Documentation and don't-know-where-it-belongs issues
siwecos / siwecos-business-layer
SIWECOS Main API and Business Layer Application
Home Page: https://siwecos.de
I just changed my account's mail address to another address and it was stored without the need to re-confirm the new mail address.
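The flow that the report above is asking for, as an added example written for this page (it is not code from the SIWECOS business layer): the new address is only stored as pending, a confirmation token is mailed to that new address, and the account's address is swapped only when the token comes back. The `User` and `EmailChangeService` classes, the one-hour validity and the SHA-256 token hashing are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SIWECOS code: a mail-address change that is only applied
// after the NEW address confirmed a token that was sent to it. User and
// EmailChangeService are illustrative names, not classes of the BLA.

final class User
{
    public string $email;
    public ?string $pendingEmail = null;
    public ?string $pendingTokenHash = null;
    public ?int $pendingExpiresAt = null;

    public function __construct(string $email)
    {
        $this->email = $email;
    }
}

final class EmailChangeService
{
    private const TOKEN_TTL = 3600; // seconds the confirmation link stays valid (assumption)

    /**
     * Records the requested address and returns the raw token that must be
     * mailed to the NEW address. The current address stays in effect.
     */
    public function requestChange(User $user, string $newEmail, int $now): string
    {
        if (filter_var($newEmail, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('invalid mail address');
        }
        $token = bin2hex(random_bytes(32));
        $user->pendingEmail = $newEmail;
        $user->pendingTokenHash = hash('sha256', $token); // persist the hash only
        $user->pendingExpiresAt = $now + self::TOKEN_TTL;
        return $token;
    }

    /** Applies the pending address only for a matching, unexpired token. */
    public function confirmChange(User $user, string $token, int $now): bool
    {
        if ($user->pendingEmail === null || $user->pendingTokenHash === null) {
            return false;
        }
        if ($user->pendingExpiresAt === null || $now > $user->pendingExpiresAt) {
            $this->clearPending($user); // stale request, force a new one
            return false;
        }
        // constant-time comparison of the hashes
        if (!hash_equals($user->pendingTokenHash, hash('sha256', $token))) {
            return false;
        }
        $user->email = $user->pendingEmail;
        $this->clearPending($user); // token is single-use
        return true;
    }

    private function clearPending(User $user): void
    {
        $user->pendingEmail = null;
        $user->pendingTokenHash = null;
        $user->pendingExpiresAt = null;
    }
}

// Usage with constructed sample data
$user = new User('owner@example.de');
$service = new EmailChangeService();
$token = $service->requestChange($user, 'new@example.de', time());

var_dump($user->email === 'owner@example.de');                      // true: unchanged until confirmed
var_dump($service->confirmChange($user, 'not-the-token', time()));  // false
var_dump($service->confirmChange($user, $token, time()));           // true
var_dump($user->email === 'new@example.de');                        // true
var_dump($service->confirmChange($user, $token, time()));           // false: token is single-use
```

Sending the token to the old address instead of the new one would confirm nothing about the new mailbox; sending a notice to the old address in addition is a reasonable extra, so the legitimate owner learns about a hijack attempt.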
Please take a look at the BLA DB:

```sql
select agb, active, count(active)
from users
group by agb, active
```

agb | active | count(active)
---|---|---
false | false | 7
false | true | 21

No one accepted our AGB?
Recurring scans apparently are not running at the moment.
Web server for each scanner
See Slack
The Business Layer has to pass a callback to the Core, which the Core calls once a scan has finished.
In the callback routine the Business Layer, unless it was a freescan, has to generate the seal and store it in a suitable place (as discussed in the meeting, Google Storage Cloud?).
Please check http(S)://www.tom123.de
It reaches just 99% because of one hidden scan result. Hidden tests shouldn't have any negative impact, we were told.

```json
{
  "scoreType" : "hidden",
  "name" : "PROTOCOLVERSION_TLS13",
  "score" : 0,
  "errorMessage" : null,
  "hasError" : false,
  "testDetails" : null
},
```
The activation mail says:
"This email was generated automatically by the SIWECOS system to verify your domain." (original: "Diese Email wurde automatisch vom SIWECOS System zur Überprüfung Ihrer Domain generiert.")
But it's not the DOMAIN, it's the mail address.
Instead of fixing it, please tell us how to fix it ourselves.
Please do not send out notifications for low score more often than once a week.
Please check whether or not a low score is due to a timeout, and do not send to the user in that case.
Idea: Inform the (yet to be defined) admin mail address. This should be configurable; as long as we do not have proper monitoring for timeouts, I think this feature would be helpful.
Rough sketch:
env has to contain

```
ADMIN=(list-of-)admin-mail-address(es)
ADMIN_NOTIFY=list-of-events
```

where the "list-of-events" will be a comma separated list of possible events (like TIMEOUT).
Just a small mail to env('ADMIN') if env('ADMIN_NOTIFY') matches /\bTIMEOUT\b/.
Subject would be "%EVENT% for %DOMAIN% found at %TIME%".
For the mail body I'm not sure. Maybe url, scan_id, and scan_results.id?
PLEASE NOTICE:
This feature could be used for the mail notifications as well. If "ADMIN_NOTIFY" matches /\bLOWSCORE\b/, mails about low score should go to the admin mail address(es) instead of to the user.
According to https://github.com/SIWECOS/InfoLeak-Scanner/blob/master/doc/InfoLeak_Placeholders.txt it seems {something} is the expected notation for testdetails.
Unfortunately they are not replaced.
So I receive
Verwendete CMS {cms} detektiert. ("Detected CMS in use: {cms}.")
instead of the expected
Verwendete CMS Wordpress detektiert. ("Detected CMS in use: Wordpress.")
Pointless, the token should be enough; belongs to SIWECOS/webapp#12.
Has to be removed here:
https://github.com/SIWECOS/siwecos-business-layer/blob/master/app/Http/Controllers/SiwecosUserController.php#L309
I noticed that there is an issue in the freescan's logic.
The freescan only allows us to see scan results with danger level 0, so that people do not get everything for free.
When a domain is registered and has a seal on its website, its visitors will be able to click the seal and view the score, nothing more.
But what if the visitor starts a freescan for that domain?
They will suddenly see ALL scan results, because no new scan is started but the existing results are shown, even those of DL10.
I think this is an issue, and the freescan results of existing scans have to be filtered.
At the moment this seems impossible, as we do not know the danger level of scanner tests in the scan results.
We think it might be a good idea to have additional accounts for a domain. Maybe with restricted access (just viewing, not starting scans or registering/deleting domains).
Reasoning: When a user wants his service provider to fix the issues found by SIWECOS, it would be good if the service provider could actually see what SIWECOS reports. As we do not have PDF (yet), it might be a good option to allow the service provider to log in and check without having to give them the user's credentials.
If this is too much overhead, another idea could be to allow domain owners to give other registered users read access.
That way a service provider can register one account and will be able to see each domain he was granted access for.
Advantage would be: A service provider just needs to have one account and can manage multiple customers. The idea is similar to "public key authentication" in ssh: The domain owner simply adds one (or more) account names into a list of allowed viewers per domain.
Set up CRON for the scheduler (5 min)
There is no option to reset/recover a lost password.
Adjust the following:
Additional parameter:
https://github.com/SIWECOS/siwecos-business-layer/blob/develop/app/Http/Controllers/SiwecosScanController.php#L193
Update language:
https://github.com/SIWECOS/siwecos-business-layer/blob/develop/app/Http/Controllers/SiwecosScanController.php#L203-L205
Unsorted keywords:
It seems there are no user notifications yet in case new issues were found.
A registered user should receive a mail in case there were (new) issues found on one of his domains.
Try to scan https://sdfsdfsdfghdfkgksdfgf and SIWECOS will happily try to do so without telling the user that the domain does not exist.
/app/Http/Controllers/SiwecosScanController.php Line 239

```php
if ($item['has_error']) {
    $errorRaw = $item['complete_request']['errorMessage'];
    $error = array();
    $error['report'] = html_entity_decode(__('siwecos.' . $errorRaw['placeholder']));
    $error['has_error'] = true;
    $error['score'] = 0;
    if (array_key_exists('values', $errorRaw)) { // <- HERE
```

When has_error is set but the message is missing, this throws an exception.
While a scanner should not deliver hasError:true without a message, BLA should still be able to cope with this.
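A tolerant version of the snippet above, as an added example written for this page and not the project's code. It serves this issue and the earlier one about `{cms}` not being replaced: a missing or malformed `errorMessage` falls back to a generic text instead of failing, and `{name}` tokens are filled from `values` the way the InfoLeak placeholder notation describes. `$translate` stands in for Laravel's `__()` helper, and the `UNKNOWN_ERROR` and `CMS_DETECTED` keys and the language texts are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not SIWECOS code. Builds the error entry for a scan item the
// way the controller snippet does, but tolerates a missing or malformed
// errorMessage and substitutes {placeholder} values. $translate stands in for
// Laravel's __() helper; the language keys used here are assumptions.

/**
 * @param array<string, mixed>      $item       one scanner result as delivered to BLA
 * @param callable(string): string  $translate  language-file lookup, e.g. __()
 * @return array{report: string, has_error: bool, score: int}
 */
function buildErrorEntry(array $item, callable $translate): array
{
    $errorRaw = $item['complete_request']['errorMessage'] ?? null;

    // A scanner that says hasError:true but sends no message must not crash us.
    $placeholder = is_array($errorRaw) && isset($errorRaw['placeholder']) && is_string($errorRaw['placeholder'])
        ? $errorRaw['placeholder']
        : 'UNKNOWN_ERROR';

    $report = html_entity_decode($translate('siwecos.' . $placeholder));

    $values = is_array($errorRaw) && isset($errorRaw['values']) && is_array($errorRaw['values'])
        ? $errorRaw['values']
        : [];

    // Replace {name} tokens; values are inserted as plain text, not as HTML.
    $report = preg_replace_callback(
        '/\{([A-Za-z0-9_]+)\}/',
        static function (array $m) use ($values): string {
            return array_key_exists($m[1], $values) ? (string) $values[$m[1]] : $m[0];
        },
        $report
    );

    return ['report' => $report, 'has_error' => true, 'score' => 0];
}

// Constructed stand-in for the siwecos.php language file
$translate = static function (string $key): string {
    $lang = [
        'siwecos.CMS_DETECTED'  => 'Detected CMS in use: {cms}.',
        'siwecos.UNKNOWN_ERROR' => 'The scanner reported an error without details.',
    ];
    return $lang[$key] ?? $key;
};

// 1) well-formed error with a value to substitute
$item = ['has_error' => true, 'complete_request' => ['errorMessage' => [
    'placeholder' => 'CMS_DETECTED', 'values' => ['cms' => 'Wordpress'],
]]];
echo buildErrorEntry($item, $translate)['report'], PHP_EOL; // Detected CMS in use: Wordpress.

// 2) the case from the issue: has_error set, errorMessage null
$item = ['has_error' => true, 'complete_request' => ['errorMessage' => null]];
echo buildErrorEntry($item, $translate)['report'], PHP_EOL; // The scanner reported an error without details.

// 3) a value that is missing leaves the token visible instead of failing
$item = ['has_error' => true, 'complete_request' => ['errorMessage' => ['placeholder' => 'CMS_DETECTED']]];
echo buildErrorEntry($item, $translate)['report'], PHP_EOL; // Detected CMS in use: {cms}.
```

Treating the scanner's `values` as plain text rather than passing them through `html_entity_decode` is deliberate: the values originate from the scanned site (a CMS name, a header value), so decoding them would let a scanned site inject markup into the report.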
Hi, shouldn't the report endpoint rather go into routes/api.php behind the usertoken middleware? Then we could take the token out of the actual URL. Or have I misunderstood the use case?
There seems to be no way to ask for a resend of the activation mail. (Could be an SPA issue as well)
Background: I tested the password reset functionality with an account I (accidentally) did not activate.
I could reset the password, but I could not log in as I didn't activate the account.
As I also "lost" my activation mail, there is no way for me to reactivate the account.
Proposals:
According to the changes with SIWECOS/HSHS-DOMXSS-Scanner#40 the test names changed as follows:
HAS_SOURCES
to SOURCES
HAS_SINKS
to SINKS
There are two new placeholders:
Placeholder | Message |
---|---|
GENERAL | |
NO_CONTENT | The site was empty and there was nothing to scan for. |
NO_SCRIPT_TAGS | The scanner found no script tags to rate. |
Please include them in the language files so that SIWECOS/HSHS-DOMXSS-Scanner#40 can go to staging/production.
See also #2.
it would be best that a free scan:
There should be scan result mails (initial, under 50%, etc.)
See also #20
Display HTML file as a link @webapp
At the moment it is only checked whether a user is registered:
siwecos-business-layer/app/Http/Requests/GenerateReportRequest.php
Lines 15 to 24 in d82fe2a
It is possible for a user to request a report of another user, of another domain, without being authorized to do so.
Therefore necessary:
A check whether the scan actually belongs to a domain that belongs to the respective user.
Problem: not testable, see #83
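The ownership check described above, as an added example written for this page (not the project's request class): a report may be generated only if the scan belongs to a domain that the requesting user owns and has verified. The in-memory arrays stand in for the scans and domains tables, and their column names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not SIWECOS code. Authorization check for report generation:
// the requesting user must own the (verified) domain the scan belongs to.
// The in-memory tables stand in for the BLA's scan and domain models; the
// column names are assumptions.

final class ReportAuthorizer
{
    /** @var array<int, array{domain_id: int}> */
    private array $scans;
    /** @var array<int, array{user_id: int, verified: bool}> */
    private array $domains;

    public function __construct(array $scans, array $domains)
    {
        $this->scans = $scans;
        $this->domains = $domains;
    }

    /**
     * Deny for "scan does not exist", "domain does not exist", "domain belongs
     * to someone else" and "domain not verified" alike, so the response does
     * not reveal which scan ids exist.
     */
    public function mayGenerateReport(int $userId, int $scanId): bool
    {
        $scan = $this->scans[$scanId] ?? null;
        if ($scan === null) {
            return false;
        }
        $domain = $this->domains[$scan['domain_id']] ?? null;
        if ($domain === null) {
            return false;
        }
        return $domain['user_id'] === $userId && $domain['verified'] === true;
    }
}

// Constructed sample data: user 1 owns domains 10 (verified) and 30 (not yet
// verified), user 2 owns domain 20.
$auth = new ReportAuthorizer(
    [100 => ['domain_id' => 10], 200 => ['domain_id' => 20], 300 => ['domain_id' => 30]],
    [
        10 => ['user_id' => 1, 'verified' => true],
        20 => ['user_id' => 2, 'verified' => true],
        30 => ['user_id' => 1, 'verified' => false],
    ]
);

var_dump($auth->mayGenerateReport(1, 100)); // true:  own verified domain
var_dump($auth->mayGenerateReport(1, 200)); // false: another user's scan (a registered-only check lets this through)
var_dump($auth->mayGenerateReport(1, 300)); // false: own but unverified domain
var_dump($auth->mayGenerateReport(1, 999)); // false: unknown scan, same answer as "not yours"
```

In a Laravel form request this is the value `authorize()` should return; because it needs the scan id from the request and the user from the token, the check lives naturally there rather than in the controller, and it can be unit tested by constructing the authorizer with fixture arrays as above without a database.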
Caused by my work at SIWECOS/HSHS-DOMXSS-Scanner#24 two new placeholders are included in the readme:

Placeholder | Message
---|---
GENERAL |
HEADER_ENCODING_ERROR | The header is not correctly encoded.
HEADER_NAME | (Only set with HEADER_ENCODING_ERROR) [The header name.]
Please include them in the language files.
How can we troubleshoot the reason for
"Fehler beim Starten des Scans, bitte versuchen Sie es später erneut" ("Error starting the scan, please try again later"),
which appears from time to time when trying to start a new scan?
When clicking the button to start a new scan, the network analyzer in FF shows a 403 Forbidden:

```http
Date: Mon, 12 Mar 2018 08:10:54 GMT
Server: Apache
Cache-Control: no-cache, private
Access-Control-Allow-Origin: https://staging2.siwecos.de
Vary: Origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Keep-Alive: timeout=15, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json
Content-Language: en
```
I clicked on
https://bla.staging2.siwecos.de/api/v1/users/activate/4t4DsmAjcwZpmZrKOyz71tY9Gt4MmtelYPA97gI738Zxk3dcjv39qvZ2hUorE00FU68JSC5zm6V5L48r2wBfHAz94k5FzMg1
and was presented with JSON code. Nothing else.
Tested with Thunderbird and Safari on macOS.
We already had 2 occurrences of customers having issues with the user agent string we use.
Problem is: They might not be aware that their website is blocking certain strings.
A solution could be that a user is allowed to define the user agent string he wants.
While this might not help the users at once, it could improve the situation as
a) Our support could tell them what they need to change in SIWECOS so that scanning is accepted by their website
b) The power user could define an agent string he can easily recognize in his logs in order to filter them out
Apparently there are no outgoing mails at the moment?
Please add the domain to the subject of PDF Notifications.
I already tried, but I'm missing a service to retrieve the domain when I just have the scan_id.
Additionally name the attachment according to the domain. So not "scanreport.pdf" but something like "siwecosreport %PROTOCOL% %DOMAIN% %ISODATE%.pdf" (e.g. "siwecosreport https byte5.de 2018-05-30.pdf")
Currently it's not possible to generate a PDF report.
This should be part of the SPA, as the SPA already has all the necessary parts implemented for creating nice-looking reports. After all, the current "Sicherheitsbericht" (security report) already is a report, albeit not an easily printed one and not yet complete with all the tips and details a user might require to fix his domain's issues.
OTOH, according to @SniperSister "PDFs in JS aren’t that much fun, I would prefer if we have that implemented in the BLA".
After discussion with Peter: Every account will receive up to 50 free credits per day.
So when an account has 10 validated domains, he will be down to 40 after the automatic scans. But there should be an automatism to update the credits to 50 once per day.
Question remains what to do once we allow users to pay for credits.
My proposal is:
The second adjustment is required so that the automatic, daily scans do not reduce the paid amount of credits.
It's unclear to me where this automatism has to be implemented. Currently it's said that we have an automatic scan done every night at 01:00 (but I cannot see that in the database), and maybe it's a good idea to implement the logic at the same place.
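The credit rules above, as an added example written for this page (not SIWECOS code): the free pool is reset to 50 once per day rather than accumulated, the nightly automatic scans draw only on the free pool, and paid credits are spent only by scans the user starts. The free-before-paid order for manual scans, the day-string refill and the `CreditAccount` class are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SIWECOS code. Models the credit rules from the issue: each
// account gets 50 free credits a day, automatic scans draw only on the free
// pool, paid credits are only ever spent by scans the user starts. The
// free-first order for manual scans and the day-based refill are assumptions.

final class CreditAccount
{
    public const DAILY_FREE = 50;

    private int $free;
    private int $paid;
    private string $lastRefillDay;

    public function __construct(int $paid, string $today)
    {
        $this->paid = $paid;
        $this->free = self::DAILY_FREE;
        $this->lastRefillDay = $today;
    }

    /** Resets the free pool to 50 once per calendar day; free credits do not accumulate. */
    public function refill(string $today): void
    {
        if ($today !== $this->lastRefillDay) {
            $this->free = self::DAILY_FREE;
            $this->lastRefillDay = $today;
        }
    }

    /** Nightly scan: free pool only, never the paid balance. */
    public function chargeAutomaticScan(): bool
    {
        if ($this->free > 0) {
            $this->free--;
            return true;
        }
        return false; // skip the automatic scan rather than bill the user
    }

    /** User-started scan: free credits first, then paid ones. */
    public function chargeManualScan(): bool
    {
        if ($this->chargeAutomaticScan()) {
            return true;
        }
        if ($this->paid > 0) {
            $this->paid--;
            return true;
        }
        return false;
    }

    public function free(): int { return $this->free; }
    public function paid(): int { return $this->paid; }
}

// Constructed walk-through: 10 validated domains, 5 paid credits
$acct = new CreditAccount(5, '2018-05-30');
for ($i = 0; $i < 10; $i++) {
    $acct->chargeAutomaticScan();
}
printf("after nightly scans: free=%d paid=%d\n", $acct->free(), $acct->paid());   // free=40 paid=5

for ($i = 0; $i < 45; $i++) {           // the user starts 45 scans by hand
    $acct->chargeManualScan();
}
printf("after 45 manual scans: free=%d paid=%d\n", $acct->free(), $acct->paid()); // free=0 paid=0

$acct->refill('2018-05-31');
printf("next day: free=%d paid=%d\n", $acct->free(), $acct->paid());              // free=50 paid=0
```

Keeping the two pools as separate columns, rather than one balance that a nightly job tops up, is what makes "automatic scans never touch paid credits" enforceable by construction instead of by arithmetic in the scheduler.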
The tests are missing placeholder values.
Additionally we are missing a means to provide them.
I already tried to insert into siwecos.php (as a test):

```php
'CT_META_TAG_SET_CORRECT' => 'alles roger',
```

to no avail. Still CT_META_TAG_SET_CORRECT appears in the output.
Probably related to SIWECOS/siwecos-core-api#162 and the cause of SIWECOS/webapp#9
Try this:
That call is used for the seal. Unfortunately you'll get the result from the freescan as the domainscan first checks https and only http if https was not found.
This could lead to support calls when we are live. So domainscan should only return results for registered, validated domains.
According to https://en.wikipedia.org/wiki/Gettext#Implementations it should be possible to use gettext files (.mo) in PHP.
As I already implemented a script for converting our current translations directory into a .pot file, which we will use for translations, it might be a good thing to make use of them in BLA as well. Please check whether or not this is feasible.
Please note that, due to the fact that some "msgid"s (i.e. untranslated texts) are identical for different contexts, I used the placeholder as the message context (msgctxt). This might be an issue.
It also might be an issue that the …_SOLUTION_TIPS placeholders should be able to contain wikitext links.
If it's not feasible, we will have to create a script to convert .po files into siwecos.php files.
Please provide a README that fits the project.
Migration for the user database
Check the flags in report processing
We are especially interested in placeholders for the user's name, salutation and email address.
But every other placeholder which can be used would be good to know as well.