From 3a7a62e9d6aaa2ce42c65e52df93758ef427c9ea Mon Sep 17 00:00:00 2001
From: Jordan Wright
Date: Thu, 29 Mar 2018 20:59:26 -0500
Subject: [PATCH] Changed /api/reset to require API key instead of just requiring a valid session. Fixes #1028

---
 controllers/route.go | 2 +-
 static/js/dist/app/gophish.min.js | 2 +-
 static/js/dist/app/settings.min.js | 2 +-
 static/js/src/app/gophish.js | 3 +++
 static/js/src/app/settings.js | 12 ++++++------
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/controllers/route.go b/controllers/route.go
index b3f59d4c..3fdca4f4 100644
--- a/controllers/route.go
+++ b/controllers/route.go
@@ -41,7 +41,7 @@ func CreateAdminRouter() http.Handler {
 api := router.PathPrefix("/api").Subrouter()
 api = api.StrictSlash(true)
 api.HandleFunc("/", Use(API, mid.RequireLogin))
- api.HandleFunc("/reset", Use(API_Reset, mid.RequireLogin))
+ api.HandleFunc("/reset", Use(API_Reset, mid.RequireAPIKey))
 api.HandleFunc("/campaigns/", Use(API_Campaigns, mid.RequireAPIKey))
 api.HandleFunc("/campaigns/summary", Use(API_Campaigns_Summary, mid.RequireAPIKey))
 api.HandleFunc("/campaigns/{id:[0-9]+}", Use(API_Campaigns_Id, mid.RequireAPIKey))
diff --git a/static/js/dist/app/gophish.min.js b/static/js/dist/app/gophish.min.js
index b1346d6c..be8ce70d 100644
--- a/static/js/dist/app/gophish.min.js
+++ b/static/js/dist/app/gophish.min.js
@@ -1 +1 @@
-function errorFlash(e){$("#flashes").empty(),$("#flashes").append('
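Review bot: `api.HandleFunc("/reset", Use(API_Reset, mid.RequireAPIKey))` registers the route for every HTTP method, so after the key check any method reaches the key-rotating handler unless `API_Reset` rejects non-POST itself, which is not visible in this hunk; the bundled client only ever sends POST, so the route can be narrowed for free with `api.HandleFunc("/reset", Use(API_Reset, mid.RequireAPIKey)).Methods("POST")`. The line also deserves a short why-comment, since it is now the one API route whose guard differs from the `RequireLogin` line directly above it, e.g. `// /reset issues a new API key, so the caller must present the current key rather than only a session cookie`. CreateAdminRouter continues outside the hunk.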
'+e+"
")}function successFlash(e){$("#flashes").empty(),$("#flashes").append('
'+e+"
")}function modalError(e){$("#modal\\.flashes").empty().append('
'+e+"
")}function query(e,t,n,r){return $.ajax({url:"/api"+e+"?api_key="+user.api_key,async:r,method:t,data:JSON.stringify(n),dataType:"json",contentType:"application/json"})}function escapeHtml(e){return $("
").text(e).html()}function unescapeHtml(e){return $("
").html(e).text()}var capitalize=function(e){return e.charAt(0).toUpperCase()+e.slice(1)},api={campaigns:{get:function(){return query("/campaigns/","GET",{},!1)},post:function(e){return query("/campaigns/","POST",e,!1)},summary:function(){return query("/campaigns/summary","GET",{},!1)}},campaignId:{get:function(e){return query("/campaigns/"+e,"GET",{},!0)},delete:function(e){return query("/campaigns/"+e,"DELETE",{},!1)},results:function(e){return query("/campaigns/"+e+"/results","GET",{},!0)},complete:function(e){return query("/campaigns/"+e+"/complete","GET",{},!0)},summary:function(e){return query("/campaigns/"+e+"/summary","GET",{},!0)}},groups:{get:function(){return query("/groups/","GET",{},!1)},post:function(e){return query("/groups/","POST",e,!1)},summary:function(){return query("/groups/summary","GET",{},!0)}},groupId:{get:function(e){return query("/groups/"+e,"GET",{},!1)},put:function(e){return query("/groups/"+e.id,"PUT",e,!1)},delete:function(e){return query("/groups/"+e,"DELETE",{},!1)}},templates:{get:function(){return query("/templates/","GET",{},!1)},post:function(e){return query("/templates/","POST",e,!1)}},templateId:{get:function(e){return query("/templates/"+e,"GET",{},!1)},put:function(e){return query("/templates/"+e.id,"PUT",e,!1)},delete:function(e){return query("/templates/"+e,"DELETE",{},!1)}},pages:{get:function(){return query("/pages/","GET",{},!1)},post:function(e){return query("/pages/","POST",e,!1)}},pageId:{get:function(e){return query("/pages/"+e,"GET",{},!1)},put:function(e){return query("/pages/"+e.id,"PUT",e,!1)},delete:function(e){return query("/pages/"+e,"DELETE",{},!1)}},SMTP:{get:function(){return query("/smtp/","GET",{},!1)},post:function(e){return query("/smtp/","POST",e,!1)}},SMTPId:{get:function(e){return query("/smtp/"+e,"GET",{},!1)},put:function(e){return query("/smtp/"+e.id,"PUT",e,!1)},delete:function(e){return query("/smtp/"+e,"DELETE",{},!1)}},import_email:function(e){return 
query("/import/email","POST",e,!1)},clone_site:function(e){return query("/import/site","POST",e,!1)},send_test_email:function(e){return query("/util/send_test_email","POST",e,!0)}};$(document).ready(function(){$.fn.dataTable.moment("MMMM Do YYYY, h:mm:ss a"),$('[data-toggle="tooltip"]').tooltip()});
\ No newline at end of file
+function errorFlash(e){$("#flashes").empty(),$("#flashes").append('
'+e+"
")}function successFlash(e){$("#flashes").empty(),$("#flashes").append('
'+e+"
")}function modalError(e){$("#modal\\.flashes").empty().append('
'+e+"
")}function query(e,t,n,r){return $.ajax({url:"/api"+e+"?api_key="+user.api_key,async:r,method:t,data:JSON.stringify(n),dataType:"json",contentType:"application/json"})}function escapeHtml(e){return $("
").text(e).html()}function unescapeHtml(e){return $("
").html(e).text()}var capitalize=function(e){return e.charAt(0).toUpperCase()+e.slice(1)},api={campaigns:{get:function(){return query("/campaigns/","GET",{},!1)},post:function(e){return query("/campaigns/","POST",e,!1)},summary:function(){return query("/campaigns/summary","GET",{},!1)}},campaignId:{get:function(e){return query("/campaigns/"+e,"GET",{},!0)},delete:function(e){return query("/campaigns/"+e,"DELETE",{},!1)},results:function(e){return query("/campaigns/"+e+"/results","GET",{},!0)},complete:function(e){return query("/campaigns/"+e+"/complete","GET",{},!0)},summary:function(e){return query("/campaigns/"+e+"/summary","GET",{},!0)}},groups:{get:function(){return query("/groups/","GET",{},!1)},post:function(e){return query("/groups/","POST",e,!1)},summary:function(){return query("/groups/summary","GET",{},!0)}},groupId:{get:function(e){return query("/groups/"+e,"GET",{},!1)},put:function(e){return query("/groups/"+e.id,"PUT",e,!1)},delete:function(e){return query("/groups/"+e,"DELETE",{},!1)}},templates:{get:function(){return query("/templates/","GET",{},!1)},post:function(e){return query("/templates/","POST",e,!1)}},templateId:{get:function(e){return query("/templates/"+e,"GET",{},!1)},put:function(e){return query("/templates/"+e.id,"PUT",e,!1)},delete:function(e){return query("/templates/"+e,"DELETE",{},!1)}},pages:{get:function(){return query("/pages/","GET",{},!1)},post:function(e){return query("/pages/","POST",e,!1)}},pageId:{get:function(e){return query("/pages/"+e,"GET",{},!1)},put:function(e){return query("/pages/"+e.id,"PUT",e,!1)},delete:function(e){return query("/pages/"+e,"DELETE",{},!1)}},SMTP:{get:function(){return query("/smtp/","GET",{},!1)},post:function(e){return query("/smtp/","POST",e,!1)}},SMTPId:{get:function(e){return query("/smtp/"+e,"GET",{},!1)},put:function(e){return query("/smtp/"+e.id,"PUT",e,!1)},delete:function(e){return query("/smtp/"+e,"DELETE",{},!1)}},import_email:function(e){return 
query("/import/email","POST",e,!1)},clone_site:function(e){return query("/import/site","POST",e,!1)},send_test_email:function(e){return query("/util/send_test_email","POST",e,!0)},reset:function(){return query("/reset","POST",{},!0)}};$(document).ready(function(){$.fn.dataTable.moment("MMMM Do YYYY, h:mm:ss a"),$('[data-toggle="tooltip"]').tooltip()});
\ No newline at end of file
diff --git a/static/js/dist/app/settings.min.js b/static/js/dist/app/settings.min.js
index 9609765f..d3935884 100644
--- a/static/js/dist/app/settings.min.js
+++ b/static/js/dist/app/settings.min.js
@@ -1 +1 @@
-$(document).ready(function(){$("#apiResetForm").submit(function(e){return $.post("/api/reset",$(this).serialize()).done(function(e){api_key=e.data,successFlash(e.message),$("#api_key").val(api_key)}).fail(function(e){errorFlash(e.message)}),!1}),$("#settingsForm").submit(function(e){return $.post("/settings",$(this).serialize()).done(function(e){successFlash(e.message)}).fail(function(e){errorFlash(e.responseJSON.message)}),!1});var e=localStorage.getItem("gophish.use_map");$("#use_map").prop("checked",JSON.parse(e)),$("#use_map").on("change",function(){localStorage.setItem("gophish.use_map",JSON.stringify(this.checked))})});
\ No newline at end of file
+$(document).ready(function(){$("#apiResetForm").submit(function(e){return api.reset().success(function(e){user.api_key=e.data,successFlash(e.message),$("#api_key").val(user.api_key)}).error(function(e){errorFlash(e.message)}),!1}),$("#settingsForm").submit(function(e){return $.post("/settings",$(this).serialize()).done(function(e){successFlash(e.message)}).fail(function(e){errorFlash(e.responseJSON.message)}),!1});var e=localStorage.getItem("gophish.use_map");$("#use_map").prop("checked",JSON.parse(e)),$("#use_map").on("change",function(){localStorage.setItem("gophish.use_map",JSON.stringify(this.checked))})});
\ No newline at end of file
diff --git a/static/js/src/app/gophish.js b/static/js/src/app/gophish.js
index 423a9ca7..212cfdba 100644
--- a/static/js/src/app/gophish.js
+++ b/static/js/src/app/gophish.js
@@ -204,6 +204,9 @@ var api = {
 // send_test_email sends an email to the specified email address
 send_test_email: function (req) {
 return query("/util/send_test_email", "POST", req, true)
+ },
+ reset: function () {
+ return query("/reset", "POST", {}, true)
 }
 }
diff --git a/static/js/src/app/settings.js b/static/js/src/app/settings.js
index 52c9678f..5f4998e8 100644
--- a/static/js/src/app/settings.js
+++ b/static/js/src/app/settings.js
@@ -1,12 +1,12 @@
 $(document).ready(function () {
 $("#apiResetForm").submit(function (e) {
- $.post("/api/reset", $(this).serialize())
- .done(function (data) {
- api_key = data.data
- successFlash(data.message)
- $("#api_key").val(api_key)
+ api.reset()
+ .success(function (response) {
+ user.api_key = response.data
+ successFlash(response.message)
+ $("#api_key").val(user.api_key)
 })
- .fail(function (data) {
+ .error(function (data) {
 errorFlash(data.message)
 })
 return false
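Review bot: The new `reset` member is the only entry in this part of the `api` object without the one-line comment its siblings carry (`// send_test_email sends an email ...` is right above it); add `// reset asks the server to issue a new API key for the current user` before `reset: function () {`. Since it goes through `query`, the current key is sent as `?api_key=` in the URL like every other call, which means the rotation request itself is recorded in proxy and access logs; that is existing behaviour of `query`, not something this hunk introduces, but it is worth a note next to the new entry. The enclosing `var api = {` object starts before this hunk.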
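Review bot: `.success(` and `.error(` on the jqXHR returned by `api.reset()` are the deprecated jQuery callback aliases that jQuery 3.0 removed, while the `.done`/`.fail` lines they replace work on every jQuery version; the regenerated `settings.min.js` in this patch carries the same swap. The failure handler also still reads `data.message` from a jqXHR, whereas the `#settingsForm` handler in the same file reads `data.responseJSON.message`, so a rejected rotation would flash an undefined message. Suggested lines: `.done(function (response) {`, `.fail(function (data) {`, `errorFlash(data.responseJSON.message)`. The `$(document).ready` callback continues past the end of the hunk.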