b3f0bad5ce
Merge pull request #2195 from gophish/dependabot/npm_and_yarn/lodash-4.17.21
...
Bump lodash from 4.17.19 to 4.17.21
2021-12-18 09:48:41 +01:00
12ecfd84cc
Merge pull request #2182 from gophish/dependabot/npm_and_yarn/ssri-6.0.2
...
Bump ssri from 6.0.1 to 6.0.2
2021-12-18 09:48:33 +01:00
4814620cdc
Merge pull request #2157 from gophish/dependabot/npm_and_yarn/y18n-3.2.2
...
Bump y18n from 3.2.1 to 3.2.2
2021-12-18 09:48:00 +01:00
5fc6ba6bef
Bump lodash from 4.17.19 to 4.17.21
...
Bumps [lodash](https://github.com/lodash/lodash ) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases )
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-05-08 15:03:26 +00:00
a5b3b134ba
Bump ssri from 6.0.1 to 6.0.2
...
Bumps [ssri](https://github.com/npm/ssri ) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/npm/ssri/releases )
- [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md )
- [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2 )
Signed-off-by: dependabot[bot] <support@github.com>
2021-04-29 18:52:25 +00:00
f722065018
Bump y18n from 3.2.1 to 3.2.2
...
Bumps [y18n](https://github.com/yargs/y18n ) from 3.2.1 to 3.2.2.
- [Release notes](https://github.com/yargs/y18n/releases )
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md )
- [Commits](https://github.com/yargs/y18n/commits )
Signed-off-by: dependabot[bot] <support@github.com>
2021-03-30 15:39:51 +00:00
db63ee978d
Bump yargs-parser from 5.0.0 to 5.0.1 ( #2151 )
2021-03-28 15:40:31 -05:00
96d1a55558
Bump elliptic from 6.5.3 to 6.5.4 ( #2140 )
2021-03-28 15:38:41 -05:00
54d9eb28ff
Merge pull request #2105 from gophish/fix-cors-headers
...
Add PUT and DELETE methods for CORS handling.
2021-03-06 17:40:42 +00:00
15303e32cf
Fix code quality issues ( #2118 )
2021-02-24 17:34:38 -06:00
166ff8a050
Add PUT and DELETE methods for CORS handling. Fixes #2098
2021-01-24 14:01:40 -06:00
e6533e9993
Update Dockerfile ( #2095 )
...
Updates the Go version used by the Dockerfile
2021-01-24 13:44:10 -06:00
9f5368aa13
Bump ini from 1.3.5 to 1.3.7 ( #2067 )
...
Bumps [ini](https://github.com/isaacs/ini ) from 1.3.5 to 1.3.7.
- [Release notes](https://github.com/isaacs/ini/releases )
- [Commits](https://github.com/isaacs/ini/compare/v1.3.5...v1.3.7 )
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-12-11 07:24:28 -06:00
ced5261678
Added functionality to lock accounts (+bug fix) ( #2060 )
...
* Added functionality to lock accounts
* Fixed typo and added test case for locked account
2020-12-07 08:56:05 -06:00
8b8e88b077
Adjusting how we handle IP address parsing to more gracefully handle X-Forwarded-For headers. Ref #1999
2020-10-14 20:35:32 -05:00
120e232cfe
Removing accidental dependencies to revert to 3c490dbadb
2020-10-11 17:49:37 -05:00
23154126de
Made error handling in the case of a client IP without a port more graceful, so that the ratelimiter doesn't return an error if X-Forwarded-For or X-Real-IP is set.
2020-10-11 17:18:33 -05:00
af3122f93b
Adds support for X-Forwarded-For and X-Real-IP headers so that the correct IP address shows up in the logs.
...
Fixes #1999
2020-10-11 13:59:42 -05:00
3c490dbadb
Updated JS from #1976
2020-09-30 22:00:15 -05:00
b53cff0c98
Added functionality to display last user login ( #1967 )
...
Added functionality to display last login time for each user in the User Management page.
2020-09-30 21:06:08 -05:00
c1d3c7cd75
Modified frontend reporting logic to be more flexible with campaigns that include a path in their URL.
...
Fixes #1985
2020-09-23 21:15:19 -05:00
0b2ab68f8d
Modified regex to detect Microsoft ATP URLs ( #1976 )
2020-09-23 20:40:21 -05:00
22c7b9be14
Bumped version to 0.11.0
2020-08-28 13:20:54 -05:00
b01bd6cbc0
Updated github.com/jordan-wright/email dependency
2020-08-24 13:15:16 -05:00
6df62e85fd
Added a simple Content-Security-Policy to mitigate clickjacking attempts.
2020-08-20 10:39:23 -05:00
e3352f481e
Implement SSRF Mitigations ( #1940 )
...
Initial commit of SSRF mitigations.
This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang
To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.
To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.
There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.
Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
27d13a0584
Gofmt'ing so that tests pass
2020-08-15 10:31:49 -05:00
735880c398
Creating minified JS file from chnages in #1909
2020-08-08 15:04:59 -05:00
0558da90fe
Added support to allow invalid IMAP certificates ( #1909 )
...
This commit allows self-signed certificates to be used in upstream IMAP connections.
2020-08-08 15:03:42 -05:00
90fed5a575
Added escaping for error message in sending profile hostname
2020-08-06 22:21:41 -05:00
81aa65ba62
Bump elliptic from 6.4.1 to 6.5.3 ( #1919 )
...
Bumps [elliptic](https://github.com/indutny/elliptic ) from 6.4.1 to 6.5.3.
- [Release notes](https://github.com/indutny/elliptic/releases )
- [Commits](https://github.com/indutny/elliptic/compare/v6.4.1...v6.5.3 )
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-08-02 21:08:49 -05:00
da18b9db94
Update credentials in Readme. ( #1914 )
...
The credentials were listed as admin/gophish, but this changed in v0.10.1, as per: https://docs.getgophish.com/user-guide/getting-started
2020-07-28 20:35:40 -05:00
b684fb4ebd
Fixing issue where campaigns aren't showing up in the archived tab if they have been marked as completed.
...
Fixes #1892
2020-07-25 14:47:37 -05:00
65f06c138f
Create SECURITY.md
...
Add a very high-level SECURITY.md
2020-07-24 23:14:29 -05:00
19ef924d89
Properly escaping server output when a request is made to ping a malicious webhook URL.
...
Fixes #1901
2020-07-24 23:04:55 -05:00
b25f5ac5e4
Updated PapaParse config to prevent CSV injection.
...
I've updated the PapaParse JS library to the latest version from the master branch which supports the `escapeForumlae` option in order to prevent malicious event entries from being parsed and executed by the Gophish user's spreadsheet software.
When a new PapaParse release is created, I'll update this code to use the updated minified file.
2020-07-24 22:44:24 -05:00
4e9b94b641
Fixed validation when setting IMAP hostname
2020-07-17 22:40:10 -05:00
cf7d058f1d
Fixed config test to match new default logger
2020-07-17 22:23:44 -05:00
1c5ad85de1
Added handling for default logger if one is not specified. Fixes #1899
2020-07-17 22:14:04 -05:00
f2042de3bc
Bump lodash from 4.17.15 to 4.17.19 ( #1898 )
...
Bumps [lodash](https://github.com/lodash/lodash ) from 4.17.15 to 4.17.19.
- [Release notes](https://github.com/lodash/lodash/releases )
- [Commits](https://github.com/lodash/lodash/compare/4.17.15...4.17.19 )
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2020-07-17 22:09:17 -05:00
afa00e2a9c
Add ability to provide initial API key on service standup ( #1883 )
2020-07-01 22:06:31 -05:00
bf76f86ea4
Adds environment variable to set the initial admin password
...
This change adds a `GOPHISH_INITIAL_ADMIN_PASSWORD` environment variable so that system administrators can set the initial admin password rather than having it randomly generated. This is especially useful in automated deployment scenarios, or scenarios using Docker (ref #1876 , #1874 )
2020-06-25 08:31:28 -05:00
bb7de8df3e
Initial Implementation of a Password Policy ( #1867 )
...
This PR adds the initial work to implement a password policy as defined in #1538 .
Specifically, this implements the following
* Rate limiting for the login handler
* Implementing the ability for system admins to require a user to reset their password
* Implementing a password policy that requires passwords to be a minimum of 8 characters
* Removes the default password (gophish) for admin users to instead have the password randomly generated when Gophish first starts up
* Adds a password strength meter when choosing a new password
Fixes #1538
2020-06-19 22:03:51 -05:00
0f6439de5a
gofmt'ing the IMAP changes
2020-06-16 20:13:24 -05:00
61bbb22f7c
Updating the modules used for IMAP and email support
...
$ go get -u github.com/jordan-wright/email
$ go build
$ go mod tidy
2020-06-16 20:10:12 -05:00
6f95da00ba
IMAP update; new library and attachment support ( #1791 )
...
Updates the IMAP processing to use a more mature library. This allows for more robust IMAP support.
Additionally, this adds support for reporting emails as attachments.
2020-06-16 20:02:09 -05:00
8ebdb43469
Documentation and code cleanup for webhooks
2020-06-13 13:44:20 -05:00
ec8b17238e
General code cleanup as part of an effort to integrate staticcheck into our CI pipeline.
2020-05-25 21:46:36 -05:00
0961e22126
Removed unneeded print statement
2020-05-25 20:55:00 -05:00
782f80fa12
Bumped version to 0.10.1
2020-05-24 22:26:48 -05:00
Glenn Wilkinson
dependabot[bot]
Shubhendra Singh Chauhan
Jordan Wright
ssssdl
Andrew
Stuart Small