Commit Graph

30 Commits (eb016a437cf60ad3f2f154bb496cbb09c6074d64)

Author SHA1 Message Date
Jordan Wright e3352f481e
Implement SSRF Mitigations (#1940)
Initial commit of SSRF mitigations.

This fixes #1908 by creating a *net.Dialer which restricts outbound connections to only allowed IP ranges. This implementation is based on the blog post at https://www.agwa.name/blog/post/preventing_server_side_request_forgery_in_golang

To keep things backwards compatible, by default we'll only block connections to 169.254.169.254, the link-local IP address commonly used in cloud environments to retrieve metadata about the running instance. For other internal addresses (e.g. localhost or RFC 1918 addresses), it's assumed that those are available to Gophish.

To support more secure environments, we introduce the `allowed_internal_hosts` configuration option where an admin can set one or more IP ranges in CIDR format. If addresses are specified here, then all internal connections will be blocked except to these hosts.

There are various bits about this approach I don't really like. For example, since various packages all need this functionality, I had to make the RestrictedDialer a global singleton rather than a dependency off of, say, the admin server. Additionally, since webhooks are implemented via a singleton, I had to introduce a new function, `SetTransport`.

Finally, I had to make an update in the gomail package to support a custom net.Dialer.
2020-08-20 09:36:18 -05:00
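The commit message above describes the mechanism (a `*net.Dialer` that checks the resolved destination IP before connecting, blocking only 169.254.169.254 by default, and treating `allowed_internal_hosts` as an allow-list for internal ranges once it is set). The following is an added, self-contained illustration of that pattern, not Gophish's own `RestrictedDialer` or the code from the linked blog post. The type and function names, the set of ranges treated as "internal" (RFC 1918, loopback and link-local plus their IPv6 counterparts), the 30-second timeout, and the choice to keep the metadata address blocked even when an allow-list covers it are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// ErrBlocked is returned for any destination the policy refuses to connect to.
var ErrBlocked = errors.New("restricted dialer: destination address is not permitted")

// Default block list: only the cloud metadata address, mirroring the
// backward-compatible default described in the commit message.
var defaultBlocked = mustParseCIDRs("169.254.169.254/32")

// Assumed definition of "internal" for this example (not the project's list):
// loopback, link-local and RFC 1918 space, plus their IPv6 counterparts.
var internalRanges = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
	"::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets, err := parseCIDRs(cidrs)
	if err != nil {
		panic(err)
	}
	return nets
}

// parseCIDRs validates admin-supplied ranges; a single bad entry rejects the whole config.
func parseCIDRs(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func containsIP(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) { // handles IPv4-mapped IPv6 addresses transparently
			return true
		}
	}
	return false
}

// RestrictedDialer decides, per connection attempt, whether the resolved destination IP is permitted.
type RestrictedDialer struct {
	blocked         []*net.IPNet
	allowedInternal []*net.IPNet // empty means every internal address is reachable (default mode)
}

// NewRestrictedDialer takes the allowed_internal_hosts CIDRs; with none given, only the metadata address is blocked.
func NewRestrictedDialer(allowedInternalHosts []string) (*RestrictedDialer, error) {
	allowed, err := parseCIDRs(allowedInternalHosts)
	if err != nil {
		return nil, err
	}
	return &RestrictedDialer{blocked: defaultBlocked, allowedInternal: allowed}, nil
}

// Check applies the policy to one destination IP.
func (d *RestrictedDialer) Check(ip net.IP) error {
	if ip == nil {
		return ErrBlocked // fail closed on anything that is not a literal IP (e.g. zoned IPv6)
	}
	if containsIP(d.blocked, ip) {
		return ErrBlocked // example's choice: metadata stays blocked even if an allow-list covers it
	}
	if len(d.allowedInternal) == 0 || !containsIP(internalRanges, ip) {
		return nil // default mode, or a public destination
	}
	if containsIP(d.allowedInternal, ip) {
		return nil
	}
	return ErrBlocked
}

// control runs after name resolution and before connect(2), so the IP actually being
// connected to is checked rather than the hostname supplied by the user.
func (d *RestrictedDialer) control(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	return d.Check(net.ParseIP(host))
}

// Dialer returns a *net.Dialer that enforces the policy; pass it to any client that accepts a custom dialer.
func (d *RestrictedDialer) Dialer() *net.Dialer {
	return &net.Dialer{Timeout: 30 * time.Second, Control: d.control}
}

// Transport wraps the dialer for http.Client use (e.g. webhook delivery).
func (d *RestrictedDialer) Transport() *http.Transport {
	return &http.Transport{DialContext: d.Dialer().DialContext}
}

func main() {
	d, _ := NewRestrictedDialer([]string{"10.0.0.0/8"})
	for _, ip := range []string{"169.254.169.254", "10.1.2.3", "127.0.0.1", "93.184.216.34"} {
		fmt.Printf("%-16s %v\n", ip, d.Check(net.ParseIP(ip)))
	}
	_ = &http.Client{Transport: d.Transport()} // wired up but not used, so the example runs offline
}
```

Hooking `net.Dialer.Control` rather than pre-resolving the hostname is what makes the check robust against DNS rebinding: the policy sees the address `connect(2)` is about to use, and it is re-evaluated for every address the resolver returns and for every redirect the HTTP client follows.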
Jordan Wright cf7d058f1d Fixed config test to match new default logger 2020-07-17 22:23:44 -05:00
Jordan Wright 1c5ad85de1 Added handling for default logger if one is not specified. Fixes #1899 2020-07-17 22:14:04 -05:00
Jordan Wright ec8b17238e General code cleanup as part of an effort to integrate staticcheck into our CI pipeline. 2020-05-25 21:46:36 -05:00
Jordan Wright a0e8c4a369 Added optional csrf_key to config to better support H/A configurations. Fixes #1816. Fixes #1820. 2020-04-23 23:16:44 -05:00
Jordan Wright be459e47bf
Refactoring tests to remove stretchr/testify dependency 2020-02-01 21:44:50 -06:00
Jordan Wright caede2e40b
Refactoring Logging (#1722)
* Added ParseLevel to set log level (#1671)
* Moved logger config into the logger package for better decoupling. Added logging tests.

Co-authored-by: Amal Alkhamees <Amalkh5@users.noreply.github.com>
2020-01-16 22:21:58 -06:00
Christian Schwartz 26d99b5a65 Add support for encrypted connections to mysql (#1460) 2019-06-03 22:04:54 -05:00
Jordan Wright 47f0049c30
Refactor servers (#1321)
* Refactoring servers to support custom workers and graceful shutdown.
* Refactoring workers to support custom mailers.
* Refactoring mailer to be an interface, with proper instances instead of a single global instance
* Cleaning up a few things. Locking maillogs for campaigns set to launch immediately to prevent a race condition.
* Cleaning up API middleware to be simpler
* Moving template parameters to separate struct
* Changed LoadConfig to return config object
* Cleaned up some error handling, removing uninitialized global error in models package
* Changed static file serving to use the unindexed package
2018-12-15 15:42:32 -06:00
Jordan Wright 10aa98b760 Moving logging configuration into its own section of the config 2018-10-06 17:51:49 -05:00
Jordan Wright bef52d36f1 Adding ability to log to file as well as stderr. Fixes #441. Fixes #1209. 2018-10-06 15:47:31 -05:00
Jordan Wright 9f334281ab Added X-Mailer and X-Gophish-Contact headers (Ref: #1057) 2018-06-18 21:37:59 -05:00
Jordan Wright 64c5e54c64 Added a contact_address entry in config.json to support transparency efforts (ref #1057).
Also added a warning in the case where a contact address isn't provided, and fixed the JSON formatting of the configuration.
2018-06-09 18:17:22 -05:00
Jordan Wright 5d23263898
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-03 19:07:41 -05:00
Jordan Wright 76ece15b71
Email refactoring (#878)
The initial pass at refactoring the way we send emails.
2017-12-09 15:42:07 -06:00
Jordan Wright ca1e52148b Adding VERSION file and bumping version to 0.4-dev. Fixes #742 2017-09-05 21:54:32 -05:00
Jordan Wright 772fe28c06 Added config.json CLI flag: --config 2017-06-09 00:14:03 -05:00
Jordan Wright 2514bccb05 Bumped the version to 0.3 in preparation for the new binaries to be released. 2017-03-01 20:12:32 -06:00
Jordan Wright f12af50d46 Adding support for Mysql (#442)
Thanks, @svigne1!

Fixes #53
2016-11-19 10:37:22 -06:00
Jordan Wright 670347e057 Bumping version number to 0.3-dev 2016-11-18 22:17:26 -06:00
Jordan Wright 3a37849324 Removed unneeded SMTP config in favor of the Sending Profiles. Fixes #434 2016-11-18 19:05:47 -06:00
Jordan Wright 33df3c3868 Added the version to the settings page. 2016-08-06 18:58:34 -05:00
Jordan Wright 32aaa15da7 Added documentation for multiple endpoints. Fixes #54 2016-01-24 20:47:16 -06:00
Jordan Wright 379edf73a3 Adding first round of database migrations using goose 2016-01-18 21:13:32 -06:00
William Woodson 44852546e0 Added UseTLS config option for both Admin and Phish servers 2016-01-17 10:45:13 -06:00
Jordan c9d00059b0 Updated dashboard diagrams 2014-07-05 22:57:17 -05:00
Jordan 0f603e6501 Added http handler for phishing endpoint - Will add content soon
Updated config.go to reflect the new changes
2014-06-29 16:44:16 -05:00
Jordan cb9c405f46 Added better testing with gocheck
Fixed some typos leading to syntax errors
TODO: Finish up gorm integration into templates
2014-03-26 21:42:07 -05:00
Jordan 584d7dbc23 Major refactoring - modularized models into separate files. Removed db package (moved to models)
I will be looking to migrate to gorm (instead of gorp) soon!
2014-03-24 22:31:33 -05:00
Jordan 7f084760f9 Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture.
Added doc.go for each package
2014-01-09 00:42:05 -06:00