Commit Graph

9 Commits (96d1a5555861f5c80e27e957f2da14594c36cbe6)

Author SHA1 Message Date
Shubhendra Singh Chauhan 15303e32cf
Fix code quality issues (#2118) 2021-02-24 17:34:38 -06:00
Glenn Wilkinson 0b2ab68f8d
Modified regex to detect Microsoft ATP URLs (#1976) 2020-09-23 20:40:21 -05:00
Jordan Wright e3352f481e
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.

This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.

To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.

There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.

Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
Jordan Wright 27d13a0584 Gofmt'ing so that tests pass 2020-08-15 10:31:49 -05:00
Glenn Wilkinson 0558da90fe
Added support to allow invalid IMAP certificates (#1909)
This commit allows self-signed certificates to be used in upstream IMAP connections.
2020-08-08 15:03:42 -05:00
Jordan Wright 0f6439de5a gofmt'ing the IMAP changes 2020-06-16 20:13:24 -05:00
Glenn Wilkinson 6f95da00ba
IMAP update; new library and attachment support (#1791)
Updates the IMAP processing to use a more mature library. This allows for more robust IMAP support.

Additionally, this adds support for reporting emails as attachments.
2020-06-16 20:02:09 -05:00
Jordan Wright ec8b17238e General code cleanup as part of an effort to integrate staticcheck into our CI pipeline. 2020-05-25 21:46:36 -05:00
Glenn Wilkinson 9de32746ee Added IMAP support for checking reported emails (#1612)
Initial support of managing reporting through IMAP.

Co-Authored-By: Jordan Wright <jmwright798@gmail.com>
2020-01-18 11:58:34 -06:00