli *csconfig.CscliCfg, target Item, overwrite bool) (Item,
|
||||||
tmpdirs := strings.Split(tdir+"/"+target.RemotePath, "/")
|
tmpdirs := strings.Split(tdir+"/"+target.RemotePath, "/")
|
||||||
parent_dir := strings.Join(tmpdirs[:len(tmpdirs)-1], "/")
|
parent_dir := strings.Join(tmpdirs[:len(tmpdirs)-1], "/")
|
||||||
|
|
||||||
|
/*ensure that target file is within target dir*/
|
||||||
|
finalPath, err := filepath.Abs(tdir + "/" + target.RemotePath)
|
||||||
|
if err != nil {
|
||||||
|
return target, errors.Wrapf(err, "Abs error on %s", tdir+"/"+target.RemotePath)
|
||||||
|
}
|
||||||
|
if !strings.HasPrefix(finalPath, tdir) {
|
||||||
|
return target, fmt.Errorf("path %s escapes %s, abort", target.RemotePath, tdir)
|
||||||
|
}
|
||||||
/*check dir*/
|
/*check dir*/
|
||||||
if _, err = os.Stat(parent_dir); os.IsNotExist(err) {
|
if _, err = os.Stat(parent_dir); os.IsNotExist(err) {
|
||||||
log.Debugf("%s doesn't exist, create", parent_dir)
|
log.Debugf("%s doesn't exist, create", parent_dir)
|
||||||
|
@ -167,7 +175,7 @@ func DownloadItem(cscli *csconfig.CscliCfg, target Item, overwrite bool) (Item,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
/*check actual file*/
|
/*check actual file*/
|
||||||
if _, err = os.Stat(tdir + "/" + target.RemotePath); !os.IsNotExist(err) {
|
if _, err = os.Stat(finalPath); !os.IsNotExist(err) {
|
||||||
log.Warningf("%s : overwrite", target.Name)
|
log.Warningf("%s : overwrite", target.Name)
|
||||||
log.Debugf("target: %s/%s", tdir, target.RemotePath)
|
log.Debugf("target: %s/%s", tdir, target.RemotePath)
|
||||||
} else {
|
} else {
|
||||||
|
|
|
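Review bot: The containment check `strings.HasPrefix(finalPath, tdir)` compares an absolute, cleaned path against an unnormalised `tdir`, so it misbehaves in both directions: a relative or unclean `tdir` (trailing slash, `..` segments) never matches and every download is rejected, while a sibling directory sharing the prefix (`<tdir>2/...`) is accepted. Normalise `tdir` the same way and test containment with `filepath.Rel`, requiring the result not to start with `..`; `parent_dir` is still derived from the raw string and should be taken from the checked path too. `filepath.Abs` does not resolve symlinks, so a symlinked component under the hub directory is not covered by this check; `filepath.EvalSymlinks` on the parent would be needed for that. DownloadItem starts and ends outside the hunk.
```go
/*ensure that target file is within target dir*/
tdirAbs, err := filepath.Abs(tdir)
if err != nil {
	return target, errors.Wrapf(err, "Abs error on %s", tdir)
}
finalPath, err := filepath.Abs(filepath.Join(tdir, target.RemotePath))
if err != nil {
	return target, errors.Wrapf(err, "Abs error on %s", tdir+"/"+target.RemotePath)
}
rel, err := filepath.Rel(tdirAbs, finalPath)
if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
	return target, fmt.Errorf("path %s escapes %s, abort", target.RemotePath, tdir)
}
// … unchanged: parent_dir existence check and overwrite handling …
```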
@ -3,6 +3,7 @@ package database
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"os"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
"github.com/crowdsecurity/crowdsec/pkg/csconfig"
|
||||||
|
@ -30,6 +31,21 @@ func NewClient(config *csconfig.DatabaseCfg) (*Client, error) {
|
||||||
}
|
}
|
||||||
switch config.Type {
|
switch config.Type {
|
||||||
case "sqlite":
|
case "sqlite":
|
||||||
|
|
||||||
|
/*if it's the first startup, we want to touch and chmod file*/
|
||||||
|
if _, err := os.Stat(config.DbPath); os.IsNotExist(err) {
|
||||||
|
f, err := os.OpenFile(config.DbPath, os.O_CREATE|os.O_RDWR, 0600)
|
||||||
|
if err != nil {
|
||||||
|
return &Client{}, errors.Wrapf(err, "failed to create SQLite database file %q", config.DbPath)
|
||||||
|
}
|
||||||
|
if err := f.Close(); err != nil {
|
||||||
|
return &Client{}, errors.Wrapf(err, "failed to create SQLite database file %q", config.DbPath)
|
||||||
|
}
|
||||||
|
} else { /*ensure file perms*/
|
||||||
|
if err := os.Chmod(config.DbPath, 0600); err != nil {
|
||||||
|
return &Client{}, fmt.Errorf("unable to set perms on %s: %v", config.DbPath, err)
|
||||||
|
}
|
||||||
|
}
|
||||||
client, err = ent.Open("sqlite3", fmt.Sprintf("file:%s?_busy_timeout=100000&_fk=1", config.DbPath))
|
client, err = ent.Open("sqlite3", fmt.Sprintf("file:%s?_busy_timeout=100000&_fk=1", config.DbPath))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return &Client{}, fmt.Errorf("failed opening connection to sqlite: %v", err)
|
return &Client{}, fmt.Errorf("failed opening connection to sqlite: %v", err)
|
||||||
|
|
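Review bot: The `else` branch re-applies `os.Chmod(config.DbPath, 0600)` on every start regardless of the file's current mode, so a deliberately wider mode set by an operator is silently undone each boot; tightening only when group/other bits are set, `if fi, err := os.Stat(config.DbPath); err == nil && fi.Mode().Perm()&0077 != 0 {`, and logging a warning when it does so makes the change visible instead of silent. The error wrapped on `f.Close()` reuses the "failed to create" message, which misleads when the file was created but the close failed; say "closing" there. The Stat-then-OpenFile pair is a harmless race, since `O_CREATE` without `O_EXCL` tolerates the file appearing in between. NewClient continues outside the hunk.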