trading
/
PTMagic
mirror of https://github.com/PTMagicians/PTMagic.git
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #267 from djbadders/develop 

Fixes security issues around configuration download
This commit is contained in:
HojouFotytu 2021-02-18 12:40:21 +09:00 committed by GitHub
parent b5232a9bca dfa4b382c3
commit 0a15c7c8c9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 121 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Monitor/Pages/_get/DownloadFile.cshtml Normal file
View File

@ -0,0 +1,5 @@
@page
@model DownloadFileModel
@{
Layout = null;
}

47
Monitor/Pages/_get/DownloadFile.cshtml.cs Normal file
View File

@ -0,0 +1,47 @@
using System;
using System.Collections;
using System.IO;
using Microsoft.Net.Http.Headers;
using Core.Helper;
namespace Monitor.Pages {
public class DownloadFileModel : _Internal.BasePageModelSecure {
public void OnGet() {
// Initialize Config
base.Init();
// Check we have a log in
if (base.IsLoggedIn(this.HttpContext))
{
InitializeDownload();
}
}
private async void InitializeDownload() {
// Zip the file in an non web accessible folder
string fileName = GetStringParameter("f", "");
string tempFolder = PTMagicMonitorBasePath + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
if (System.IO.File.Exists(PTMagicBasePath + fileName)) {
if (!System.IO.Directory.Exists(tempFolder)) {
System.IO.Directory.CreateDirectory(tempFolder);
}
string sourcefilePath = PTMagicBasePath + fileName;
string destinationFilePath = tempFolder + fileName + ".zip";
ZIPHelper.CreateZipFile(new ArrayList() { sourcefilePath }, destinationFilePath);
// Write out the file
var data = System.IO.File.ReadAllBytes(destinationFilePath);
Response.ContentType = "application/zip";
Response.Headers[HeaderNames.CacheControl] = "no-cache";
Response.Headers[HeaderNames.ContentDisposition] = String.Format("attachment; filename={0}", fileName);
await Response.BodyWriter.WriteAsync(new Memory<byte>(data));
Response.BodyWriter.Complete();
}
}
}
}

10
Monitor/Startup.cs
View File

@ -7,6 +7,7 @@ using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Core.Main;
using Core.Helper;
using System.Runtime.InteropServices;
using System.Diagnostics;
@ -58,6 +59,13 @@ namespace Monitor
{
options.AllowSynchronousIO = true;
});
// Remove the old tmp folder if it exists
string oldTmpFolder = monitorBasePath + System.IO.Path.DirectorySeparatorChar + "wwwroot" + System.IO.Path.DirectorySeparatorChar + "assets" + System.IO.Path.DirectorySeparatorChar + "tmp" + System.IO.Path.DirectorySeparatorChar;
if (System.IO.Directory.Exists(oldTmpFolder))
{
System.IO.Directory.Delete(oldTmpFolder, true);
}
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
@ -77,7 +85,7 @@ namespace Monitor
// Configure request pipeline
app.UseStaticFiles();
app.UseSession();
app.UseMvcWithDefaultRoute();
app.UseMvcWithDefaultRoute();
// Open the browser
if (systemConfiguration.GeneralSettings.Monitor.OpenBrowserOnStart) OpenBrowser("http://localhost:" + systemConfiguration.GeneralSettings.Monitor.Port.ToString());

68
Monitor/_Internal/BasePageModelSecure.cs
View File

@ -7,32 +7,72 @@ namespace Monitor._Internal
{
public class BasePageModelSecure : BasePageModel
{
// The string to redirect to if it fails security
protected string _redirectUrl;
public BasePageModelSecure(string redirect = null)
{
// Configure redirect URL
_redirectUrl = !String.IsNullOrEmpty(redirect) ? redirect : "Login";
}
/// <summary>
/// Must be called from inheritting pages to check security
/// </summary>
public void Init()
{
// Initialise base class
base.PreInit();
if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
// Security check
if (!IsLoggedIn(this.HttpContext))
{
bool redirectToLogin = true;
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + _redirectUrl);
}
}
/// <summary>
/// Check to see a user if logged in interactively
/// </summary>
/// <returns>Boolean - User logged in or not</returns>
protected Boolean IsLoggedIn(HttpContext context)
{
bool isLoggedIn = false;
if (PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
{
// Do we have a session active?
if (!String.IsNullOrEmpty(context.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())))
{
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
if (!rememberMeKey.Equals(""))
isLoggedIn = true;
}
else
{
// Do we have a auto login cookie?
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
{
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
if (!rememberMeKey.Equals(""))
{
HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
redirectToLogin = false;
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
{
context.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
isLoggedIn = true;
}
}
}
}
if (redirectToLogin)
{
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "Login");
}
}
else
{
// No password required
isLoggedIn = true;
}
return isLoggedIn;
}
}
}

49
Monitor/_Internal/BasePageModelSecureAJAX.cs
View File

@ -1,49 +1,12 @@
using System;
using System.IO;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Newtonsoft.Json;
using Core.Main;
using Core.Helper;
using Core.Main.DataObjects.PTMagicData;
using Core.MarketAnalyzer;
using Core.ProfitTrailer;
using Microsoft.Extensions.Primitives;
namespace Monitor._Internal
namespace Monitor._Internal
{
public class BasePageModelSecureAJAX : BasePageModel
public class BasePageModelSecureAJAX : BasePageModelSecure
{
public void Init()
{
base.PreInit();
if (String.IsNullOrEmpty(HttpContext.Session.GetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString())) && PTMagicConfiguration.GeneralSettings.Monitor.IsPasswordProtected)
{
bool redirectToLogin = true;
if (Request.Cookies.ContainsKey("PTMRememberMeKey"))
{
string rememberMeKey = Request.Cookies["PTMRememberMeKey"];
if (!rememberMeKey.Equals(""))
{
string encryptedPassword = EncryptionHelper.Decrypt(Request.Cookies["PTMRememberMeKey"]);
if (encryptedPassword.Equals(PTMagicConfiguration.SecureSettings.MonitorPassword))
{
HttpContext.Session.SetString("LoggedIn" + PTMagicConfiguration.GeneralSettings.Monitor.Port.ToString(), DateTime.UtcNow.ToString("yyyy'-'MM'-'dd'T'HH':'mm':'ss'.'fff'Z'"));
redirectToLogin = false;
}
}
}
if (redirectToLogin)
{
HttpContext.Response.Redirect(PTMagicConfiguration.GeneralSettings.Monitor.RootUrl + "_get/ReturnToLogin");
}
}
public BasePageModelSecureAJAX() : base(@"_get/ReturnToLogin") {
// Logic in base class
}
}
}