Fix authorization and input validation of HTTP headers

pablosnt · Jan 4, 2025 · 422cd9a · 422cd9a
1 parent b1de195
commit 422cd9a
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 6 deletions.
diff --git a/src/backend/security/authorization/roles.py b/src/backend/security/authorization/roles.py
@@ -239,7 +239,7 @@ class Role(models.TextChoices):
         "delete": [Role.ADMIN, Role.AUDITOR, Role.READER],
     },
     "httpheader": {
-        "view": [Role.ADMIN, Role.AUDITOR],
+        "view": [Role.ADMIN, Role.AUDITOR, Role.READER],
         "add": [Role.ADMIN, Role.AUDITOR],
         "change": [Role.ADMIN, Role.AUDITOR],
         "delete": [Role.ADMIN, Role.AUDITOR],

diff --git a/src/backend/security/validators/input_validator.py b/src/backend/security/validators/input_validator.py
@@ -21,7 +21,7 @@ class Regex(Enum):
     PATH_WITH_QUERYPARAMS = r"[\w\.\-_/\\#?&%$]{0,500}"
     CVE = r"CVE-\d{4}-\d{1,7}"
     SECRET = r"[\w\s\./\-=\+,:<>¿?¡!#&$()@%\[\]\{\}\*]{1,500}"
-    INJECTION = r"[;\"&</>$]+"
+    INJECTION = r"[;\"'&<>$]+"
 
 
 class Validator(RegexValidator):

diff --git a/src/frontend/components/http-header/form.vue b/src/frontend/components/http-header/form.vue
@@ -14,6 +14,7 @@
               (k) => !!k || 'Header key is required',
               (k) => validate.name.test(k.trim()) || 'Header key is invalid',
             ]"
+            :readonly="autz.isAuditor()"
             @update:model-value="disabled = false"
           />
         </v-col>
@@ -28,11 +29,13 @@
               (v) => !!v || 'Header value is required',
               (v) => validate.text.test(v.trim()) || 'Header value is invalid',
             ]"
+            :readonly="autz.isAuditor()"
             @update:model-value="disabled = false"
           >
             <template #prepend>:</template>
             <template v-if="header !== null" #append>
               <BaseButton
+                v-if="autz.isAuditor()"
                 :disabled="disabled"
                 icon="mdi-tray-arrow-down"
                 icon-color="green"
@@ -41,7 +44,7 @@
                 @click="submit"
               />
               <UtilsDeleteButton
-                v-if="header !== null"
+                v-if="autz.isAuditor() && header !== null"
                 :id="header.id"
                 :api="api"
                 :text="`HTTP header '${header.key}' will be removed`"
@@ -69,7 +72,7 @@ const props = defineProps({
 });
 const emit = defineEmits(["completed", "loading"]);
 const validate = useValidation();
-
+const autz = useAutz();
 const valid = ref(true);
 const disabled = ref(props.header !== null);
 const key = ref(props.header ? props.header.key : null);

diff --git a/src/frontend/components/http-header/index.vue b/src/frontend/components/http-header/index.vue
@@ -6,7 +6,7 @@
     :add="HttpHeaderDialog"
     icon="mdi-web"
     empty-head="No HTTP Headers"
-    empty-text="Create the HTTP headers that must be sent by HTTP hacking tools"
+    empty-text="Define the HTTP headers to be sent by HTTP hacking tools"
     auditor
   >
     <template #prepend-search>

diff --git a/src/frontend/pages/projects/[project_id]/targets/[target_id]/http-headers.vue b/src/frontend/pages/projects/[project_id]/targets/[target_id]/http-headers.vue
@@ -5,7 +5,7 @@
     </TargetTabs>
   </MenuProject>
 </template>
-<!-- TODO: review the width of this kind of pages, which is different compared with other pages on the same menu -->
+
 <script setup lang="ts">
 definePageMeta({ layout: false });
 const route = useRoute();