dependabot[bot]
081b84a5e3
Bump terser from 4.0.0 to 4.8.1
...
Bumps [terser](https://github.com/terser/terser ) from 4.0.0 to 4.8.1.
- [Release notes](https://github.com/terser/terser/releases )
- [Changelog](https://github.com/terser/terser/blob/master/CHANGELOG.md )
- [Commits](https://github.com/terser/terser/commits )
---
updated-dependencies:
- dependency-name: terser
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2022-07-20 07:56:07 +00:00
Glenn Wilkinson
5ef2d75e72
Fixed Account Locked bug, allowing user accounts to be locked
2022-06-11 11:25:56 +01:00
Glenn Wilkinson
6fb77bf3ce
Fixed formatting from Custom Envelope PR #2334
2022-06-05 21:18:32 +01:00
Glenn Wilkinson
d0ff3829e5
Disallow deleting of admin user from the UI ( #2487 )
2022-06-01 17:01:55 +01:00
Glenn Wilkinson
0c255bbe92
Disallow changing of admin username from the UI ( #2487 )
2022-06-01 16:40:04 +01:00
Bálint József Jánvári
b7c69662ce
Embed or attach files based on their file extension ( #1525 )
...
Embed or attach files based on their file extension:
* Set 'Content-Disposition: inline' for images
* Set 'Content-Disposition: attachment' for other files
2022-06-01 17:14:22 +02:00
Jake Walker
704e6d56b3
Fix modal titles saying new when editing existing content ( #2318 )
2022-04-15 16:28:19 +02:00
ptitdoc
bb516ef7ab
986 custom envelope sender remerge ( #2334 )
...
* Adds the ability to specify an envelope sender in templates (#986 )
Authored-by: ChessSpider <ChessSpider@users.noreply.github.com>
Authored-by: Olivier MEDOC <o_medoc@yahoo.fr>
Authored-by: ptitdoc <ptitdoc@free.fr>
2022-03-25 16:24:49 +01:00
dependabot[bot]
e0acb99734
Bump minimist from 1.2.0 to 1.2.5 ( #2401 )
...
Bumps [minimist](https://github.com/substack/minimist ) from 1.2.0 to 1.2.5.
- [Release notes](https://github.com/substack/minimist/releases )
- [Commits](https://github.com/substack/minimist/compare/1.2.0...1.2.5 )
---
updated-dependencies:
- dependency-name: minimist
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-25 13:10:19 +01:00
dependabot[bot]
eb016a437c
Bump copy-props from 2.0.4 to 2.0.5 ( #2399 )
...
Bumps [copy-props](https://github.com/gulpjs/copy-props ) from 2.0.4 to 2.0.5.
- [Release notes](https://github.com/gulpjs/copy-props/releases )
- [Changelog](https://github.com/gulpjs/copy-props/blob/master/CHANGELOG.md )
- [Commits](https://github.com/gulpjs/copy-props/compare/2.0.4...2.0.5 )
---
updated-dependencies:
- dependency-name: copy-props
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-17 15:03:51 +01:00
Kirill
67e304f372
Fix open redirect vulnerability on the login page ( #2262 )
2022-02-16 17:26:51 +01:00
dependabot[bot]
e215132bdf
Bump ajv from 6.10.0 to 6.12.6 ( #2395 )
...
Bumps [ajv](https://github.com/ajv-validator/ajv ) from 6.10.0 to 6.12.6.
- [Release notes](https://github.com/ajv-validator/ajv/releases )
- [Commits](https://github.com/ajv-validator/ajv/compare/v6.10.0...v6.12.6 )
---
updated-dependencies:
- dependency-name: ajv
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-16 16:46:30 +01:00
Glenn Wilkinson
741201b7f0
Added JS for Fix sending profile form ( #2389 )
2022-02-16 15:30:38 +00:00
Mark Steward
1f95efcb7b
Fix sending profile form ( #2389 )
...
Credentials no longer suggested in the Search box in 'Sending Profiles'
2022-02-07 17:12:55 +01:00
Glenn Wilkinson
a6627dfc6b
Added support for templating attachments ( #1936 )
...
The following attachment types support template variables: docx, docm, pptx, xlsx, xlsm, txt, html, ics.
2022-02-02 15:41:27 +01:00
Bilal Retiat
0646f14c99
Updated the Ansible Playbook ( #2138 )
...
* Update Ansible role
* lint Ansible role
* Update Ansible Playbook README
* use python3 packages instead python2
2021-12-23 19:13:43 +01:00
Glenn Wilkinson
ceab0509eb
Merge pull request #2296 from gophish/dependabot/npm_and_yarn/tar-4.4.19
...
Bump tar from 4.4.8 to 4.4.19
2021-12-18 09:49:34 +01:00
Glenn Wilkinson
202ecd3397
Merge pull request #2277 from gophish/dependabot/npm_and_yarn/path-parse-1.0.7
...
Bump path-parse from 1.0.6 to 1.0.7
2021-12-18 09:49:20 +01:00
Glenn Wilkinson
4b106b3fe2
Merge pull request #2211 from gophish/dependabot/npm_and_yarn/browserslist-4.16.6
...
Bump browserslist from 4.6.1 to 4.16.6
2021-12-18 09:49:11 +01:00
Glenn Wilkinson
1d18ea7e01
Merge pull request #2196 from gophish/dependabot/npm_and_yarn/hosted-git-info-2.8.9
...
Bump hosted-git-info from 2.7.1 to 2.8.9
2021-12-18 09:48:50 +01:00
Glenn Wilkinson
b3f0bad5ce
Merge pull request #2195 from gophish/dependabot/npm_and_yarn/lodash-4.17.21
...
Bump lodash from 4.17.19 to 4.17.21
2021-12-18 09:48:41 +01:00
Glenn Wilkinson
12ecfd84cc
Merge pull request #2182 from gophish/dependabot/npm_and_yarn/ssri-6.0.2
...
Bump ssri from 6.0.1 to 6.0.2
2021-12-18 09:48:33 +01:00
Glenn Wilkinson
4814620cdc
Merge pull request #2157 from gophish/dependabot/npm_and_yarn/y18n-3.2.2
...
Bump y18n from 3.2.1 to 3.2.2
2021-12-18 09:48:00 +01:00
dependabot[bot]
003d143641
Bump tar from 4.4.8 to 4.4.19
...
Bumps [tar](https://github.com/npm/node-tar ) from 4.4.8 to 4.4.19.
- [Release notes](https://github.com/npm/node-tar/releases )
- [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md )
- [Commits](https://github.com/npm/node-tar/compare/v4.4.8...v4.4.19 )
---
updated-dependencies:
- dependency-name: tar
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-09-01 04:00:10 +00:00
dependabot[bot]
f89c85f558
Bump path-parse from 1.0.6 to 1.0.7
...
Bumps [path-parse](https://github.com/jbgutierrez/path-parse ) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases )
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7 )
---
updated-dependencies:
- dependency-name: path-parse
dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
2021-08-10 23:42:11 +00:00
dependabot[bot]
5aa3a858cb
Bump browserslist from 4.6.1 to 4.16.6
...
Bumps [browserslist](https://github.com/browserslist/browserslist ) from 4.6.1 to 4.16.6.
- [Release notes](https://github.com/browserslist/browserslist/releases )
- [Changelog](https://github.com/browserslist/browserslist/blob/main/CHANGELOG.md )
- [Commits](https://github.com/browserslist/browserslist/compare/4.6.1...4.16.6 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-25 07:33:27 +00:00
dependabot[bot]
82fd6adf68
Bump hosted-git-info from 2.7.1 to 2.8.9
...
Bumps [hosted-git-info](https://github.com/npm/hosted-git-info ) from 2.7.1 to 2.8.9.
- [Release notes](https://github.com/npm/hosted-git-info/releases )
- [Changelog](https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md )
- [Commits](https://github.com/npm/hosted-git-info/compare/v2.7.1...v2.8.9 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-10 07:08:01 +00:00
dependabot[bot]
5fc6ba6bef
Bump lodash from 4.17.19 to 4.17.21
...
Bumps [lodash](https://github.com/lodash/lodash ) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases )
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-08 15:03:26 +00:00
dependabot[bot]
a5b3b134ba
Bump ssri from 6.0.1 to 6.0.2
...
Bumps [ssri](https://github.com/npm/ssri ) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/npm/ssri/releases )
- [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md )
- [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-04-29 18:52:25 +00:00
dependabot[bot]
f722065018
Bump y18n from 3.2.1 to 3.2.2
...
Bumps [y18n](https://github.com/yargs/y18n ) from 3.2.1 to 3.2.2.
- [Release notes](https://github.com/yargs/y18n/releases )
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md )
- [Commits](https://github.com/yargs/y18n/commits )
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-30 15:39:51 +00:00
dependabot[bot]
db63ee978d
Bump yargs-parser from 5.0.0 to 5.0.1 ( #2151 )
2021-03-28 15:40:31 -05:00
dependabot[bot]
96d1a55558
Bump elliptic from 6.5.3 to 6.5.4 ( #2140 )
2021-03-28 15:38:41 -05:00
Glenn Wilkinson
54d9eb28ff
Merge pull request #2105 from gophish/fix-cors-headers
...
Add PUT and DELETE methods for CORS handling.
2021-03-06 17:40:42 +00:00
Shubhendra Singh Chauhan
15303e32cf
Fix code quality issues ( #2118 )
2021-02-24 17:34:38 -06:00
Jordan Wright
166ff8a050
Add PUT and DELETE methods for CORS handling. Fixes #2098
2021-01-24 14:01:40 -06:00
ssssdl
e6533e9993
Update Dockerfile ( #2095 )
...
Updates the Go version used by the Dockerfile
2021-01-24 13:44:10 -06:00
dependabot[bot]
9f5368aa13
Bump ini from 1.3.5 to 1.3.7 ( #2067 )
...
Bumps [ini](https://github.com/isaacs/ini ) from 1.3.5 to 1.3.7.
- [Release notes](https://github.com/isaacs/ini/releases )
- [Commits](https://github.com/isaacs/ini/compare/v1.3.5...v1.3.7 )
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-11 07:24:28 -06:00
Glenn Wilkinson
ced5261678
Added functionality to lock accounts (+bug fix) ( #2060 )
...
* Added functionality to lock accounts
* Fixed typo and added test case for locked account
2020-12-07 08:56:05 -06:00
Jordan Wright
8b8e88b077
Adjusting how we handle IP address parsing to more gracefully handle X-Forwarded-For headers. Ref #1999
2020-10-14 20:35:32 -05:00
Jordan Wright
120e232cfe
Removing accidental dependencies to revert to 3c490dbadb
2020-10-11 17:49:37 -05:00
Jordan Wright
23154126de
Made error handling in the case of a client IP without a port more graceful, so that the ratelimiter doesn't return an error if X-Forwarded-For or X-Real-IP is set.
2020-10-11 17:18:33 -05:00
Jordan Wright
af3122f93b
Adds support for X-Forwarded-For and X-Real-IP headers so that the correct IP address shows up in the logs.
...
Fixes #1999
2020-10-11 13:59:42 -05:00
Jordan Wright
3c490dbadb
Updated JS from #1976
2020-09-30 22:00:15 -05:00
Glenn Wilkinson
b53cff0c98
Added functionality to display last user login ( #1967 )
...
Added functionality to display last login time for each user in the User Management page.
2020-09-30 21:06:08 -05:00
Jordan Wright
c1d3c7cd75
Modified frontend reporting logic to be more flexible with campaigns that include a path in their URL.
...
Fixes #1985
2020-09-23 21:15:19 -05:00
Glenn Wilkinson
0b2ab68f8d
Modified regex to detect Microsoft ATP URLs ( #1976 )
2020-09-23 20:40:21 -05:00
Jordan Wright
22c7b9be14
Bumped version to 0.11.0
2020-08-28 13:20:54 -05:00
Jordan Wright
b01bd6cbc0
Updated github.com/jordan-wright/email dependency
2020-08-24 13:15:16 -05:00
Jordan Wright
6df62e85fd
Added a simple Content-Security-Policy to mitigate clickjacking attempts.
2020-08-20 10:39:23 -05:00
Jordan Wright
e3352f481e
Implement SSRF Mitigations ( #1940 )
...
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00