From 8bb359abbdd5cdaa2d50f708424d67a1dd9b7c1e Mon Sep 17 00:00:00 2001
From: djbadders <34887832+djbadders@users.noreply.github.com>
Date: Wed, 17 Feb 2021 17:41:30 +0000
Subject: [PATCH 1/2] Fixes to security
---
Monitor/Pages/_get/DownloadFile.cshtml.cs | 13 ++--
Monitor/_Internal/BasePageModelSecure.cs | 68 ++++++++++++++++----
Monitor/_Internal/BasePageModelSecureAJAX.cs | 49 ++------------
3 files changed, 66 insertions(+), 64 deletions(-)
diff --git a/Monitor/Pages/_get/DownloadFile.cshtml.cs b/Monitor/Pages/_get/DownloadFile.cshtml.cs
index 63498ca..2d7cfed 100644
--- a/Monitor/Pages/_get/DownloadFile.cshtml.cs
+++ b/Monitor/Pages/_get/DownloadFile.cshtml.cs
@@ -1,11 +1,6 @@
-using System;
-using System.Collections;
-using System.Collections.Generic;
-using System.Linq;
+using System.Collections;
using Core.Main;
using Core.Helper;
-using Core.Main.DataObjects.PTMagicData;
-using Core.MarketAnalyzer;
namespace Monitor.Pages {
public class DownloadFileModel : _Internal.BasePageModelSecure {
@@ -14,7 +9,11 @@ namespace Monitor.Pages {
// Initialize Config
base.Init();
- InitializeDownload();
+ // Check we have a log in
+ if (base.IsLoggedIn(this.HttpContext))
+ {
+ InitializeDownload();
+ }
}
private void InitializeDownload() {
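Review bot: `base.IsLoggedIn(this.HttpContext)` re-runs the check that `base.Init()` on the line above has just performed, including the remember-me cookie decryption and the session write, because `Init()` in BasePageModelSecure (next file in this patch) discards the result and only issues a `Response.Redirect`, which does not end the handler. Having `Init()` return the login state — `public bool Init()`, computing `bool loggedIn = IsLoggedIn(this.HttpContext);` before the redirect and ending with `return loggedIn;` — lets this page write `if (base.Init()) { InitializeDownload(); }` and gives every other page deriving from BasePageModelSecure or BasePageModelSecureAJAX the same guard without a second check; callers that ignore the return value are unaffected. The handler enclosing this hunk begins outside it.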
diff --git a/Monitor/_Internal/BasePageModelSecure.cs b/Monitor/_Internal/BasePageModelSecure.cs
index 12ff0ee..080b8ef 100644
--- a/Monitor/_Internal/BasePageModelSecure.cs
+++ b/Monitor/_Internal/BasePageModelSecure.cs
@@ -7,32 +7,72 @@ namespace Monitor._Internal
{
public class BasePageModelSecure : BasePageModel
{
+ // The string to redirect to if it fails security
+ protected string _redirectUrl;
+
+ public BasePageModelSecure(string redirect = null)
+ {
+ // Configure redirect URL
+ _redirectUrl = !String.IsNullOrEmpty(redirect) ? redirect : "Login";
+ }
+
+ ///
+ /// Must be called from inheritting pages to check security
+ ///
public void Init()
{
+ // Initialise base class
base.PreInit();
- if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
+ // Security check
+ if (!IsLoggedIn(this.HttpContext))
{
- bool redirectToLogin = true;
- if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
+ HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + _redirectUrl);
+ }
+ }
+
+ ///
+ /// Check to see a user if logged in interactively
+ ///
+ /// Boolean - User logged in or not
+ protected Boolean IsLoggedIn(HttpContext context)
+ {
+ bool isLoggedIn = false;
+
+ if (PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
+ {
+ // Do we have a session active?
+ if (!String.IsNullOrEmpty(context.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())))
{
- string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
- if (!rememberMeKey.Equals(""))
+ isLoggedIn = true;
+ }
+ else
+ {
+ // Do we have a auto login cookie?
+ if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
{
- string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
- if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
+ string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
+ if (!rememberMeKey.Equals(""))
{
- HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
- redirectToLogin = false;
+ string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
+ if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
+ {
+ context.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
+ isLoggedIn = true;
+ }
}
}
}
-
- if (redirectToLogin)
- {
- HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
- }
}
+ else
+ {
+ // No password required
+ isLoggedIn = true;
+ }
+
+ return isLoggedIn;
}
+
}
+
}
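Review bot: `IsLoggedIn(HttpContext context)` reads the session through the `context` parameter (`context.Session.GetString` / `context.Session.SetString`) but the cookies through the page's own `Request` (`Request.Cookies.ContainsKey`, `Request.Cookies["PTMRememberMeKey"]`), so the parameter is only half-honoured; use `context.Request.Cookies` throughout, or drop the parameter and use `HttpContext` directly. The remember-me branch compares the decrypted cookie with the configured password via `encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword)`, an early-exit comparison; `CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(encryptedPassword), Encoding.UTF8.GetBytes(PTMagicConfiguration.SecureSettings.MonitorPassword))` (System.Security.Cryptography, .NET Core 2.1+) avoids leaking the match position through timing. If `EncryptionHelper.Decrypt` throws on a malformed or tampered cookie value — I cannot see its implementation — that exception escapes `IsLoggedIn` and `Init()` as a server error instead of the cookie simply being treated as invalid, so a `catch` that leaves `isLoggedIn` false and clears the cookie would be safer. Minor: `protected Boolean` is conventionally `protected bool`, and the doc comment reads "inheritting" for "inheriting".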
diff --git a/Monitor/_Internal/BasePageModelSecureAJAX.cs b/Monitor/_Internal/BasePageModelSecureAJAX.cs
index c1c7c6a..c69cc4d 100644
--- a/Monitor/_Internal/BasePageModelSecureAJAX.cs
+++ b/Monitor/_Internal/BasePageModelSecureAJAX.cs
@@ -1,49 +1,12 @@
-using System;
-using System.IO;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Mvc.RazorPages;
-using Microsoft.Extensions.Configuration;
-using Microsoft.Extensions.DependencyInjection;
-using Newtonsoft.Json;
-using Core.Main;
-using Core.Helper;
-using Core.Main.DataObjects.PTMagicData;
-using Core.MarketAnalyzer;
-using Core.ProfitTrailer;
-using Microsoft.Extensions.Primitives;
-
-namespace Monitor._Internal
+namespace Monitor._Internal
{
- public class BasePageModelSecureAJAX : BasePageModel
+ public class BasePageModelSecureAJAX : BasePageModelSecure
{
- public void Init()
- {
- base.PreInit();
-
- if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
- {
- bool redirectToLogin = true;
- if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
- {
- string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
- if (!rememberMeKey.Equals(""))
- {
- string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
- if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
- {
- HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
- redirectToLogin = false;
- }
- }
- }
-
- if (redirectToLogin)
- {
- HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "_get/ReturnToLogin");
- }
- }
+ public BasePageModelSecureAJAX() : base(@"_get/ReturnToLogin") {
+ // Logic in base class
}
+
}
+
}
From 03b2acdf43194413c719e5180c680bbd5e305011 Mon Sep 17 00:00:00 2001
From: djbadders <34887832+djbadders@users.noreply.github.com>
Date: Wed, 17 Feb 2021 18:32:07 +0000
Subject: [PATCH 2/2] Security fix to avoid using the assets folder when
creating zips
---
Monitor/Pages/_get/DownloadFile.cshtml.cs | 26 +++++++++++++++++------
Monitor/Startup.cs | 10 ++++++++-
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/Monitor/Pages/_get/DownloadFile.cshtml.cs b/Monitor/Pages/_get/DownloadFile.cshtml.cs
index 2d7cfed..900fa5a 100644
--- a/Monitor/Pages/_get/DownloadFile.cshtml.cs
+++ b/Monitor/Pages/_get/DownloadFile.cshtml.cs
@@ -1,5 +1,7 @@
-using System.Collections;
-using Core.Main;
+using System;
+using System.Collections;
+using System.IO;
+using Microsoft.Net.Http.Headers;
using Core.Helper;
namespace Monitor.Pages {
@@ -16,19 +18,29 @@ namespace Monitor.Pages {
}
}
- private void InitializeDownload() {
+ private async void InitializeDownload() {
+ // Zip the file in an non web accessible folder
string fileName = GetStringParameter("f", "");
+ string tempFolder = PTMagicMonitorBasePath + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
+
if (System.IO.File.Exists(PTMagicBasePath + fileName)) {
- if (!System.IO.Directory.Exists(PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar)) {
- System.IO.Directory.CreateDirectory(PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar);
+ if (!System.IO.Directory.Exists(tempFolder)) {
+ System.IO.Directory.CreateDirectory(tempFolder);
}
string sourcefilePath = PTMagicBasePath + fileName;
- string destinationFilePath = PTMagicMonitorBasePath + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar + fileName + ".zip";
+ string destinationFilePath = tempFolder + fileName + ".zip";
ZIPHelper.CreateZipFile(new ArrayList() { sourcefilePath }, destinationFilePath);
- Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "assets/tmp/" + fileName + ".zip");
+ // Write out the file
+ var data = System.IO.File.ReadAllBytes(destinationFilePath);
+
+ Response.ContentType = "application/zip";
+ Response.Headers[HeaderNames.CacheControl] = "no-cache";
+ Response.Headers[HeaderNames.ContentDisposition] = String.Format("attachment; filename={0}", fileName);
+ await Response.BodyWriter.WriteAsync(new Memory(data));
+ Response.BodyWriter.Complete();
}
}
}
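Review bot: `private async void InitializeDownload()` means the page handler that calls it (outside this hunk) returns before the body has been written, so the framework can proceed with the response while the zip is still being streamed and any exception from the write is unobservable; make it `private async Task` (needs `using System.Threading.Tasks;`) and `await` it from an async handler. The method also trusts the `f` query value as-is: `System.IO.File.Exists(PTMagicBasePath + fileName)`, `sourcefilePath` and `destinationFilePath` all accept separator and parent-directory segments, so the check only confirms that some file exists rather than that it lies under the base path; restrict `f` to a bare file name (or resolve with `Path.GetFullPath` and require the base-path prefix) before touching the filesystem. The `Content-Disposition` built with `String.Format("attachment; filename={0}", fileName)` places an unquoted, unescaped user value into a header; `ContentDispositionHeaderValue` with `SetHttpFileName` from the already-imported `Microsoft.Net.Http.Headers` produces a correctly quoted and encoded value, and naming the download `fileName + ".zip"` matches the content it carries. The archive written to `tempFolder` is never deleted after it is served, so `tmp` grows by one file per download.
```csharp
private async Task InitializeDownload() {
    string fileName = GetStringParameter("f", "");
    // Only a bare file name is accepted, so "f" cannot reach outside PTMagicBasePath
    if (String.IsNullOrEmpty(fileName) || !String.Equals(fileName, System.IO.Path.GetFileName(fileName), StringComparison.Ordinal)) {
        Response.StatusCode = 400;
        return;
    }
    // … unchanged: tempFolder setup, File.Exists check, directory creation, zip creation …
    var data = System.IO.File.ReadAllBytes(destinationFilePath);
    System.IO.File.Delete(destinationFilePath); // per-request artefact, not needed once read

    var disposition = new ContentDispositionHeaderValue("attachment");
    disposition.SetHttpFileName(fileName + ".zip");
    Response.ContentType = "application/zip";
    Response.Headers[HeaderNames.CacheControl] = "no-cache";
    Response.Headers[HeaderNames.ContentDisposition] = disposition.ToString();
    // … unchanged: body write, BodyWriter.Complete and closing braces …
```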
diff --git a/Monitor/Startup.cs b/Monitor/Startup.cs
index b50797d..fa46e14 100644
--- a/Monitor/Startup.cs
+++ b/Monitor/Startup.cs
@@ -7,6 +7,7 @@ using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Core.Main;
+using Core.Helper;
using System.Runtime.InteropServices;
using System.Diagnostics;
@@ -58,6 +59,13 @@ namespace Monitor
{
options.AllowSynchronousIO = true;
});
+
+ // Remove the old tmp folder if it exists
+ string oldTmpFolder = monitorBasePath + System.IO.Path.DirectorySeparatorChar + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
+ if (System.IO.Directory.Exists(oldTmpFolder))
+ {
+ System.IO.Directory.Delete(oldTmpFolder, true);
+ }
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
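Review bot: `System.IO.Directory.Delete(oldTmpFolder, true)` runs unguarded during service configuration, so a locked file or a permission problem in the legacy `wwwroot/assets/tmp` folder aborts Monitor startup for what is only a cleanup of stale download archives. Make it best-effort: `try { System.IO.Directory.Delete(oldTmpFolder, true); }` / `catch (Exception ex) when (ex is System.IO.IOException || ex is UnauthorizedAccessException) { /* stale tmp cleanup is best-effort */ }`, logging the failure if a logger is reachable at this point, which the hunk does not show. The enclosing method starts outside the hunk.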
@@ -77,7 +85,7 @@ namespace Monitor
// Configure request pipeline
app.UseStaticFiles();
app.UseSession();
- app.UseMvcWithDefaultRoute();
+ app.UseMvcWithDefaultRoute();
// Open the browser
if (systemConfiguration.GeneralSettings.Monitor.OpenBrowserOnStart) OpenBrowser("http://localhost:" + systemConfiguration.GeneralSettings.Monitor.Port.ToString());