From 2131c17c33a0af757c80d94379baaca147de9931 Mon Sep 17 00:00:00 2001
From: Jordan Wright
Date: Mon, 26 Mar 2018 21:04:22 -0500
Subject: [PATCH] Fixing SSRF by requiring an API key for all import endpoints. Fixes #1026
---
controllers/api_test.go | 7 ++
controllers/route.go | 6 +-
static/js/dist/app/gophish.min.js | 2 +-
static/js/dist/app/templates.min.js | 2 +-
static/js/dist/app/users.min.js | 2 +-
static/js/src/app/gophish.js | 4 +-
static/js/src/app/templates.js | 15 +--
static/js/src/app/users.js | 59 +++++------
templates/users.html | 151 +++++++++++++++-------------
9 files changed, 134 insertions(+), 114 deletions(-)
diff --git a/controllers/api_test.go b/controllers/api_test.go
index 77a4b57e..31d5e627 100644
--- a/controllers/api_test.go
+++ b/controllers/api_test.go
@@ -102,6 +102,13 @@ func (s *ControllersSuite) SetupTest() {
 c.UpdateStatus(models.CAMPAIGN_EMAILS_SENT)
 }
 
+func (s *ControllersSuite) TestRequireAPIKey() {
+ resp, err := http.Post(fmt.Sprintf("%s/api/import/site", as.URL), "application/json", nil)
+ s.Nil(err)
+ defer resp.Body.Close()
+ s.Equal(resp.StatusCode, http.StatusBadRequest)
+}
+
 func (s *ControllersSuite) TestSiteImportBaseHref() {
 h := ""
 ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
diff --git a/controllers/route.go b/controllers/route.go
index b7a3bd98..b3f59d4c 100644
--- a/controllers/route.go
+++ b/controllers/route.go
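Review bot: TestRequireAPIKey pins only `/api/import/site`, while the route.go hunk in this commit wraps three import endpoints, so `/import/group` and `/import/email` could lose `mid.RequireAPIKey` again without any test failing. The assertion `s.Equal(resp.StatusCode, http.StatusBadRequest)` also has its arguments in actual-expected order, which testify reports backwards on failure, and `defer resp.Body.Close()` after a non-fatal `s.Nil(err)` dereferences a nil response if the Post ever errors. The expected 400 is whatever mid.RequireAPIKey returns for a missing key, which is not visible in this commit. I suggest a table-driven loop over all three paths, shown below.
```go
func (s *ControllersSuite) TestRequireAPIKey() {
	// Every import endpoint must refuse a request that carries no API key.
	// The status code is whatever mid.RequireAPIKey returns for a missing key.
	for _, path := range []string{"/api/import/group", "/api/import/email", "/api/import/site"} {
		resp, err := http.Post(as.URL+path, "application/json", nil)
		s.Require().NoError(err, path)
		s.Equal(http.StatusBadRequest, resp.StatusCode, path)
		resp.Body.Close()
	}
}
```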
@@ -59,9 +59,9 @@ func CreateAdminRouter() http.Handler {
 api.HandleFunc("/smtp/", Use(API_SMTP, mid.RequireAPIKey))
 api.HandleFunc("/smtp/{id:[0-9]+}", Use(API_SMTP_Id, mid.RequireAPIKey))
 api.HandleFunc("/util/send_test_email", Use(API_Send_Test_Email, mid.RequireAPIKey))
- api.HandleFunc("/import/group", API_Import_Group)
- api.HandleFunc("/import/email", API_Import_Email)
- api.HandleFunc("/import/site", API_Import_Site)
+ api.HandleFunc("/import/group", Use(API_Import_Group, mid.RequireAPIKey))
+ api.HandleFunc("/import/email", Use(API_Import_Email, mid.RequireAPIKey))
+ api.HandleFunc("/import/site", Use(API_Import_Site, mid.RequireAPIKey))
 
 // Setup static file serving
 router.PathPrefix("/").Handler(http.FileServer(http.Dir("./static/")))
diff --git a/static/js/dist/app/gophish.min.js b/static/js/dist/app/gophish.min.js
index 65dcd500..b1346d6c 100644
--- a/static/js/dist/app/gophish.min.js
+++ b/static/js/dist/app/gophish.min.js
@@ -1 +1 @@
-function errorFlash(e){$("#flashes").empty(),$("#flashes").append('
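Review bot: Authentication on the api subrouter remains opt-in per line: each `api.HandleFunc` has to remember `Use(..., mid.RequireAPIKey)`, which is how the three import routes were missed in the first place, and nothing in this hunk stops the next route from repeating it. A comment above the registrations would at least make the invariant explicit, e.g. `// Every handler on the api subrouter must be wrapped with mid.RequireAPIKey; an unwrapped route is reachable by any browser that can reach the admin server (see #1026).` If the gorilla/mux version in use supports subrouter middleware, applying RequireAPIKey once on `api` would make the secure behaviour the default instead of a per-route choice. CreateAdminRouter continues outside the hunk.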
'+e+"
")}function successFlash(e){$("#flashes").empty(),$("#flashes").append('
'+e+"
")}function modalError(e){$("#modal\\.flashes").empty().append('
'+e+"
")}function query(e,t,n,r){return $.ajax({url:"/api"+e+"?api_key="+user.api_key,async:r,method:t,data:JSON.stringify(n),dataType:"json",contentType:"application/json"})}function escapeHtml(e){return $("
").text(e).html()}function unescapeHtml(e){return $("
").html(e).text()}var capitalize=function(e){return e.charAt(0).toUpperCase()+e.slice(1)},api={campaigns:{get:function(){return query("/campaigns/","GET",{},!1)},post:function(e){return query("/campaigns/","POST",e,!1)},summary:function(){return query("/campaigns/summary","GET",{},!1)}},campaignId:{get:function(e){return query("/campaigns/"+e,"GET",{},!0)},delete:function(e){return query("/campaigns/"+e,"DELETE",{},!1)},results:function(e){return query("/campaigns/"+e+"/results","GET",{},!0)},complete:function(e){return query("/campaigns/"+e+"/complete","GET",{},!0)},summary:function(e){return query("/campaigns/"+e+"/summary","GET",{},!0)}},groups:{get:function(){return query("/groups/","GET",{},!1)},post:function(e){return query("/groups/","POST",e,!1)},summary:function(){return query("/groups/summary","GET",{},!0)}},groupId:{get:function(e){return query("/groups/"+e,"GET",{},!1)},put:function(e){return query("/groups/"+e.id,"PUT",e,!1)},delete:function(e){return query("/groups/"+e,"DELETE",{},!1)}},templates:{get:function(){return query("/templates/","GET",{},!1)},post:function(e){return query("/templates/","POST",e,!1)}},templateId:{get:function(e){return query("/templates/"+e,"GET",{},!1)},put:function(e){return query("/templates/"+e.id,"PUT",e,!1)},delete:function(e){return query("/templates/"+e,"DELETE",{},!1)}},pages:{get:function(){return query("/pages/","GET",{},!1)},post:function(e){return query("/pages/","POST",e,!1)}},pageId:{get:function(e){return query("/pages/"+e,"GET",{},!1)},put:function(e){return query("/pages/"+e.id,"PUT",e,!1)},delete:function(e){return query("/pages/"+e,"DELETE",{},!1)}},SMTP:{get:function(){return query("/smtp/","GET",{},!1)},post:function(e){return query("/smtp/","POST",e,!1)}},SMTPId:{get:function(e){return query("/smtp/"+e,"GET",{},!1)},put:function(e){return query("/smtp/"+e.id,"PUT",e,!1)},delete:function(e){return query("/smtp/"+e,"DELETE",{},!1)}},import_email:function(e){return 
query("/import/email","POST",{},!1)},clone_site:function(e){return query("/import/site","POST",e,!1)},send_test_email:function(e){return query("/util/send_test_email","POST",e,!0)}};$(document).ready(function(){$.fn.dataTable.moment("MMMM Do YYYY, h:mm:ss a"),$('[data-toggle="tooltip"]').tooltip()}); \ No newline at end of file +function errorFlash(e){$("#flashes").empty(),$("#flashes").append('
'+e+"
")}function successFlash(e){$("#flashes").empty(),$("#flashes").append('
'+e+"
")}function modalError(e){$("#modal\\.flashes").empty().append('
'+e+"
")}function query(e,t,n,r){return $.ajax({url:"/api"+e+"?api_key="+user.api_key,async:r,method:t,data:JSON.stringify(n),dataType:"json",contentType:"application/json"})}function escapeHtml(e){return $("
").text(e).html()}function unescapeHtml(e){return $("
").html(e).text()}var capitalize=function(e){return e.charAt(0).toUpperCase()+e.slice(1)},api={campaigns:{get:function(){return query("/campaigns/","GET",{},!1)},post:function(e){return query("/campaigns/","POST",e,!1)},summary:function(){return query("/campaigns/summary","GET",{},!1)}},campaignId:{get:function(e){return query("/campaigns/"+e,"GET",{},!0)},delete:function(e){return query("/campaigns/"+e,"DELETE",{},!1)},results:function(e){return query("/campaigns/"+e+"/results","GET",{},!0)},complete:function(e){return query("/campaigns/"+e+"/complete","GET",{},!0)},summary:function(e){return query("/campaigns/"+e+"/summary","GET",{},!0)}},groups:{get:function(){return query("/groups/","GET",{},!1)},post:function(e){return query("/groups/","POST",e,!1)},summary:function(){return query("/groups/summary","GET",{},!0)}},groupId:{get:function(e){return query("/groups/"+e,"GET",{},!1)},put:function(e){return query("/groups/"+e.id,"PUT",e,!1)},delete:function(e){return query("/groups/"+e,"DELETE",{},!1)}},templates:{get:function(){return query("/templates/","GET",{},!1)},post:function(e){return query("/templates/","POST",e,!1)}},templateId:{get:function(e){return query("/templates/"+e,"GET",{},!1)},put:function(e){return query("/templates/"+e.id,"PUT",e,!1)},delete:function(e){return query("/templates/"+e,"DELETE",{},!1)}},pages:{get:function(){return query("/pages/","GET",{},!1)},post:function(e){return query("/pages/","POST",e,!1)}},pageId:{get:function(e){return query("/pages/"+e,"GET",{},!1)},put:function(e){return query("/pages/"+e.id,"PUT",e,!1)},delete:function(e){return query("/pages/"+e,"DELETE",{},!1)}},SMTP:{get:function(){return query("/smtp/","GET",{},!1)},post:function(e){return query("/smtp/","POST",e,!1)}},SMTPId:{get:function(e){return query("/smtp/"+e,"GET",{},!1)},put:function(e){return query("/smtp/"+e.id,"PUT",e,!1)},delete:function(e){return query("/smtp/"+e,"DELETE",{},!1)}},import_email:function(e){return 
query("/import/email","POST",e,!1)},clone_site:function(e){return query("/import/site","POST",e,!1)},send_test_email:function(e){return query("/util/send_test_email","POST",e,!0)}};$(document).ready(function(){$.fn.dataTable.moment("MMMM Do YYYY, h:mm:ss a"),$('[data-toggle="tooltip"]').tooltip()}); \ No newline at end of file diff --git a/static/js/dist/app/templates.min.js b/static/js/dist/app/templates.min.js index 1d38c98a..fbd104da 100644 --- a/static/js/dist/app/templates.min.js +++ b/static/js/dist/app/templates.min.js 
@@ -1 +1 @@ -function save(a){var t={attachments:[]};t.name=$("#name").val(),t.subject=$("#subject").val(),t.html=CKEDITOR.instances.html_editor.getData(),t.html=t.html.replace(/https?:\/\/{{\.URL}}/gi,"{{.URL}}"),$("#use_tracker_checkbox").prop("checked")?t.html.indexOf("{{.Tracker}}")==-1&&t.html.indexOf("{{.TrackingUrl}}")==-1&&(t.html=t.html.replace("","{{.Tracker}}")):t.html=t.html.replace("{{.Tracker}}",""),t.text=$("#text_editor").val(),$.each($("#attachmentsTable").DataTable().rows().data(),function(a,e){t.attachments.push({name:unescapeHtml(e[1]),content:e[3],type:e[4]})}),a!=-1?(t.id=templates[a].id,api.templateId.put(t).success(function(a){successFlash("Template edited successfully!"),load(),dismiss()}).error(function(a){modalError(a.responseJSON.message)})):api.templates.post(t).success(function(a){successFlash("Template added successfully!"),load(),dismiss()}).error(function(a){modalError(a.responseJSON.message)})}function dismiss(){$("#modal\\.flashes").empty(),$("#attachmentsTable").dataTable().DataTable().clear().draw(),$("#name").val(""),$("#subject").val(""),$("#text_editor").val(""),$("#html_editor").val(""),$("#modal").modal("hide")}function deleteTemplate(a){confirm("Delete "+templates[a].name+"?")&&api.templateId.delete(templates[a].id).success(function(a){successFlash(a.message),load()})}function attach(a){attachmentsTable=$("#attachmentsTable").DataTable({destroy:!0,order:[[1,"asc"]],columnDefs:[{orderable:!1,targets:"no-sort"},{sClass:"datatable_hidden",targets:[3,4]}]}),$.each(a,function(a,t){var e=new FileReader;e.onload=function(a){var o=icons[t.type]||"fa-file-o";attachmentsTable.row.add(['',escapeHtml(t.name),'',e.result.split(",")[1],t.type||"application/octet-stream"]).draw()},e.onerror=function(a){console.log(a)},e.readAsDataURL(t)})}function 
edit(a){$("#modalSubmit").unbind("click").click(function(){save(a)}),$("#attachmentUpload").unbind("click").click(function(){this.value=null}),$("#html_editor").ckeditor(),$("#attachmentsTable").show(),attachmentsTable=$("#attachmentsTable").DataTable({destroy:!0,order:[[1,"asc"]],columnDefs:[{orderable:!1,targets:"no-sort"},{sClass:"datatable_hidden",targets:[3,4]}]});var t={attachments:[]};a!=-1&&(t=templates[a],$("#name").val(t.name),$("#subject").val(t.subject),$("#html_editor").val(t.html),$("#text_editor").val(t.text),$.each(t.attachments,function(a,t){var e=icons[t.type]||"fa-file-o";attachmentsTable.row.add(['',escapeHtml(t.name),'',t.content,t.type||"application/octet-stream"]).draw()}),t.html.indexOf("{{.Tracker}}")!=-1?$("#use_tracker_checkbox").prop("checked",!0):$("#use_tracker_checkbox").prop("checked",!1)),$("#attachmentsTable").unbind("click").on("click","span>i.fa-trash-o",function(){attachmentsTable.row($(this).parents("tr")).remove().draw()})}function copy(a){$("#modalSubmit").unbind("click").click(function(){save(-1)}),$("#attachmentUpload").unbind("click").click(function(){this.value=null}),$("#html_editor").ckeditor(),$("#attachmentsTable").show(),attachmentsTable=$("#attachmentsTable").DataTable({destroy:!0,order:[[1,"asc"]],columnDefs:[{orderable:!1,targets:"no-sort"},{sClass:"datatable_hidden",targets:[3,4]}]});var t={attachments:[]};t=templates[a],$("#name").val("Copy of "+t.name),$("#subject").val(t.subject),$("#html_editor").val(t.html),$("#text_editor").val(t.text),$.each(t.attachments,function(a,t){var e=icons[t.type]||"fa-file-o";attachmentsTable.row.add(['',escapeHtml(t.name),'',t.content,t.type||"application/octet-stream"]).draw()}),$("#attachmentsTable").unbind("click").on("click","span>i.fa-trash-o",function(){attachmentsTable.row($(this).parents("tr")).remove().draw()}),t.html.indexOf("{{.Tracker}}")!=-1?$("#use_tracker_checkbox").prop("checked",!0):$("#use_tracker_checkbox").prop("checked",!1)}function 
importEmail(){raw=$("#email_content").val(),convert_links=$("#convert_links_checkbox").prop("checked"),raw?$.ajax({method:"POST",url:"/api/import/email",data:JSON.stringify({content:raw,convert_links:convert_links}),dataType:"json",contentType:"application/json"}).success(function(a){$("#text_editor").val(a.text),$("#html_editor").val(a.html),$("#subject").val(a.subject),$("#importEmailModal").modal("hide")}).error(function(a){modalError(a.responseJSON.message)}):modalError("No Content Specified!")}function load(){$("#templateTable").hide(),$("#emptyMessage").hide(),$("#loading").show(),api.templates.get().success(function(a){templates=a,$("#loading").hide(),templates.length>0?($("#templateTable").show(),templateTable=$("#templateTable").DataTable({destroy:!0,columnDefs:[{orderable:!1,targets:"no-sort"}]}),templateTable.clear(),$.each(templates,function(a,t){templateTable.row.add([escapeHtml(t.name),moment(t.modified_date).format("MMMM Do YYYY, h:mm:ss a"),"
\t\t
"]).draw()}),$('[data-toggle="tooltip"]').tooltip()):$("#emptyMessage").show()}).error(function(){$("#loading").hide(),errorFlash("Error fetching templates")})}var templates=[],icons={"application/vnd.ms-excel":"fa-file-excel-o","text/plain":"fa-file-text-o","image/gif":"fa-file-image-o","image/png":"fa-file-image-o","application/pdf":"fa-file-pdf-o","application/x-zip-compressed":"fa-file-archive-o","application/x-gzip":"fa-file-archive-o","application/vnd.openxmlformats-officedocument.presentationml.presentation":"fa-file-powerpoint-o","application/vnd.openxmlformats-officedocument.wordprocessingml.document":"fa-file-word-o","application/octet-stream":"fa-file-o","application/x-msdownload":"fa-file-o"};$(document).ready(function(){$(".modal").on("hidden.bs.modal",function(a){$(this).removeClass("fv-modal-stack"),$("body").data("fv_open_modals",$("body").data("fv_open_modals")-1)}),$(".modal").on("shown.bs.modal",function(a){"undefined"==typeof $("body").data("fv_open_modals")&&$("body").data("fv_open_modals",0),$(this).hasClass("fv-modal-stack")||($(this).addClass("fv-modal-stack"),$("body").data("fv_open_modals",$("body").data("fv_open_modals")+1),$(this).css("z-index",1040+10*$("body").data("fv_open_modals")),$(".modal-backdrop").not(".fv-modal-stack").css("z-index",1039+10*$("body").data("fv_open_modals")),$(".modal-backdrop").not("fv-modal-stack").addClass("fv-modal-stack"))}),$.fn.modal.Constructor.prototype.enforceFocus=function(){$(document).off("focusin.bs.modal").on("focusin.bs.modal",$.proxy(function(a){this.$element[0]===a.target||this.$element.has(a.target).length||$(a.target).closest(".cke_dialog, .cke").length||this.$element.trigger("focus")},this))},$(document).on("hidden.bs.modal",".modal",function(){$(".modal:visible").length&&$(document.body).addClass("modal-open")}),$("#modal").on("hidden.bs.modal",function(a){dismiss()}),$("#importEmailModal").on("hidden.bs.modal",function(a){$("#email_content").val("")}),load()}); \ No newline at end of file 
+function save(a){var t={attachments:[]};t.name=$("#name").val(),t.subject=$("#subject").val(),t.html=CKEDITOR.instances.html_editor.getData(),t.html=t.html.replace(/https?:\/\/{{\.URL}}/gi,"{{.URL}}"),$("#use_tracker_checkbox").prop("checked")?t.html.indexOf("{{.Tracker}}")==-1&&t.html.indexOf("{{.TrackingUrl}}")==-1&&(t.html=t.html.replace("","{{.Tracker}}")):t.html=t.html.replace("{{.Tracker}}",""),t.text=$("#text_editor").val(),$.each($("#attachmentsTable").DataTable().rows().data(),function(a,e){t.attachments.push({name:unescapeHtml(e[1]),content:e[3],type:e[4]})}),a!=-1?(t.id=templates[a].id,api.templateId.put(t).success(function(a){successFlash("Template edited successfully!"),load(),dismiss()}).error(function(a){modalError(a.responseJSON.message)})):api.templates.post(t).success(function(a){successFlash("Template added successfully!"),load(),dismiss()}).error(function(a){modalError(a.responseJSON.message)})}function dismiss(){$("#modal\\.flashes").empty(),$("#attachmentsTable").dataTable().DataTable().clear().draw(),$("#name").val(""),$("#subject").val(""),$("#text_editor").val(""),$("#html_editor").val(""),$("#modal").modal("hide")}function deleteTemplate(a){confirm("Delete "+templates[a].name+"?")&&api.templateId.delete(templates[a].id).success(function(a){successFlash(a.message),load()})}function attach(a){attachmentsTable=$("#attachmentsTable").DataTable({destroy:!0,order:[[1,"asc"]],columnDefs:[{orderable:!1,targets:"no-sort"},{sClass:"datatable_hidden",targets:[3,4]}]}),$.each(a,function(a,t){var e=new FileReader;e.onload=function(a){var o=icons[t.type]||"fa-file-o";attachmentsTable.row.add(['',escapeHtml(t.name),'',e.result.split(",")[1],t.type||"application/octet-stream"]).draw()},e.onerror=function(a){console.log(a)},e.readAsDataURL(t)})}function 
edit(a){$("#modalSubmit").unbind("click").click(function(){save(a)}),$("#attachmentUpload").unbind("click").click(function(){this.value=null}),$("#html_editor").ckeditor(),$("#attachmentsTable").show(),attachmentsTable=$("#attachmentsTable").DataTable({destroy:!0,order:[[1,"asc"]],columnDefs:[{orderable:!1,targets:"no-sort"},{sClass:"datatable_hidden",targets:[3,4]}]});var t={attachments:[]};a!=-1&&(t=templates[a],$("#name").val(t.name),$("#subject").val(t.subject),$("#html_editor").val(t.html),$("#text_editor").val(t.text),$.each(t.attachments,function(a,t){var e=icons[t.type]||"fa-file-o";attachmentsTable.row.add(['',escapeHtml(t.name),'',t.content,t.type||"application/octet-stream"]).draw()}),t.html.indexOf("{{.Tracker}}")!=-1?$("#use_tracker_checkbox").prop("checked",!0):$("#use_tracker_checkbox").prop("checked",!1)),$("#attachmentsTable").unbind("click").on("click","span>i.fa-trash-o",function(){attachmentsTable.row($(this).parents("tr")).remove().draw()})}function copy(a){$("#modalSubmit").unbind("click").click(function(){save(-1)}),$("#attachmentUpload").unbind("click").click(function(){this.value=null}),$("#html_editor").ckeditor(),$("#attachmentsTable").show(),attachmentsTable=$("#attachmentsTable").DataTable({destroy:!0,order:[[1,"asc"]],columnDefs:[{orderable:!1,targets:"no-sort"},{sClass:"datatable_hidden",targets:[3,4]}]});var t={attachments:[]};t=templates[a],$("#name").val("Copy of "+t.name),$("#subject").val(t.subject),$("#html_editor").val(t.html),$("#text_editor").val(t.text),$.each(t.attachments,function(a,t){var e=icons[t.type]||"fa-file-o";attachmentsTable.row.add(['',escapeHtml(t.name),'',t.content,t.type||"application/octet-stream"]).draw()}),$("#attachmentsTable").unbind("click").on("click","span>i.fa-trash-o",function(){attachmentsTable.row($(this).parents("tr")).remove().draw()}),t.html.indexOf("{{.Tracker}}")!=-1?$("#use_tracker_checkbox").prop("checked",!0):$("#use_tracker_checkbox").prop("checked",!1)}function 
importEmail(){raw=$("#email_content").val(),convert_links=$("#convert_links_checkbox").prop("checked"),raw?api.import_email({content:raw,convert_links:convert_links}).success(function(a){$("#text_editor").val(a.text),$("#html_editor").val(a.html),$("#subject").val(a.subject),$("#importEmailModal").modal("hide")}).error(function(a){modalError(a.responseJSON.message)}):modalError("No Content Specified!")}function load(){$("#templateTable").hide(),$("#emptyMessage").hide(),$("#loading").show(),api.templates.get().success(function(a){templates=a,$("#loading").hide(),templates.length>0?($("#templateTable").show(),templateTable=$("#templateTable").DataTable({destroy:!0,columnDefs:[{orderable:!1,targets:"no-sort"}]}),templateTable.clear(),$.each(templates,function(a,t){templateTable.row.add([escapeHtml(t.name),moment(t.modified_date).format("MMMM Do YYYY, h:mm:ss a"),"
\t\t
"]).draw()}),$('[data-toggle="tooltip"]').tooltip()):$("#emptyMessage").show()}).error(function(){$("#loading").hide(),errorFlash("Error fetching templates")})}var templates=[],icons={"application/vnd.ms-excel":"fa-file-excel-o","text/plain":"fa-file-text-o","image/gif":"fa-file-image-o","image/png":"fa-file-image-o","application/pdf":"fa-file-pdf-o","application/x-zip-compressed":"fa-file-archive-o","application/x-gzip":"fa-file-archive-o","application/vnd.openxmlformats-officedocument.presentationml.presentation":"fa-file-powerpoint-o","application/vnd.openxmlformats-officedocument.wordprocessingml.document":"fa-file-word-o","application/octet-stream":"fa-file-o","application/x-msdownload":"fa-file-o"};$(document).ready(function(){$(".modal").on("hidden.bs.modal",function(a){$(this).removeClass("fv-modal-stack"),$("body").data("fv_open_modals",$("body").data("fv_open_modals")-1)}),$(".modal").on("shown.bs.modal",function(a){"undefined"==typeof $("body").data("fv_open_modals")&&$("body").data("fv_open_modals",0),$(this).hasClass("fv-modal-stack")||($(this).addClass("fv-modal-stack"),$("body").data("fv_open_modals",$("body").data("fv_open_modals")+1),$(this).css("z-index",1040+10*$("body").data("fv_open_modals")),$(".modal-backdrop").not(".fv-modal-stack").css("z-index",1039+10*$("body").data("fv_open_modals")),$(".modal-backdrop").not("fv-modal-stack").addClass("fv-modal-stack"))}),$.fn.modal.Constructor.prototype.enforceFocus=function(){$(document).off("focusin.bs.modal").on("focusin.bs.modal",$.proxy(function(a){this.$element[0]===a.target||this.$element.has(a.target).length||$(a.target).closest(".cke_dialog, .cke").length||this.$element.trigger("focus")},this))},$(document).on("hidden.bs.modal",".modal",function(){$(".modal:visible").length&&$(document.body).addClass("modal-open")}),$("#modal").on("hidden.bs.modal",function(a){dismiss()}),$("#importEmailModal").on("hidden.bs.modal",function(a){$("#email_content").val("")}),load()}); \ No newline at end of file 
diff --git a/static/js/dist/app/users.min.js b/static/js/dist/app/users.min.js index 32590a10..1dec2798 100644 --- a/static/js/dist/app/users.min.js +++ b/static/js/dist/app/users.min.js 
@@ -1 +1 @@ -function save(a){var e=[];$.each($("#targetsTable").DataTable().rows().data(),function(a,s){e.push({first_name:unescapeHtml(s[0]),last_name:unescapeHtml(s[1]),email:unescapeHtml(s[2]),position:unescapeHtml(s[3])})});var s={name:$("#name").val(),targets:e};a!=-1?(s.id=a,api.groupId.put(s).success(function(a){successFlash("Group updated successfully!"),load(),dismiss(),$("#modal").modal("hide")}).error(function(a){modalError(a.responseJSON.message)})):api.groups.post(s).success(function(a){successFlash("Group added successfully!"),load(),dismiss(),$("#modal").modal("hide")}).error(function(a){modalError(a.responseJSON.message)})}function dismiss(){$("#targetsTable").dataTable().DataTable().clear().draw(),$("#name").val(""),$("#modal\\.flashes").empty()}function edit(a){if(targets=$("#targetsTable").dataTable({destroy:!0,columnDefs:[{orderable:!1,targets:"no-sort"}]}),$("#modalSubmit").unbind("click").click(function(){save(a)}),a==-1);else api.groupId.get(a).success(function(a){$("#name").val(a.name),$.each(a.targets,function(a,e){targets.DataTable().row.add([escapeHtml(e.first_name),escapeHtml(e.last_name),escapeHtml(e.email),escapeHtml(e.position),'']).draw()})}).error(function(){errorFlash("Error fetching group")});$("#csvupload").fileupload({dataType:"json",add:function(a,e){$("#modal\\.flashes").empty();var s=/(csv|txt)$/i,t=e.originalFiles[0].name;return t&&!s.test(t.split(".").pop())?(modalError("Unsupported file extension (use .csv or .txt)"),!1):void e.submit()},done:function(a,e){$.each(e.result,function(a,e){addTarget(e.first_name,e.last_name,e.email,e.position)}),targets.DataTable().draw()}})}function deleteGroup(a){var e=groups.find(function(e){return e.id===a});return e?void(confirm("Delete "+e.name+"?")&&api.groupId.delete(a).success(function(a){successFlash(a.message),load()})):void console.log("wat")}function addTarget(a,e,s,t){var 
o=escapeHtml(s).toLowerCase(),r=[escapeHtml(a),escapeHtml(e),o,escapeHtml(t),''],n=targets.DataTable(),i=n.column(2,{order:"index"}).data().indexOf(o);i>=0?n.row(i,{order:"index"}).data(r):n.row.add(r)}function load(){$("#groupTable").hide(),$("#emptyMessage").hide(),$("#loading").show(),api.groups.summary().success(function(a){if($("#loading").hide(),a.total>0){groups=a.groups,$("#emptyMessage").hide(),$("#groupTable").show();var e=$("#groupTable").DataTable({destroy:!0,columnDefs:[{orderable:!1,targets:"no-sort"}]});e.clear(),$.each(groups,function(a,s){e.row.add([escapeHtml(s.name),escapeHtml(s.num_targets),moment(s.modified_date).format("MMMM Do YYYY, h:mm:ss a"),"
"]).draw()})}else $("#emptyMessage").show()}).error(function(){errorFlash("Error fetching groups")})}var groups=[];$(document).ready(function(){load(),$("#targetForm").submit(function(){return addTarget($("#firstName").val(),$("#lastName").val(),$("#email").val(),$("#position").val()),targets.DataTable().draw(),$("#targetForm>div>input").val(""),$("#firstName").focus(),!1}),$("#targetsTable").on("click","span>i.fa-trash-o",function(){targets.DataTable().row($(this).parents("tr")).remove().draw()}),$("#modal").on("hide.bs.modal",function(){dismiss()})}); \ No newline at end of file +function save(a){var e=[];$.each($("#targetsTable").DataTable().rows().data(),function(a,s){e.push({first_name:unescapeHtml(s[0]),last_name:unescapeHtml(s[1]),email:unescapeHtml(s[2]),position:unescapeHtml(s[3])})});var s={name:$("#name").val(),targets:e};a!=-1?(s.id=a,api.groupId.put(s).success(function(a){successFlash("Group updated successfully!"),load(),dismiss(),$("#modal").modal("hide")}).error(function(a){modalError(a.responseJSON.message)})):api.groups.post(s).success(function(a){successFlash("Group added successfully!"),load(),dismiss(),$("#modal").modal("hide")}).error(function(a){modalError(a.responseJSON.message)})}function dismiss(){$("#targetsTable").dataTable().DataTable().clear().draw(),$("#name").val(""),$("#modal\\.flashes").empty()}function edit(a){if(targets=$("#targetsTable").dataTable({destroy:!0,columnDefs:[{orderable:!1,targets:"no-sort"}]}),$("#modalSubmit").unbind("click").click(function(){save(a)}),a==-1);else api.groupId.get(a).success(function(a){$("#name").val(a.name),$.each(a.targets,function(a,e){targets.DataTable().row.add([escapeHtml(e.first_name),escapeHtml(e.last_name),escapeHtml(e.email),escapeHtml(e.position),'']).draw()})}).error(function(){errorFlash("Error fetching group")});$("#csvupload").fileupload({url:"/api/import/group?api_key="+user.api_key,dataType:"json",add:function(a,e){$("#modal\\.flashes").empty();var 
s=/(csv|txt)$/i,t=e.originalFiles[0].name;return t&&!s.test(t.split(".").pop())?(modalError("Unsupported file extension (use .csv or .txt)"),!1):void e.submit()},done:function(a,e){$.each(e.result,function(a,e){addTarget(e.first_name,e.last_name,e.email,e.position)}),targets.DataTable().draw()}})}function deleteGroup(a){var e=groups.find(function(e){return e.id===a});return e?void(confirm("Delete "+e.name+"?")&&api.groupId.delete(a).success(function(a){successFlash(a.message),load()})):void console.log("wat")}function addTarget(a,e,s,t){var o=escapeHtml(s).toLowerCase(),r=[escapeHtml(a),escapeHtml(e),o,escapeHtml(t),''],n=targets.DataTable(),i=n.column(2,{order:"index"}).data().indexOf(o);i>=0?n.row(i,{order:"index"}).data(r):n.row.add(r)}function load(){$("#groupTable").hide(),$("#emptyMessage").hide(),$("#loading").show(),api.groups.summary().success(function(a){if($("#loading").hide(),a.total>0){groups=a.groups,$("#emptyMessage").hide(),$("#groupTable").show();var e=$("#groupTable").DataTable({destroy:!0,columnDefs:[{orderable:!1,targets:"no-sort"}]});e.clear(),$.each(groups,function(a,s){e.row.add([escapeHtml(s.name),escapeHtml(s.num_targets),moment(s.modified_date).format("MMMM Do YYYY, h:mm:ss a"),"
"]).draw()})}else $("#emptyMessage").show()}).error(function(){errorFlash("Error fetching groups")})}var groups=[];$(document).ready(function(){load(),$("#targetForm").submit(function(){return addTarget($("#firstName").val(),$("#lastName").val(),$("#email").val(),$("#position").val()),targets.DataTable().draw(),$("#targetForm>div>input").val(""),$("#firstName").focus(),!1}),$("#targetsTable").on("click","span>i.fa-trash-o",function(){targets.DataTable().row($(this).parents("tr")).remove().draw()}),$("#modal").on("hide.bs.modal",function(){dismiss()})}); \ No newline at end of file diff --git a/static/js/src/app/gophish.js b/static/js/src/app/gophish.js index 7c6f0e52..423a9ca7 100644 --- a/static/js/src/app/gophish.js +++ b/static/js/src/app/gophish.js @@ -194,8 +194,8 @@ var api = { } }, // import handles all of the "import" functions in the api - import_email: function (raw) { - return query("/import/email", "POST", {}, false) + import_email: function (req) { + return query("/import/email", "POST", req, false) }, // clone_site handles importing a site by url clone_site: function (req) { diff --git a/static/js/src/app/templates.js b/static/js/src/app/templates.js index 0d68552d..d5c14b83 100644 --- a/static/js/src/app/templates.js +++ b/static/js/src/app/templates.js @@ -240,16 +240,10 @@ function importEmail() { if (!raw) { modalError("No Content Specified!") } else { - $.ajax({ - method: "POST", - url: "/api/import/email", - data: JSON.stringify({ + api.import_email({ content: raw, convert_links: convert_links - }), - dataType: "json", - contentType: "application/json" - }) + }) .success(function (data) { $("#text_editor").val(data.text) $("#html_editor").val(data.html) 
@@ -337,7 +331,8 @@ $(document).ready(function () {
 if (
 this.$element[0] !== e.target && !this.$element.has(e.target).length
 // CKEditor compatibility fix start.
- && !$(e.target).closest('.cke_dialog, .cke').length
+ &&
+ !$(e.target).closest('.cke_dialog, .cke').length
 // CKEditor compatibility fix end.
 ) {
 this.$element.trigger('focus');
@@ -356,4 +351,4 @@ $(document).ready(function () {
 
 })
 load()
-})
+})
\ No newline at end of file
diff --git a/static/js/src/app/users.js b/static/js/src/app/users.js
index a1defa2d..f8deec65 100644
--- a/static/js/src/app/users.js
+++ b/static/js/src/app/users.js
@@ -3,7 +3,7 @@ var groups = []
 // Save attempts to POST or PUT to /groups/
 function save(id) {
 var targets = []
- $.each($("#targetsTable").DataTable().rows().data(), function(i, target) {
+ $.each($("#targetsTable").DataTable().rows().data(), function (i, target) {
 targets.push({
 first_name: unescapeHtml(target[0]),
 last_name: unescapeHtml(target[1]),
@@ -12,35 +12,35 @@ function save(id) {
 })
 })
 var group = {
- name: $("#name").val(),
- targets: targets
- }
- // Submit the group
+ name: $("#name").val(),
+ targets: targets
+ }
+ // Submit the group
 if (id != -1) {
 // If we're just editing an existing group,
 // we need to PUT /groups/:id
 group.id = id
 api.groupId.put(group)
- .success(function(data) {
+ .success(function (data) {
 successFlash("Group updated successfully!")
 load()
 dismiss()
 $("#modal").modal('hide')
 })
- .error(function(data) {
+ .error(function (data) {
 modalError(data.responseJSON.message)
 })
 } else {
 // Else, if this is a new group, POST it
 // to /groups
 api.groups.post(group)
- .success(function(data) {
+ .success(function (data) {
 successFlash("Group added successfully!")
 load()
 dismiss()
 $("#modal").modal('hide')
 })
- .error(function(data) {
+ .error(function (data) {
 modalError(data.responseJSON.message)
 })
 }
@@ -60,16 +60,16 @@ function edit(id) {
 targets: "no-sort"
 }]
 })
- $("#modalSubmit").unbind('click').click(function() {
+ $("#modalSubmit").unbind('click').click(function () {
 save(id)
 })
 if (id == -1) {
 var group = {}
 } else {
 api.groupId.get(id)
- .success(function(group) {
+ .success(function (group) {
 $("#name").val(group.name)
- $.each(group.targets, function(i, record) {
+ $.each(group.targets, function (i, record) {
 targets.DataTable()
 .row.add([
 escapeHtml(record.first_name),
@@ -81,14 +81,15 @@ function edit(id) {
 
 });
 })
- .error(function() {
+ .error(function () {
 errorFlash("Error fetching group")
 })
 }
 // Handle file uploads
 $("#csvupload").fileupload({
+ url: "/api/import/group?api_key=" + user.api_key,
 dataType: "json",
- add: function(e, data) {
+ add: function (e, data) {
 $("#modal\\.flashes").empty()
 var acceptFileTypes = /(csv|txt)$/i;
 var filename = data.originalFiles[0]['name']
@@ -98,8 +99,8 @@ function edit(id) {
 }
 data.submit();
 },
- done: function(e, data) {
- $.each(data.result, function(i, record) {
+ done: function (e, data) {
+ $.each(data.result, function (i, record) {
 addTarget(
 record.first_name,
 record.last_name,
@@ -112,14 +113,16 @@ function edit(id) {
 }
 
 function deleteGroup(id) {
- var group = groups.find(function(x){return x.id === id})
+ var group = groups.find(function (x) {
+ return x.id === id
+ })
 if (!group) {
 console.log('wat');
 return
 }
 if (confirm("Delete " + group.name + "?")) {
 api.groupId.delete(id)
- .success(function(data) {
+ .success(function (data) {
 successFlash(data.message)
 load()
 })
@@ -162,7 +165,7 @@ function load() {
 $("#emptyMessage").hide()
 $("#loading").show()
 api.groups.summary()
- .success(function(response) {
+ .success(function (response) {
 $("#loading").hide()
 if (response.total > 0) {
 groups = response.groups
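Review bot: The new `url: "/api/import/group?api_key=" + user.api_key` in the `@@ -81,14 +81,15 @@` hunk puts the API key into the request URL, where web-server, proxy and browser-history logs record it; this matches what `query()` in gophish.js already does, so the exposure is not new, but the upload is a natural place to start moving the key out of the URL if `mid.RequireAPIKey` also accepts it outside the query string (its accepted sources are not visible in this commit), since jQuery File Upload appears to forward `headers` to `$.ajax`. At minimum the key should be URL-encoded so a value containing reserved characters cannot break the request: `url: "/api/import/group?api_key=" + encodeURIComponent(user.api_key),`. The other users.js hunks on this line are whitespace-only; `edit` continues outside the hunk.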
@@ -176,7 +179,7 @@ function load() {
 }]
 });
 groupTable.clear();
- $.each(groups, function(i, group) {
+ $.each(groups, function (i, group) {
 groupTable.row.add([
 escapeHtml(group.name),
 escapeHtml(group.num_targets),
@@ -193,16 +196,16 @@ function load() {
 $("#emptyMessage").show()
 }
 })
- .error(function() {
+ .error(function () {
 errorFlash("Error fetching groups")
 })
 }
 
-$(document).ready(function() {
+$(document).ready(function () {
 load()
- // Setup the event listeners
- // Handle manual additions
- $("#targetForm").submit(function() {
+ // Setup the event listeners
+ // Handle manual additions
+ $("#targetForm").submit(function () {
 addTarget(
 $("#firstName").val(),
 $("#lastName").val(),
@@ -216,13 +219,13 @@ $(document).ready(function() {
 return false;
 });
 // Handle Deletion
- $("#targetsTable").on("click", "span>i.fa-trash-o", function() {
+ $("#targetsTable").on("click", "span>i.fa-trash-o", function () {
 targets.DataTable()
 .row($(this).parents('tr'))
 .remove()
 .draw();
 });
- $("#modal").on("hide.bs.modal", function() {
+ $("#modal").on("hide.bs.modal", function () {
 dismiss();
 });
-});
+});
\ No newline at end of file
diff --git a/templates/users.html b/templates/users.html
index a75c8c8e..2edb7ec7 100644
--- a/templates/users.html
+++ b/templates/users.html
@@ -3,24 +3,35 @@
- +
 
@@ -62,63 +74,66 @@