1
0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2024-11-14 15:13:29 +01:00

minor security updates

This commit is contained in:
paulwer 2024-04-07 13:26:10 +02:00
parent b7378b9b10
commit 832397a98e
4 changed files with 16 additions and 23 deletions

View File

@ -190,18 +190,7 @@ class BrevoController extends BaseController
{
$input = $request->all();
// validation for client mail credentials by recipient
if ($request->has('company_key')) {
if (!($request->has('token')))
return response()->json(['message' => 'Unauthorized'], 403);
MultiDB::findAndSetDbByCompanyKey($request->has('company_key'));
$company = Company::where('company_key', $request->has('company_key'))->first();
$company_brevo_secret = $company?->settings?->email_sending_method === 'client_brevo' && $company?->settings?->brevo_secret ? $company->settings->brevo_secret : null;
if (!$company || !$company_brevo_secret || $request->get('token') !== $company_brevo_secret)
return response()->json(['message' => 'Unauthorized'], 403);
} else if (!($request->has('token') && $request->get('token') == config('services.brevo.secret')))
if (!($request->has('token') && $request->get('token') == config('ninja.inbound_mailbox.inbound_webhook_token')))
return response()->json(['message' => 'Unauthorized'], 403);
if (!array_key_exists('items', $input)) {

View File

@ -126,12 +126,13 @@ class MailgunController extends BaseController
// @turbo124 TODO: how to check for services.mailgun.webhook_signing_key on company level, when custom credentials are defined
// TODO: validation for client mail credentials by recipient
if (\hash_equals(\hash_hmac('sha256', $input['timestamp'] . $input['token'], config('services.mailgun.webhook_signing_key')), $input['signature'])) {
$authorizedByHash = \hash_equals(\hash_hmac('sha256', $input['timestamp'] . $input['token'], config('services.mailgun.webhook_signing_key')), $input['signature']);
$authorizedByToken = $request->has('token') && $request->get('token') == config('ninja.inbound_mailbox.inbound_webhook_token');
if (!$authorizedByHash && !$authorizedByToken)
return response()->json(['message' => 'Unauthorized'], 403);
ProcessMailgunInboundWebhook::dispatch($input["sender"] . "|" . $input["recipient"] . "|" . $input["message-url"])->delay(10);
return response()->json(['message' => 'Success'], 201);
}
return response()->json(['message' => 'Unauthorized'], 403);
return response()->json(['message' => 'Success.'], 200);
}
}

View File

@ -275,17 +275,19 @@ class PostMarkController extends BaseController
$input = $request->all();
if (!($request->has('token') && $request->get('token') == config('ninja.inbound_mailbox.inbound_webhook_token')))
return response()->json(['message' => 'Unauthorized'], 403);
if (!(array_key_exists("MessageStream", $input) && $input["MessageStream"] == "inbound") || !array_key_exists("To", $input) || !array_key_exists("From", $input) || !array_key_exists("MessageID", $input)) {
Log::info('Failed: Message could not be parsed, because required parameters are missing.');
return response()->json(['message' => 'Failed. Missing/Invalid Parameters.'], 400);
}
// // TODO: security
// if (!($request->header('X-API-SECURITY') && $request->header('X-API-SECURITY') == config('services.postmark.token')))
// return response()->json(['message' => 'Unauthorized'], 403);
$inboundEngine = new InboundMailEngine();
if ((new InboundMailEngine())->isInvalidOrBlocked($input["From"], $input["To"])) {
if ($inboundEngine->isInvalidOrBlocked($input["From"], $input["To"])) {
Log::info('Failed: Sender is blocked: ' . $input["From"] . " Recipient: " . $input["To"]);
$inboundEngine->saveMeta($input["From"], $input["To"]);
return response()->json(['message' => 'Blocked.'], 403);
}
@ -309,12 +311,12 @@ class PostMarkController extends BaseController
}
} catch (\Exception $e) {
(new InboundMailEngine())->saveMeta($input["From"], $input["To"]); // important to save this, to protect from spam
$inboundEngine->saveMeta($input["From"], $input["To"]); // important to save this, to protect from spam
throw $e;
}
// perform
(new InboundMailEngine())->handle($inboundMail);
$inboundEngine->handle($inboundMail);
return response()->json(['message' => 'Success'], 200);
}

View File

@ -239,6 +239,7 @@ return [
'inbound_mailbox' => [
'expense_mailbox_template' => env('EXPENSE_MAILBOX_TEMPLATE', null),
'expense_mailbox_endings' => env('EXPENSE_MAILBOX_ENDINGS', '@expense.invoicing.co'),
'inbound_webhook_key' => env('INBOUND_WEBHOOK_KEY', null)
],
'cloudflare' => [
'turnstile' => [