Commit Graph

198 Commits (4d7910fec8c47110b30caf9694b22d73d1074cc4)

Author SHA1 Message Date
Milan Bharanya 4d7910fec8
Merge 642d5fd7a4 into 9561846979 2024-11-21 01:14:13 +00:00
Jordan Wright 9561846979
Update workflow actions and Go versions (#3245)
This PR:

* Updates the versions of various actions used by the CI and release workflows
* Updates the release workflow to use Go version 1.22
* Updates the test matrix to use Go versions 1.21, 1.22, and 1.23

It also updates the CI workflow to run when pull requests are created or changed. This will help give feedback when formatting or tests are broken during a PR.

As a good example of why this is useful, you'll see that I needed to run `gofmt` to get this to pass! We should have caught that earlier and now we'll catch it moving forward.
2024-09-22 23:24:43 -05:00
Glenn Wilkinson d2efb18ef1
Updated regex pattern to allow longer TLDs 2022-12-16 17:04:55 +00:00
tcastron 2d08befb6b
Modified "SMTP From" field to avoid SMTP server errors with RFC 5321 (#2669)
Co-authored-by: Thomas Castronovo <thocastronovo@cic.be>
2022-11-29 16:41:10 +00:00
MBharanya 642d5fd7a4 Add configurable list of filetypes that allow substitutions in attachments 2022-10-19 13:45:16 +02:00
Vivek Kekuda cec2da5128
Fix new records being added on completing a campaign (#2599)
There were new records with name '[Deleted]' being added when a campaign was
completed. This used to happen when the resource associated with a campaign
(template, page, profile) was deleted before marking the campaign as
completed. The save gorm call used to upsert these values and ended up adding
rogue records.
2022-10-13 16:16:37 +01:00
Glenn Wilkinson 6fb77bf3ce Fixed formatting from Custom Envelope PR #2334 2022-06-05 21:18:32 +01:00
Bálint József Jánvári b7c69662ce
Embed or attach files based on their file extension (#1525)
Embed or attach files based on their file extension:
 * Set 'Content-Disposition: inline' for images
 * Set 'Content-Disposition: attachment' for other files
2022-06-01 17:14:22 +02:00
ptitdoc bb516ef7ab
986 custom envelope sender remerge (#2334)
* Adds the ability to specify an envelope sender in templates (#986)

Authored-by: ChessSpider <ChessSpider@users.noreply.github.com>
Authored-by: Olivier MEDOC <o_medoc@yahoo.fr>
Authored-by: ptitdoc <ptitdoc@free.fr>
2022-03-25 16:24:49 +01:00
Glenn Wilkinson a6627dfc6b
Added support for templating attachments (#1936)
The following attachment types support template variables: docx, docm, pptx, xlsx, xlsm, txt, html, ics.
2022-02-02 15:41:27 +01:00
Shubhendra Singh Chauhan 15303e32cf
Fix code quality issues (#2118) 2021-02-24 17:34:38 -06:00
Glenn Wilkinson ced5261678
Added functionality to lock accounts (+bug fix) (#2060)
* Added functionality to lock accounts

* Fixed typo and added test case for locked account
2020-12-07 08:56:05 -06:00
Glenn Wilkinson b53cff0c98
Added functionality to display last user login (#1967)
Added functionality to display last login time for each user in the User Management page.
2020-09-30 21:06:08 -05:00
Jordan Wright e3352f481e
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.

This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.

To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.

There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.

Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
Glenn Wilkinson 0558da90fe
Added support to allow invalid IMAP certificates (#1909)
This commit allows self-signed certificates to be used in upstream IMAP connections.
2020-08-08 15:03:42 -05:00
Stuart Small afa00e2a9c
Add ability to provide initial API key on service standup (#1883) 2020-07-01 22:06:31 -05:00
Jordan Wright bf76f86ea4 Adds environment variable to set the initial admin password
This change adds a `GOPHISH_INITIAL_ADMIN_PASSWORD` environment variable so that system administrators can set the initial admin password rather than having it randomly generated. This is especially useful in automated deployment scenarios, or scenarios using Docker (ref #1876, #1874)
2020-06-25 08:31:28 -05:00
Jordan Wright bb7de8df3e
Initial Implementation of a Password Policy (#1867)
This PR adds the initial work to implement a password policy as defined in #1538.

Specifically, this implements the following

* Rate limiting for the login handler
* Implementing the ability for system admins to require a user to reset their password
* Implementing a password policy that requires passwords to be a minimum of 8 characters
* Removes the default password (gophish) for admin users to instead have the password randomly generated when Gophish first starts up
* Adds a password strength meter when choosing a new password

Fixes #1538
2020-06-19 22:03:51 -05:00
Jordan Wright ec8b17238e General code cleanup as part of an effort to integrate staticcheck into our CI pipeline. 2020-05-25 21:46:36 -05:00
Jordan Wright 0961e22126 Removed unneeded print statement 2020-05-25 20:55:00 -05:00
Jordan Wright 6251ea6a02
Fixing issues - get values from non objects (#1773)
After calls to get Template, Page, and SMTP, if the objects aren't found then we're currently trying to display error message using the name values of the non objects. This changes this behavior such that we use the name values from the campaign object to give better log messages.
2020-03-05 07:31:19 -06:00
Jordan Wright 8162a80cb1
Improve the Performance of Sending Emails (#1753)
Adding the ability to cache campaigns on maillogs to greatly improve generation time (and, by extension, sending speed and memory usage).
2020-02-29 20:19:54 -06:00
Jordan Wright be459e47bf
Refactoring tests to remove stretchr/testify dependency 2020-02-01 21:44:50 -06:00
Jordan Wright 3d525525ea Added campaign ID to the webhook JSON payload 2020-01-30 07:09:04 -06:00
Jordan Wright 0620671de6 Adding benchmarks for maillog.Generate. Ref #1726 2020-01-25 22:09:43 -06:00
Jordan Wright 947bb4ccba Adjusting SMTP TLS config to use just the hostname instead of the hostname+port when validating certificates. Fixes #1709 2020-01-21 07:21:56 -06:00
Glenn Wilkinson 9de32746ee Added IMAP support for checking reported emails (#1612)
Initial support of managing reporting through IMAP.

Co-Authored-By: Jordan Wright <jmwright798@gmail.com>
2020-01-18 11:58:34 -06:00
Jordan Wright 546da4ee7d Removing unneeded query to improve group performance.
As mentioned in #1702, the query in `insertTargetIntoGroup` isn't needed, since both instances where it's used we already know that the target isn't in the group. This means it's safe to remove that query, improving performance dramatically.

Before:

```
BenchmarkPostGroup100-4     	      81	  12629754 ns/op	 2989993 B/op	   52918 allocs/op
BenchmarkPostGroup1000-4    	       6	 189527792 ns/op	29891818 B/op	  528082 allocs/op
BenchmarkPostGroup10000-4   	       1	6203645806 ns/op	299253648 B/op	 5282859 allocs/op
BenchmarkPutGroup100-4      	     100	  10221833 ns/op	 2589165 B/op	   46078 allocs/op
BenchmarkPutGroup1000-4     	       7	 162692432 ns/op	25812440 B/op	  458425 allocs/op
BenchmarkPutGroup10000-4    	       1	7596445084 ns/op	260385808 B/op	 4581569 allocs/op
```

After:

```
BenchmarkPostGroup100-4     	     133	   8848973 ns/op	 2354605 B/op	   42322 allocs/op
BenchmarkPostGroup1000-4    	       9	 112557410 ns/op	23549206 B/op	  422184 allocs/op
BenchmarkPostGroup10000-4   	       1	3414209403 ns/op	235635952 B/op	 4222090 allocs/op
BenchmarkPutGroup100-4      	     147	   8094333 ns/op	 2271297 B/op	   40777 allocs/op
BenchmarkPutGroup1000-4     	       9	 125092124 ns/op	22635067 B/op	  405421 allocs/op
BenchmarkPutGroup10000-4    	       1	5712591900 ns/op	228592920 B/op	 4051316 allocs/op
```
2020-01-16 20:41:13 -06:00
JoseW3b 91d798336f Get send_by_date (#1720)
Get send_by_date field when query on GetCampaignSummary and GetCampaignSummaries
2020-01-15 22:02:19 -06:00
Jordan Wright 01287e0dd5 Minor cleanup on webhook feature integration
- Ran gofmt
- Rebuilt minified static files
- Updated validation payload
2019-12-15 22:07:55 -06:00
Alex Maslakov 28cd7a238e Add Webhook Support
Adds support for managing outgoing webhooks. Closes #1602
2019-12-15 20:27:21 -06:00
Jordan Wright 44f88401bb
Performance Improvements for Campaign and Group Creation (#1686)
This commit significantly improves the performance of campaign and group creation by changing database access to use transactions.

It should also make things more consistent with campaign creation. Specifically, this will ensure that the entire campaign gets created before emails start sending, while I anticipate this will fix #1643, #1080, (possibly) #1677, and #1552.
2019-12-02 23:00:11 -06:00
Michael Eder 1aab1a34ba 1624 - Return API Key on Password Change (#1663)
Updates the user model to return the user’s API key for easier administration.
2019-11-16 12:18:03 -06:00
SamSutt c5dc71662a Bugfix Issue 1570 (#1640)
Relating to the Issue (https://github.com/gophish/gophish/issues/1570), this could be an easy fix.
2019-10-29 08:21:54 -05:00
Christian Schwartz 26d99b5a65 Add support for encrypted connections to mysql (#1460) 2019-06-03 22:04:54 -05:00
Jordan Wright 84096b8724
Implement User Management API (#1473)
This implements the first pass for a user management API allowing users with the `ModifySystem` permission to create, modify, and delete users. In addition to this, any user is able to use the API to view or modify their own account information.
2019-05-31 13:58:18 -05:00
Chris Zietlow 8d95ceb31a Update Sending Profile Message-ID headers (#1417) (#1441)
Adds a default message-ID header to outbound emails.
2019-04-23 17:31:30 -05:00
gfrancqu af4c8f61da Wait for db (#1402)
Added a loop that attempts to connect to the configured database.
2019-03-27 22:48:31 -05:00
Jordan Wright ba8ceb81da
Initial commit of RBAC support. (#1366)
* Initial commit of RBAC support. Closes #1333
2019-02-19 20:33:50 -06:00
Jordan Wright 53b3a98521 Deleting maillogs when a campaign is completed to prevent accidental future emails from being sent. Fixes #719 2018-12-15 22:09:15 -06:00
Jordan Wright c14be36e05 Delete maillogs if a campaign is deleted. Fixes #1318 2018-12-15 21:47:40 -06:00
Jordan Wright a73ac4ab7c Fixed various minor linting issues 2018-12-15 21:38:51 -06:00
Jordan Wright 47f0049c30
Refactor servers (#1321)
* Refactoring servers to support custom workers and graceful shutdown.
* Refactoring workers to support custom mailers.
* Refactoring mailer to be an interface, with proper instances instead of a single global instance
* Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition.
* Cleaning up API middleware to be simpler
* Moving template parameters to separate struct
* Changed LoadConfig to return config object
* Cleaned up some error handling, removing uninitialized global error in models package
* Changed static file serving to use the unindexed package
2018-12-15 15:42:32 -06:00
Jordan Wright 7fd0657a91
Support Re-enabling CapturePasswords for Landing Pages (#1271)
Fixed a bug when marking the capture password, saving and unmarking the capture password, the attribute does not comeback and the password will never be captured again for this template.
2018-11-11 12:34:26 -06:00
Jordan Wright 326649b177 Updating redirect URL to support template values. Fixes #1235 2018-10-15 16:42:05 -05:00
Jordan Wright d6cbc1a936 Minor cleanup for campaign results 2018-10-08 10:49:21 -05:00
Jordan Wright 81da804761 Properly returning 404 error if the requested sending profile isn't found. 2018-10-07 12:37:15 -05:00
Jordan Wright f39014bbfc Moved template validation into separate function, and added validation for pages 2018-09-09 11:33:51 -05:00
Jordan Wright 0c5925aeec Fixed template validation to better support the all the possible template tags. Fixes #1189 2018-09-08 18:04:21 -05:00
Jordan Wright 15e57b6cd0 Add {{.BaseURL}} template tag to provide the root URL for static files. Fixes #1182 2018-09-03 20:28:32 -05:00