Commit Graph

18 Commits (8b8e88b0773956eeeb2202871ec2c2076e36f920)

Author SHA1 Message Date
Jordan Wright e3352f481e
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.

This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.

To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.

There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.

Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
Jordan Wright 947bb4ccba Adjusting SMTP TLS config to use just the hostname instead of the hostname+port when validating certificates. Fixes #1709 2020-01-21 07:21:56 -06:00
Chris Zietlow 8d95ceb31a Update Sending Profile Message-ID headers (#1417) (#1441)
Adds a default message-ID header to outbound emails.
2019-04-23 17:31:30 -05:00
Jordan Wright 47f0049c30
Refactor servers (#1321)
* Refactoring servers to support custom workers and graceful shutdown.
* Refactoring workers to support custom mailers.
* Refactoring mailer to be an interface, with proper instances instead of a single global instance
* Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition.
* Cleaning up API middleware to be simpler
* Moving template parameters to separate struct
* Changed LoadConfig to return config object
* Cleaned up some error handling, removing uninitialized global error in models package
* Changed static file serving to use the unindexed package
2018-12-15 15:42:32 -06:00
Jordan Wright 81da804761 Properly returning 404 error if the requested sending profile isn't found. 2018-10-07 12:37:15 -05:00
Jordan Wright 5d23263898
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-03 19:07:41 -05:00
Jordan Wright 76ece15b71
Email refactoring (#878)
The initial pass at refactoring the way we send emails.
2017-12-09 15:42:07 -06:00
Jordan Wright 66c4be3d4f Adding support for custom headers in sending profiles (#544)
Closes #215 
Closes #128
2017-02-19 18:43:08 -06:00
Jordan Wright 1933eb7ff1 Adding better error handling for SMTP server
JSBeautify sending_profiles.js
2016-05-30 14:53:32 -05:00
Jordan Wright d1de466cc9 Validating on PUT
Added check for parsing the FromAddress on Validate()
2016-02-21 22:12:47 -06:00
Jordan Wright 7bf2c00356 gofmt'ing 2016-02-21 21:09:14 -06:00
William Woodson 5b89fb04eb Fixing issues in SMTP model and db schema. Add interface_type to support future sending interfaces beyond SMTP. 2016-02-21 09:46:25 -06:00
William Woodson dde2312183 Updated smtp model and api to support managing SMTP objects as independent entities 2016-02-20 21:08:52 -06:00
Jordan Wright bbe97f5602 Working on ignoring certs 2016-02-11 12:53:00 -06:00
Jordan Wright bf86356fde Validating SMTP Conf. Fixes #111 2016-02-01 18:36:59 -06:00
unknown 669d96d279 More work implementing pages.
More cleanup - changing *all* API errors to be returned via JSON
Fixed bug where /api/pages/ was not csrf exempt
Changed db column/table names to be more user friendly in the case of acronyms (Id, SMTP, etc.)
2015-02-07 14:31:41 -06:00
Jordan a1b6218473 Refined models
Added *basic* worker functionality - emails get sent now! woo hoo!
2014-06-04 23:54:46 -05:00
Jordan db24496fb0 Adding logic to handle getting the template for a campaign
Added SMTP Model
Added better flash support in controllers.js
Added SMTP Options accordion in campaign modal
2014-06-03 13:27:20 -05:00