gophish/controllers/phish.go

package controllers

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"net"
	"net/http"
	"net/mail"
	"net/url"
	"strings"

	ctx "github.com/gophish/gophish/context"
	log "github.com/gophish/gophish/logger"
	"github.com/gophish/gophish/models"
	"github.com/gorilla/mux"
)

// ErrInvalidRequest is thrown when a request with an invalid structure is
// received
var ErrInvalidRequest = errors.New("Invalid request")

// ErrCampaignComplete is thrown when an event is received for a campaign that
// has already been marked as complete.
var ErrCampaignComplete = errors.New("Event received on completed campaign")

// CreatePhishingRouter creates the router that handles phishing connections.
func CreatePhishingRouter() http.Handler {
	router := mux.NewRouter()
	fileServer := http.FileServer(UnindexedFileSystem{http.Dir("./static/endpoint/")})
	router.PathPrefix("/static/").Handler(http.StripPrefix("/static/", fileServer))
	router.HandleFunc("/track", PhishTracker)
	router.HandleFunc("/robots.txt", RobotsHandler)
	router.HandleFunc("/{path:.*}/track", PhishTracker)
	router.HandleFunc("/{path:.*}/report", PhishReporter)
	router.HandleFunc("/report", PhishReporter)
	router.HandleFunc("/{path:.*}", PhishHandler)
	return router
}

// PhishTracker tracks emails as they are opened, updating the status for the given Result
func PhishTracker(w http.ResponseWriter, r *http.Request) {
	err, r := setupContext(r)
	if err != nil {
		// Log the error if it wasn't something we can safely ignore
		if err != ErrInvalidRequest && err != ErrCampaignComplete {
			log.Error(err)
		}
		http.NotFound(w, r)
		return
	}
	rs := ctx.Get(r, "result").(models.Result)
	d := ctx.Get(r, "details").(models.EventDetails)
	err = rs.HandleEmailOpened(d)
	if err != nil {
		log.Error(err)
	}
	http.ServeFile(w, r, "static/images/pixel.png")
}

// PhishReporter tracks emails as they are reported, updating the status for the given Result
func PhishReporter(w http.ResponseWriter, r *http.Request) {
	err, r := setupContext(r)
	if err != nil {
		// Log the error if it wasn't something we can safely ignore
		if err != ErrInvalidRequest && err != ErrCampaignComplete {
			log.Error(err)
		}
		http.NotFound(w, r)
		return
	}
	rs := ctx.Get(r, "result").(models.Result)
	d := ctx.Get(r, "details").(models.EventDetails)

	err = rs.HandleEmailReport(d)
	if err != nil {
		log.Error(err)
	}
	w.WriteHeader(http.StatusNoContent)
}

// PhishHandler handles incoming client connections and registers the associated actions performed
// (such as clicked link, etc.)
func PhishHandler(w http.ResponseWriter, r *http.Request) {
	err, r := setupContext(r)
	if err != nil {
		// Log the error if it wasn't something we can safely ignore
		if err != ErrInvalidRequest && err != ErrCampaignComplete {
			log.Error(err)
		}
		http.NotFound(w, r)
		return
	}
	rs := ctx.Get(r, "result").(models.Result)
	c := ctx.Get(r, "campaign").(models.Campaign)
	d := ctx.Get(r, "details").(models.EventDetails)
	p, err := models.GetPage(c.PageId, c.UserId)
	if err != nil {
		log.Error(err)
		http.NotFound(w, r)
		return
	}
	switch {
	case r.Method == "GET":
		err = rs.HandleClickedLink(d)
		if err != nil {
			log.Error(err)
		}
	case r.Method == "POST":
		err = rs.HandleFormSubmit(d)
		if err != nil {
			log.Error(err)
		}
		// Redirect to the desired page
		if p.RedirectURL != "" {
			http.Redirect(w, r, p.RedirectURL, 302)
			return
		}
	}
	var htmlBuff bytes.Buffer
	tmpl, err := template.New("html_template").Parse(p.HTML)
	if err != nil {
		log.Error(err)
		http.NotFound(w, r)
		return
	}
	f, err := mail.ParseAddress(c.SMTP.FromAddress)
	if err != nil {
		log.Error(err)
	}
	fn := f.Name
	if fn == "" {
		fn = f.Address
	}

	phishURL, _ := url.Parse(c.URL)
	q := phishURL.Query()
	q.Set(models.RecipientParameter, rs.RId)
	phishURL.RawQuery = q.Encode()

	rsf := struct {
		models.Result
		URL  string
		From string
	}{
		rs,
		phishURL.String(),
		fn,
	}
	err = tmpl.Execute(&htmlBuff, rsf)
	if err != nil {
		log.Error(err)
		http.NotFound(w, r)
		return
	}
	w.Write(htmlBuff.Bytes())
}

// RobotsHandler prevents search engines, etc. from indexing phishing materials
func RobotsHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "User-agent: *\nDisallow: /")
}

// setupContext handles some of the administrative work around receiving a new request, such as checking the result ID, the campaign, etc.
func setupContext(r *http.Request) (error, *http.Request) {
	err := r.ParseForm()
	if err != nil {
		log.Error(err)
		return err, r
	}
	id := r.Form.Get(models.RecipientParameter)
	if id == "" {
		return ErrInvalidRequest, r
	}
	rs, err := models.GetResult(id)
	if err != nil {
		return err, r
	}
	c, err := models.GetCampaign(rs.CampaignId, rs.UserId)
	if err != nil {
		log.Error(err)
		return err, r
	}
	// Don't process events for completed campaigns
	if c.Status == models.CAMPAIGN_COMPLETE {
		return ErrCampaignComplete, r
	}
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		log.Error(err)
		return err, r
	}
	// Respect X-Forwarded headers
	if fips := r.Header.Get("X-Forwarded-For"); fips != "" {
		ip = strings.Split(fips, ", ")[0]
	}
	// Handle post processing such as GeoIP
	err = rs.UpdateGeo(ip)
	if err != nil {
		log.Error(err)
	}
	d := models.EventDetails{
		Payload: r.Form,
		Browser: make(map[string]string),
	}
	d.Browser["address"] = ip
	d.Browser["user-agent"] = r.Header.Get("User-Agent")

	r = ctx.Set(r, "result", rs)
	r = ctx.Set(r, "campaign", c)
	r = ctx.Set(r, "details", d)
	return nil, r
}
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`package controllers`

			`import (`
			`"bytes"`
			`"errors"`
			`"fmt"`
			`"html/template"`
			`"net"`
			`"net/http"`
			`"net/mail"`
			`"net/url"`
			`"strings"`

			`ctx "github.com/gophish/gophish/context"`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log "github.com/gophish/gophish/logger"`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`"github.com/gophish/gophish/models"`
			`"github.com/gorilla/mux"`
			`)`

			`// ErrInvalidRequest is thrown when a request with an invalid structure is`
			`// received`
			`var ErrInvalidRequest = errors.New("Invalid request")`

			`// ErrCampaignComplete is thrown when an event is received for a campaign that`
			`// has already been marked as complete.`
			`var ErrCampaignComplete = errors.New("Event received on completed campaign")`

			`// CreatePhishingRouter creates the router that handles phishing connections.`
			`func CreatePhishingRouter() http.Handler {`
			`router := mux.NewRouter()`
Removed directory listing of static assets. Fixes #1077. Fixes #815 2018-05-24 04:03:48 +00:00			`fileServer := http.FileServer(UnindexedFileSystem{http.Dir("./static/endpoint/")})`
			`router.PathPrefix("/static/").Handler(http.StripPrefix("/static/", fileServer))`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`router.HandleFunc("/track", PhishTracker)`
			`router.HandleFunc("/robots.txt", RobotsHandler)`
			`router.HandleFunc("/{path:.*}/track", PhishTracker)`
Adding "Report Email" Support (#1014) Adds the capability to report phishing campaigns using an email client extension. Note: Gophish does not currently provide an email client extension out of the box. This is simply a mechanism to let existing email client add-ons send report status information to Gophish, and have that information reflected in the dashboard. 2018-03-19 03:03:00 +00:00			`router.HandleFunc("/{path:.*}/report", PhishReporter)`
			`router.HandleFunc("/report", PhishReporter)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`router.HandleFunc("/{path:.*}", PhishHandler)`
			`return router`
			`}`

			`// PhishTracker tracks emails as they are opened, updating the status for the given Result`
			`func PhishTracker(w http.ResponseWriter, r *http.Request) {`
			`err, r := setupContext(r)`
			`if err != nil {`
			`// Log the error if it wasn't something we can safely ignore`
			`if err != ErrInvalidRequest && err != ErrCampaignComplete {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`http.NotFound(w, r)`
			`return`
			`}`
			`rs := ctx.Get(r, "result").(models.Result)`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`d := ctx.Get(r, "details").(models.EventDetails)`
			`err = rs.HandleEmailOpened(d)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`http.ServeFile(w, r, "static/images/pixel.png")`
			`}`

Adding "Report Email" Support (#1014) Adds the capability to report phishing campaigns using an email client extension. Note: Gophish does not currently provide an email client extension out of the box. This is simply a mechanism to let existing email client add-ons send report status information to Gophish, and have that information reflected in the dashboard. 2018-03-19 03:03:00 +00:00			`// PhishReporter tracks emails as they are reported, updating the status for the given Result`
			`func PhishReporter(w http.ResponseWriter, r *http.Request) {`
			`err, r := setupContext(r)`
			`if err != nil {`
			`// Log the error if it wasn't something we can safely ignore`
			`if err != ErrInvalidRequest && err != ErrCampaignComplete {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Adding "Report Email" Support (#1014) Adds the capability to report phishing campaigns using an email client extension. Note: Gophish does not currently provide an email client extension out of the box. This is simply a mechanism to let existing email client add-ons send report status information to Gophish, and have that information reflected in the dashboard. 2018-03-19 03:03:00 +00:00			`}`
			`http.NotFound(w, r)`
			`return`
			`}`
			`rs := ctx.Get(r, "result").(models.Result)`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`d := ctx.Get(r, "details").(models.EventDetails)`
Adding "Report Email" Support (#1014) Adds the capability to report phishing campaigns using an email client extension. Note: Gophish does not currently provide an email client extension out of the box. This is simply a mechanism to let existing email client add-ons send report status information to Gophish, and have that information reflected in the dashboard. 2018-03-19 03:03:00 +00:00
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`err = rs.HandleEmailReport(d)`
Adding "Report Email" Support (#1014) Adds the capability to report phishing campaigns using an email client extension. Note: Gophish does not currently provide an email client extension out of the box. This is simply a mechanism to let existing email client add-ons send report status information to Gophish, and have that information reflected in the dashboard. 2018-03-19 03:03:00 +00:00			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Adding "Report Email" Support (#1014) Adds the capability to report phishing campaigns using an email client extension. Note: Gophish does not currently provide an email client extension out of the box. This is simply a mechanism to let existing email client add-ons send report status information to Gophish, and have that information reflected in the dashboard. 2018-03-19 03:03:00 +00:00			`}`
			`w.WriteHeader(http.StatusNoContent)`
			`}`

Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`// PhishHandler handles incoming client connections and registers the associated actions performed`
			`// (such as clicked link, etc.)`
			`func PhishHandler(w http.ResponseWriter, r *http.Request) {`
			`err, r := setupContext(r)`
			`if err != nil {`
			`// Log the error if it wasn't something we can safely ignore`
			`if err != ErrInvalidRequest && err != ErrCampaignComplete {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`http.NotFound(w, r)`
			`return`
			`}`
			`rs := ctx.Get(r, "result").(models.Result)`
			`c := ctx.Get(r, "campaign").(models.Campaign)`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`d := ctx.Get(r, "details").(models.EventDetails)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`p, err := models.GetPage(c.PageId, c.UserId)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Better handling of template errors when rendering the phishing page. Fixes #1008. 2018-03-23 02:29:07 +00:00			`http.NotFound(w, r)`
			`return`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`switch {`
			`case r.Method == "GET":`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`err = rs.HandleClickedLink(d)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`case r.Method == "POST":`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`err = rs.HandleFormSubmit(d)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`// Redirect to the desired page`
			`if p.RedirectURL != "" {`
			`http.Redirect(w, r, p.RedirectURL, 302)`
			`return`
			`}`
			`}`
			`var htmlBuff bytes.Buffer`
			`tmpl, err := template.New("html_template").Parse(p.HTML)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`http.NotFound(w, r)`
Better handling of template errors when rendering the phishing page. Fixes #1008. 2018-03-23 02:29:07 +00:00			`return`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`f, err := mail.ParseAddress(c.SMTP.FromAddress)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`fn := f.Name`
			`if fn == "" {`
			`fn = f.Address`
			`}`
Moved rid parameter to a separate constant. Fixes #911 2018-02-23 05:02:27 +00:00
			`phishURL, _ := url.Parse(c.URL)`
			`q := phishURL.Query()`
			`q.Set(models.RecipientParameter, rs.RId)`
			`phishURL.RawQuery = q.Encode()`

Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`rsf := struct {`
			`models.Result`
			`URL string`
			`From string`
			`}{`
			`rs,`
Moved rid parameter to a separate constant. Fixes #911 2018-02-23 05:02:27 +00:00			`phishURL.String(),`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`fn,`
			`}`
			`err = tmpl.Execute(&htmlBuff, rsf)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`http.NotFound(w, r)`
Better handling of template errors when rendering the phishing page. Fixes #1008. 2018-03-23 02:29:07 +00:00			`return`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
			`w.Write(htmlBuff.Bytes())`
			`}`

			`// RobotsHandler prevents search engines, etc. from indexing phishing materials`
			`func RobotsHandler(w http.ResponseWriter, r *http.Request) {`
			`fmt.Fprintln(w, "User-agent: *\nDisallow: /")`
			`}`

			`// setupContext handles some of the administrative work around receiving a new request, such as checking the result ID, the campaign, etc.`
			`func setupContext(r http.Request) (error, http.Request) {`
			`err := r.ParseForm()`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`return err, r`
			`}`
Moved rid parameter to a separate constant. Fixes #911 2018-02-23 05:02:27 +00:00			`id := r.Form.Get(models.RecipientParameter)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`if id == "" {`
			`return ErrInvalidRequest, r`
			`}`
			`rs, err := models.GetResult(id)`
			`if err != nil {`
			`return err, r`
			`}`
			`c, err := models.GetCampaign(rs.CampaignId, rs.UserId)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`return err, r`
			`}`
			`// Don't process events for completed campaigns`
			`if c.Status == models.CAMPAIGN_COMPLETE {`
			`return ErrCampaignComplete, r`
			`}`
			`ip, _, err := net.SplitHostPort(r.RemoteAddr)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`return err, r`
			`}`
			`// Respect X-Forwarded headers`
			`if fips := r.Header.Get("X-Forwarded-For"); fips != "" {`
			`ip = strings.Split(fips, ", ")[0]`
			`}`
			`// Handle post processing such as GeoIP`
			`err = rs.UpdateGeo(ip)`
			`if err != nil {`
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-04 00:07:41 +00:00			`log.Error(err)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`}`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`d := models.EventDetails{`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`Payload: r.Form,`
			`Browser: make(map[string]string),`
			`}`
			`d.Browser["address"] = ip`
			`d.Browser["user-agent"] = r.Header.Get("User-Agent")`

			`r = ctx.Set(r, "result", rs)`
			`r = ctx.Set(r, "campaign", c)`
Refactored result updating to be in result.go. Added the modified_date field to results so it's easy to keep track of the last results that were modified without having to parse every event. Updated the tests to reflect the changes. 2018-05-27 02:26:34 +00:00			`r = ctx.Set(r, "details", d)`
Moved phishing handlers into separate file and added a ton of tests. 2017-06-09 04:41:38 +00:00			`return nil, r`
			`}`