2014-01-09 06:42:05 +00:00
|
|
|
package config
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
|
|
|
"io/ioutil"
|
2020-04-24 04:16:44 +00:00
|
|
|
|
|
|
|
log "github.com/gophish/gophish/logger"
|
2014-01-09 06:42:05 +00:00
|
|
|
)
|
|
|
|
|
2016-01-17 16:45:13 +00:00
|
|
|
// AdminServer represents the Admin server configuration details
|
|
|
|
type AdminServer struct {
|
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 14:36:18 +00:00
|
|
|
ListenURL string `json:"listen_url"`
|
|
|
|
UseTLS bool `json:"use_tls"`
|
|
|
|
CertPath string `json:"cert_path"`
|
|
|
|
KeyPath string `json:"key_path"`
|
|
|
|
CSRFKey string `json:"csrf_key"`
|
|
|
|
AllowedInternalHosts []string `json:"allowed_internal_hosts"`
|
2022-09-06 14:20:19 +00:00
|
|
|
TrustedOrigins []string `json:"trusted_origins"`
|
2016-01-17 16:45:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// PhishServer represents the Phish server configuration details
|
|
|
|
type PhishServer struct {
|
|
|
|
ListenURL string `json:"listen_url"`
|
|
|
|
UseTLS bool `json:"use_tls"`
|
|
|
|
CertPath string `json:"cert_path"`
|
|
|
|
KeyPath string `json:"key_path"`
|
|
|
|
}
|
|
|
|
|
2022-09-29 11:25:35 +00:00
|
|
|
// Attachments represents the handling of attachments in emails
|
|
|
|
type Attachments struct {
|
|
|
|
PlainTextFileList []string `json:"plain_text_file_list"`
|
|
|
|
}
|
|
|
|
|
2014-03-25 03:31:33 +00:00
|
|
|
// Config represents the configuration information.
|
|
|
|
type Config struct {
|
2020-01-17 04:21:58 +00:00
|
|
|
AdminConf AdminServer `json:"admin_server"`
|
|
|
|
PhishConf PhishServer `json:"phish_server"`
|
|
|
|
DBName string `json:"db_name"`
|
|
|
|
DBPath string `json:"db_path"`
|
|
|
|
DBSSLCaPath string `json:"db_sslca_path"`
|
|
|
|
MigrationsPath string `json:"migrations_prefix"`
|
|
|
|
TestFlag bool `json:"test_flag"`
|
|
|
|
ContactAddress string `json:"contact_address"`
|
|
|
|
Logging *log.Config `json:"logging"`
|
2022-09-29 11:25:35 +00:00
|
|
|
Attachments Attachments `json:"attachments"`
|
2014-03-25 03:31:33 +00:00
|
|
|
}
|
|
|
|
|
2016-08-06 23:58:34 +00:00
|
|
|
// Version contains the current gophish version
|
2017-09-06 02:54:32 +00:00
|
|
|
var Version = ""
|
2016-08-06 23:58:34 +00:00
|
|
|
|
2018-06-19 02:37:59 +00:00
|
|
|
// ServerName is the server type that is returned in the transparency response.
|
|
|
|
const ServerName = "gophish"
|
|
|
|
|
2017-09-06 02:54:32 +00:00
|
|
|
// LoadConfig loads the configuration from the specified filepath
|
2018-12-15 21:42:32 +00:00
|
|
|
func LoadConfig(filepath string) (*Config, error) {
|
2014-01-09 06:42:05 +00:00
|
|
|
// Get the config file
|
2017-09-06 02:54:32 +00:00
|
|
|
configFile, err := ioutil.ReadFile(filepath)
|
2014-01-09 06:42:05 +00:00
|
|
|
if err != nil {
|
2018-12-15 21:42:32 +00:00
|
|
|
return nil, err
|
2018-10-06 20:47:31 +00:00
|
|
|
}
|
2018-12-15 21:42:32 +00:00
|
|
|
config := &Config{}
|
|
|
|
err = json.Unmarshal(configFile, config)
|
2018-10-06 20:47:31 +00:00
|
|
|
if err != nil {
|
2018-12-15 21:42:32 +00:00
|
|
|
return nil, err
|
2014-01-09 06:42:05 +00:00
|
|
|
}
|
2020-07-18 03:14:04 +00:00
|
|
|
if config.Logging == nil {
|
|
|
|
config.Logging = &log.Config{}
|
|
|
|
}
|
2016-11-19 16:37:22 +00:00
|
|
|
// Choosing the migrations directory based on the database used.
|
2018-12-15 21:42:32 +00:00
|
|
|
config.MigrationsPath = config.MigrationsPath + config.DBName
|
2017-12-09 21:42:07 +00:00
|
|
|
// Explicitly set the TestFlag to false to prevent config.json overrides
|
2018-12-15 21:42:32 +00:00
|
|
|
config.TestFlag = false
|
|
|
|
return config, nil
|
2014-01-09 06:42:05 +00:00
|
|
|
}
|