QA testing - report inputs and username sanitization #3100

Closed · 16 tasks done
gdiazlo opened this issue Jul 15, 2022 · 5 comments

gdiazlo commented Jul 15, 2022

Target version: 4.3.6
Related issue: wazuh/wazuh-dashboard-plugins#4329
Related PR: wazuh/wazuh-dashboard-plugins#4330

Description

We need to ensure our reports functionality works as expected in the app.

Proposed checks

  • Check API Endpoints
    • Generate report - Post modules report '/reports/modules/{moduleID}'
    • Generate Reports - Post groups report '/reports/groups/{groupID}'
    • Generate Reports - Post agents report '/reports/agents/{agentsID}'
    • Generate Reports - Post agents' inventory report '/reports/agents/{agentsID}/inventory'
    • Get reports list '/reports'
    • Get a specific report '/reports/{name}'
    • Delete a specific report '/reports/{name}'
  • Upgrading the app updates the folder layouts and reports are still accessible
  • Username schema works as expected, and the backend reports invalid names appropriately
  • Old names in a migrated schema work
  • No file collision is possible for read or write

Scenarios

We need to test the following scenarios.

  • Clean install of Elastic Stack and the wazuh kibana app
  • Upgrade of an already installed wazuh kibana app on Elastic Stack
  • Clean install of wazuh-dashboard
  • Upgrade of an already installed wazuh-dashboard

Expected results

All tests passed successfully, and no new issues were found on exploratory tests.

Conclusion 🟡

New bugs have been found during testing. The bug was already present in 4.3.5, in both the Kibana app and the dashboard.

Issues Found

New Issues

@gdiazlo gdiazlo moved this to Triage in Release 4.3.6 Jul 15, 2022
@jmv74211 jmv74211 moved this from Triage to Todo in Release 4.3.6 Jul 15, 2022
@jmv74211 jmv74211 added this to the Release 4.3.6 RC-1 milestone Jul 15, 2022
@Deblintrake09 Deblintrake09 moved this from Todo to In Progress in Release 4.3.6 Jul 15, 2022
Deblintrake09 commented Jul 15, 2022

Review data

Tester: @Deblintrake
PR commit: 79661e4

Testing environment

OS: Linux
OS version: CentOS 8
Deployment: LOCAL (Vagrant)
Image/AMI: qactl/centos8
Notes:

Tested packages

wazuh-manager                        wazuh-agent                                     Kibana-app
4.3.5 - Installed from Quickstart    rpm agent 4.3.5, installed from documentation
4.3.6 - Install script               --                                              4.3.6 rpm dashboard package; 4.3.6_7.17.4-1 Kibana plugin package

Status

  • In progress
  • Pending Review
  • Team leader approved
  • Manager approved

Deblintrake09 commented Jul 18, 2022

Test Results on kibana-app 4.3.5

Generate Reports - Post agents report /reports/agents/{agentsID} 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post agents' inventory report /reports/agents/{agentsID}/inventory 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post modules report /reports/modules/{moduleID} 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post groups report /reports/groups/{groupID} 🟡
  1. Create a group and assign agents to it
    (screenshot)

  2. Generate report from the web application
    (screenshot)

  3. Generate report hitting the API endpoint with Postman

  • Generate reports with both components 🔴
    (screenshot)

  • Generate reports with agent information only
    (screenshot)

  • Generate reports with configuration information only 🔴
    (screenshot)

  • Generate reports with no component information
    (screenshot)

Note: An issue has been opened regarding this error. Issue wazuh/wazuh-dashboard-plugins#4348

Get a user's reports list /reports 🟢
  1. View from the web application 🟢
    (screenshot)

  2. View reports from the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls ./data/wazuh/downloads/reports/elastic/
    wazuh-agent-001-configuration-1658262786.pdf        wazuh-group-TestGroup-configuration-nodata.pdf
    wazuh-agent-001-syscollector-1658263085.pdf         wazuh-group-TestGroup-only-agent-postman.pdf
    wazuh-agent-001-syscollector-postman.pdf            wazuh-overview-general-1658263226.pdf
    wazuh-group-TestGroup-configuration-1658263389.pdf  wazuh-overview-general-postman.pdf

Get (Download) a specific report /reports/{name} 🟢
  1. Download report from the web application 🟢
    (screenshot)

  2. Download report hitting the API endpoint with Postman 🟢
    (screenshot)

Delete reports /reports/{name} 🟢
  1. Delete report from the web application 🟢
    (screenshot)
    (screenshot)

  2. Delete report hitting the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls ./data/wazuh/downloads/reports/elastic/
    wazuh-agent-001-configuration-1658262786.pdf    wazuh-group-TestGroup-only-agent-postman.pdf
    wazuh-agent-001-syscollector-1658263085.pdf     wazuh-overview-general-1658263226.pdf
    wazuh-group-TestGroup-configuration-nodata.pdf

File collision is possible for read or write - Error reproduced 🔴
  1. Hit the reports endpoint with an invalid username, to read data from another folder

    # curl -k https://localhost/reports/..%2f..%2f..%2fconfig%2Fwazuh.yml -u admin:<UserPassword>
    ---
    #
    # Wazuh dashboard - App configuration file
    # Copyright (C) 2015-2022 Wazuh, Inc.
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2 of the License, or
    # (at your option) any later version.
    #
    # Find more information about this on the LICENSE file.
    #
    # ======================== Wazuh dashboard configuration file ========================
    #
    # Please check the documentation for more information on configuration options:
    # https://documentation.wazuh.com/current/installation-guide/index.html
    #
    # Also, you can check our repository:
    # https://github.com/wazuh/wazuh-kibana-app
    #
    # ------------------------------- Disable roles -------------------------------
    .
    .
    .

  2. Hit another endpoint to check results

    # curl -k https://localhost/reports/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd -u admin:<UserPassword>
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync

  3. Hit the endpoint from the API with Postman to get the file
    (screenshot)
    • Saving the response to a file and opening it as plain text
      (screenshot)

File collision is possible for read or write between users - Error reproduced 🔴
  1. Create new user ElasticTest

  2. Create reports for user ElasticTest
    (screenshot)

  3. Check the ElasticTest reports folder and that it shows only that user's reports

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/ElasticTest/
    wazuh-agent-001-configuration-1658265346.pdf  wazuh-group-TestGroup-configuration-1658265405.pdf
    wazuh-agent-001-syscollector-1658265355.pdf   wazuh-overview-general-1658265389.pdf

  4. Check that ElasticTest's reports are not present in elastic's reports folder

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/elastic/
    wazuh-agent-001-configuration-1658262786.pdf    wazuh-group-TestGroup-only-agent-postman.pdf
    wazuh-agent-001-syscollector-1658263085.pdf     wazuh-overview-general-1658263226.pdf
    wazuh-group-TestGroup-configuration-nodata.pdf

  5. Hit the endpoint from the API with Postman - Try to read one agent's folder from the other agent (read ElasticTest's files with elastic's credentials) 🔴
    (screenshot)

  6. Hit the endpoint from the API with Postman - Try to create a report inside a folder different from the one of the credentials used (write ElasticTest's files with elastic's credentials) 🔴
    (screenshot)


Update 4.3.5 to 4.3.6 Kibana app

Upgrade to 4.3.6 and validate reports are still accessible 🟢
  1. Upgrade Dashboard and restart

    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-4.3.6_7.17.4-1.zip
    Attempting to transfer from https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-4.3.6_7.17.4-1.zip
    Transferring 30300850 bytes....................
    Transfer complete
    Retrieving metadata from plugin archive
    Extracting plugin archive
    Extraction complete
    Plugin wazuh already exists, please remove before installing a new version
    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin remove wazuh
    Removing wazuh...
    Plugin removal complete

    # sudo -u kibana /usr/share/kibana/bin/kibana-plugin install https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-4.3.6_7.17.4-1.zip
    Found previous install attempt. Deleting...
    Attempting to transfer from https://packages-dev.wazuh.com/pre-release/ui/kibana/wazuh_kibana-4.3.6_7.17.4-1.zip
    Transferring 30300850 bytes....................
    Transfer complete
    Retrieving metadata from plugin archive
    Extracting plugin archive
    Extraction complete
    Plugin installation complete

    # systemctl restart kibana
    # systemctl status kibana
    ● kibana.service - Kibana
    Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
    Active: active (running) since Tue 2022-07-19 21:28:29 UTC; 26s ago
      Docs: https://www.elastic.co
    Main PID: 6830 (node)

  2. Check reports for the elastic and ElasticTest users

    # ls ./data/wazuh/downloads/reports/
    7f11438eba47bcaa7c48d3c2fd2ce460  e16ddaf4f91df524b27bf4f2e4b1ac09

    # ls ./data/wazuh/downloads/reports/e16ddaf4f91df524b27bf4f2e4b1ac09/    (elastic)
    wazuh-agent-001-configuration-1658262786.pdf    wazuh-group-TestGroup-only-agent-postman.pdf
    wazuh-agent-001-syscollector-1658263085.pdf     wazuh-overview-general-1658263226.pdf
    wazuh-group-TestGroup-configuration-nodata.pdf

    # ls ./data/wazuh/downloads/reports/7f11438eba47bcaa7c48d3c2fd2ce460/    (ElasticTest)
    wazuh-agent-001-configuration-1658265346.pdf  wazuh-group-TestGroup-configuration-1658265405.pdf
    wazuh-agent-001-syscollector-1658265355.pdf   wazuh-overview-general-1658265389.pdf

File collision is not possible for read or write - Error does not reproduce 🟢
  1. Hit the reports endpoint with an invalid username, to read data from another folder

    # curl -k https://localhost/reports/..%2f..%2f..%2fconfig%2Fwazuh.yml -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  2. Hit another endpoint to check results

    # curl -k https://localhost/reports/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  3. Hit the endpoint with Postman to try to get files from the other agent's reports folder
    (screenshot)
    (screenshot)

  4. Hit the endpoint from the API with Postman - Try to create a report inside a folder different from the one of the credentials used (write ElasticTest's files with elastic's credentials) 🟢
    (screenshot)

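The behaviour reported above for 4.3.5 versus 4.3.6 comes down to two things: the `{name}` path parameter reaching the file handler already percent-decoded (so `..%2f` becomes `../`), and the per-user directory being named after the raw username. The following is an added example, written for this thread and not code from wazuh-dashboard-plugins, that models the 4.3.6 checks the tester verified: the report-name allow-list behind the 400 above, a per-user directory keyed by a hash of the username, a resolved-path containment check as defence in depth, and a pure migration plan matching the before/after directory listings (raw names such as `elastic/` becoming 32-hex-character names). MD5 is an assumption: the page shows hex digests of that length and `21232f297a57a5a743894a0e4a801fc3` is the MD5 of `admin`, but the plugin's exact scheme is not stated here. The payload list is taken from the curl steps in the thread plus one constructed double-encoded variant.

```python
"""Report-name and per-user directory checks modelled on the 4.3.6 behaviour in
this thread. Added example; not the wazuh-dashboard-plugins implementation."""
import hashlib
import re
from pathlib import Path
from urllib.parse import unquote

# Allow-list from the 4.3.6 error message ("A-z, 0-9, _, ., and -", ending in
# .pdf), written as explicit classes: a literal A-z range in a regex would also
# admit [ \ ] ^ _ ` (ASCII 91-96). Harmless for traversal, but not intended.
REPORT_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+\.pdf$")

# Exact message 4.3.6 returns with HTTP 400 in the curl steps above.
NAME_ERROR = ("[request params.name]: must be A-z, 0-9, _, ., and - are allowed. "
              "It must end with .pdf.")

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def valid_report_name(name: str) -> bool:
    """True only for names with no path separator, no '%' and a .pdf suffix."""
    return REPORT_NAME_RE.match(name) is not None


def username_digest(username: str) -> str:
    """Hash a username into a filesystem-safe directory name.

    Assumption: MD5, which matches the admin directory shown after the upgrade
    (md5("admin") = 21232f297a57a5a743894a0e4a801fc3). The raw username never
    reaches the filesystem, so a user called "../../../../../../../../etc/passwd"
    still gets a plain 32-hex-character directory under the reports root.
    """
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def user_reports_dir(reports_root, username: str) -> Path:
    """Per-user reports directory: <reports_root>/<digest of username>."""
    return Path(reports_root) / username_digest(username)


def resolve_report_path(reports_root, username: str, raw_name: str) -> Path:
    """Map a {name} path parameter to a file inside the caller's own directory.

    raw_name is taken as the server received it. The HTTP layer has already
    percent-decoded it, which is why "..%2f" reached the 4.3.5 handler as "../";
    unquote() reproduces that step for the encoded payloads below.
    Raises ValueError with the 4.3.6 message for anything outside the allow-list.
    """
    name = unquote(raw_name)
    if not valid_report_name(name):
        raise ValueError(NAME_ERROR)
    user_dir = user_reports_dir(reports_root, username).resolve()
    target = (user_dir / name).resolve()
    # Defence in depth: even if the allow-list were loosened later, never serve
    # a file whose resolved path is not strictly inside the user's directory.
    if user_dir not in target.parents:
        raise ValueError("report path escapes the user's reports directory")
    return target


def migration_plan(existing_dirs) -> dict:
    """Old layout -> new layout rename map for an upgrade.

    Directories still named after a raw username are mapped to their digest;
    directories that already look like a digest are left alone, so the plan is
    safe to apply twice. Assumed shape of the upgrade, based on the listings
    before and after it in this thread.
    """
    return {d: username_digest(d) for d in existing_dirs if not HEX32.match(d)}


# Payloads from the curl steps in this thread, plus one constructed
# double-encoded variant that a single decode turns back into "..%2f".
TRAVERSAL_PAYLOADS = [
    "..%2f..%2f..%2fconfig%2Fwazuh.yml",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd",
    "../../../../../../../../etc/passwd",
    "..%252f..%252fetc%252fpasswd",
]


def check_payloads(reports_root, username: str) -> dict:
    """Run every payload through resolve_report_path; map payload -> outcome."""
    outcome = {}
    for payload in TRAVERSAL_PAYLOADS:
        try:
            resolve_report_path(reports_root, username, payload)
            outcome[payload] = "ALLOWED"
        except ValueError as err:
            outcome[payload] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    root = "/usr/share/wazuh-dashboard/data/wazuh/downloads/reports"
    for user in ("admin", "../../../../../../../../etc/passwd"):
        print(f"{user!r:45} -> {user_reports_dir(root, user)}")
    for payload, result in check_payloads(root, "admin").items():
        print(f"{payload:55} {result}")
    print(migration_plan(["elastic", "ElasticTest", "21232f297a57a5a743894a0e4a801fc3"]))
    print(resolve_report_path(root, "admin", "wazuh-agent-inventory-001-1658234445.pdf"))
```

The containment check is the part worth keeping even when the regex already rejects every separator: it makes the security property ("a user can only ever read or write under their own digest directory") hold independently of how the name filter evolves, which is exactly the cross-user read and write case the tester exercised with Postman.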
Deblintrake09 commented Jul 19, 2022

Clean Install of 4.3.6 Kibana plugin

Generate Reports - Post agents report /reports/agents/{agentsID} 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post agents' inventory report /reports/agents/{agentsID}/inventory 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post modules report /reports/modules/{moduleID} 🟢
  1. Generate reports using the web application button - Check that reports have been generated
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post groups report /reports/groups/{groupID} 🟢
  1. Create a group and assign agents to it
    (screenshot)

  2. Generate report from the web application
    (screenshot)

  3. Generate report hitting the API endpoint with Postman

  • Generate reports with no components
    (screenshot)

  • Generate reports with agent information
    (screenshot)

  • Generate reports with configuration information
    (screenshot)

  • Generate reports with configuration and agent information
    (screenshot)

Get a user's reports list /reports 🟢
  1. View from the web application 🟢
    (screenshot)

  2. View reports from the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls ./data/wazuh/downloads/reports/81aecac270f7c064181374fcca5267a2/
    wazuh-agent-configuration-001-1658249978.pdf
    wazuh-agent-configuration-001-1658250091.pdf
    wazuh-agent-inventory-001-1658250196.pdf
    wazuh-agent-inventory-001-1658250234.pdf
    wazuh-group-configuration-TestGroup-1658250435.pdf
    wazuh-group-configuration-TestGroup-1658250521.pdf
    wazuh-group-configuration-TestGroup-1658250574.pdf
    wazuh-group-configuration-TestGroup-1658250593.pdf
    wazuh-module-overview-general-1658250304.pdf
    wazuh-module-overview-general-1658250338.pdf

Get (Download) a specific report /reports/{name} 🟢
  1. Download report from the web application 🟢
    (screenshot)

  2. Download report hitting the API endpoint with Postman 🟢
    (screenshot)

Delete reports /reports/{name} 🟢
  1. Delete report from the web application 🟢
    (screenshot)
    (screenshot)

  2. Delete report hitting the API endpoint with Postman 🟢
    (screenshot)

  3. Check the user's reports folder

    # ls ./data/wazuh/downloads/reports/81aecac270f7c064181374fcca5267a2/
    wazuh-agent-configuration-001-1658249978.pdf
    wazuh-agent-configuration-001-1658250091.pdf
    wazuh-agent-inventory-001-1658250196.pdf
    wazuh-agent-inventory-001-1658250234.pdf
    wazuh-group-configuration-TestGroup-1658250435.pdf
    wazuh-group-configuration-TestGroup-1658250521.pdf
    wazuh-module-overview-general-1658250304.pdf
    wazuh-module-overview-general-1658250338.pdf

File collision is not possible for read or write - Error does not reproduce 🟢
  1. Hit the reports endpoint with an invalid username, to read data from another folder

    # curl -k https://localhost/reports/..%2f..%2f..%2fconfig%2Fwazuh.yml -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  2. Hit another endpoint to check results

    # curl -k https://localhost/reports/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  3. Hit the endpoint from the API with Postman to write into the folder
    (screenshot)

File collision is not possible for read or write between users - Error does not reproduce 🟢
  1. Create new user ../../../../../../../../etc/passwd

  2. Create reports for user ../../../../../../../../etc/passwd
    (screenshot)

  3. Generate reports for the default elastic user
    (screenshot)

  4. Check the elastic user's reports folder and that it shows only that user's reports

    # ls ./data/wazuh/downloads/reports/e16ddaf4f91df524b27bf4f2e4b1ac09/
    wazuh-agent-configuration-001-1658254455.pdf  wazuh-module-agents-001-general-1658231175.pdf
    wazuh-agent-inventory-001-1658231211.pdf      wazuh-module-agents-001-general-1658254473.pdf

  5. Check that the ../../../../../../../../etc/passwd user's reports are not present in admin's reports folder

    # ls ./data/wazuh/downloads/reports/81aecac270f7c064181374fcca5267a2/
    wazuh-agent-configuration-001-1658249978.pdf
    wazuh-agent-inventory-001-1658250196.pdf
    wazuh-group-configuration-TestGroup-1658250593.pdf
    wazuh-agent-configuration-001-1658250091.pdf
    wazuh-agent-inventory-001-1658250234.pdf
    wazuh-module-overview-general-1658250304.pdf
    wazuh-agent-configuration-001-1658250145.pdf
    wazuh-group-configuration-TestGroup-1658250574.pdf
    wazuh-module-overview-general-1658250338.pdf

  6. Hit the endpoint from the API with Postman - Try to write into one agent's folder from the other agent
    (screenshot)


Deblintrake09 commented Jul 19, 2022

Clean Dashboard v4.3.6 install

Generate Reports - Post agents report /reports/agents/{agentsID} 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post agents' inventory report /reports/agents/{agentsID}/inventory 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post modules report /reports/modules/{moduleID} 🟢
  1. Generate reports using the web application button - Check that reports have been generated
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post groups report /reports/groups/{groupID} 🟡
  1. Create a group and assign agents to it
    (screenshot)

  2. Generate report from the web application
    (screenshot)

  3. Generate report hitting the API endpoint with Postman 🟡

  • Generate reports with no components
    (screenshot)

  • Generate reports with agent information
    (screenshot)

  • Generate reports with no configuration information 🔴
    (screenshot)

Note: An issue has been opened regarding this error. Issue wazuh/wazuh-dashboard-plugins#4348

Get a user's reports list /reports 🟢
  1. View from the web application 🟢
    (screenshot)

  2. View reports from the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/21232f297a57a5a743894a0e4a801fc3/
    wazuh-agent-inventory-001-1658234445.pdf
    wazuh-module-agents-001-general-1658234370.pdf
    wazuh-group-configuration-TestGroup1-1658235205.pdf

Get (Download) a specific report /reports/{name} 🟢
  1. Download report from the web application 🟢
    (screenshot)

  2. Download report hitting the API endpoint with Postman 🟢
    (screenshot)

Delete reports /reports/{name} 🟢
  1. Delete report from the web application 🟢
    (screenshot)

  2. Delete report hitting the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/21232f297a57a5a743894a0e4a801fc3/
    wazuh-agent-inventory-001-1658234445.pdf

File collision is not possible for read or write - Error does not reproduce 🟢
  1. Hit the reports endpoint with an invalid username, to read data from another folder

    # curl -k https://localhost/reports/..%2f..%2f..%2fconfig%2Fwazuh.yml -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  2. Hit another endpoint to check results

    # curl -k https://localhost/reports/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  3. Hit the endpoint from the API with Postman to write into the folder
    (screenshot)
    (screenshot)

File collision is not possible for read or write between users - Error does not reproduce 🟢
  1. Create new user ../../../../../../../../etc/passwd

  2. Create reports for user ../../../../../../../../etc/passwd
    (screenshot)

  3. Check the user's reports folder and that it shows only that user's reports

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/81aecac270f7c064181374fcca5267a2/
    wazuh-agent-inventory-001-1658247006.pdf             wazuh-module-agents-001-general-1658246994.pdf
    wazuh-group-configuration-TestGroup1-1658247020.pdf  wazuh-module-overview-general-1658246979.pdf

  4. Check that the ../../../../../../../../etc/passwd user's reports are not present in admin's reports folder

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/21232f297a57a5a743894a0e4a801fc3/
    wazuh-agent-inventory-001-1658234445.pdf  wazuh-group-configuration-TestGroup-1658241177.pdf
    wazuh-agent-inventory-001-1658240271.pdf  wazuh-group-configuration-TestGroup-1658241236.pdf

  5. Hit the endpoint from the API with Postman - Try to write into one agent's folder from the other agent
    (screenshot)


Deblintrake09 commented Jul 19, 2022

Tests on Dashboard v4.3.5 install

Generate Reports - Post agents report /reports/agents/{agentsID} 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post agents' inventory report /reports/agents/{agentsID}/inventory 🟢
  1. Generate reports using the web application button
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post modules report /reports/modules/{moduleID} 🟢
  1. Generate reports using the web application button - Check that reports have been generated
    (screenshot)

  2. Generate report from the API endpoint with Postman
    (screenshot)

Generate Reports - Post groups report /reports/groups/{groupID} 🟢
  1. Create a group and assign agents to it
    (screenshot)

  2. Generate report from the web application
    (screenshot)

  3. Generate report hitting the API endpoint with Postman

  • Generate reports with both components
    (screenshot)

  • Generate reports with agent information only
    (screenshot)

  • Generate reports with configuration information only
    (screenshot)

  • Generate reports with no component information
    (screenshot)

Get a user's reports list /reports 🟢
  1. View from the web application 🟢
    (screenshot)

  2. View reports from the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/admin/
    wazuh-agent-001-configuration-1658255962.pdf
    wazuh-agent-001-configuration-1658256051.pdf
    wazuh-agent-001-syscollector-1658256292.pdf
    wazuh-group-TestGroup-configuration-1658256954.pdf
    wazuh-group-TestGroup-configuration-postman.pdf
    wazuh-overview-general-1658256490.pdf
    wazuh-overview-general-1658256831.pdf

Get (Download) a specific report /reports/{name} 🟢
  1. Download report from the web application 🟢
    (screenshot)

  2. Download report hitting the API endpoint with Postman 🟢
    (screenshot)

Delete reports /reports/{name} 🟢
  1. Delete report from the web application 🟢
    (screenshot)
    (screenshot)

  2. Delete report hitting the API endpoint with Postman 🟢
    (screenshot)

  3. Check the reports folder location

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/admin/
    wazuh-agent-001-configuration-1658255962.pdf
    wazuh-agent-001-configuration-1658256051.pdf
    wazuh-agent-001-syscollector-1658256292.pdf
    wazuh-group-TestGroup-configuration-1658256954.pdf
    wazuh-overview-general-1658256490.pdf

File collision is possible for read or write - Error reproduced 🔴
  1. Hit the reports endpoint with an invalid username, to read data from another folder

    # curl -k https://localhost/reports/..%2f..%2f..%2fconfig%2Fwazuh.yml -u admin:<UserPassword>
    ---
    #
    # Wazuh dashboard - App configuration file
    # Copyright (C) 2015-2022 Wazuh, Inc.
    #
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; either version 2 of the License, or
    # (at your option) any later version.
    #
    # Find more information about this on the LICENSE file.
    #
    # ======================== Wazuh dashboard configuration file ========================
    #
    # Please check the documentation for more information on configuration options:
    # https://documentation.wazuh.com/current/installation-guide/index.html
    #
    # Also, you can check our repository:
    # https://github.com/wazuh/wazuh-kibana-app
    #
    # ------------------------------- Disable roles -------------------------------
    .
    .
    .

  2. Hit another endpoint to check results

    # curl -k https://localhost/reports/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd -u admin:<UserPassword>
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync

  3. Hit the endpoint from the API with Postman to get the file
    (screenshot)
    • Saving the response to a file and opening it as plain text
      (screenshot)

File collision is possible for read or write between users - Error reproduced 🔴
  1. Create new user TestUser1

  2. Create reports for user TestUser1
    (screenshot)

  3. Check the TestUser1 reports folder and that it shows only that user's reports

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/TestUser1/
    wazuh-agent-001-configuration-1658259456.pdf
    wazuh-agent-001-general-1658260354.pdf
    wazuh-agent-001-syscollector-1658259446.pdf
    wazuh-overview-general-1658260339.pdf

  4. Check that TestUser1's reports are not present in admin's reports folder

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/admin/
    wazuh-agent-001-configuration-1658255962.pdf  wazuh-group-TestGroup-configuration-1658256954.pdf
    wazuh-agent-001-configuration-1658256051.pdf  wazuh-overview-general-1658256490.pdf
    wazuh-agent-001-syscollector-1658256292.pdf

  5. Hit the endpoint from the API with Postman - Try to read one agent's folder from the other agent (read TestUser1's files with admin's credentials) 🔴
    (screenshot)

  6. Hit the endpoint from the API with Postman - Try to create a report inside a folder different from the one of the credentials used (write ElasticTest's files with elastic's credentials) 🔴
    (screenshot)


Update 4.3.5 Dashboard to 4.3.6 🟢

Upgrade to 4.3.6 and validate reports are still accessible 🟢
  1. Upgrade Dashboard and restart

      Verifying           : wazuh-dashboard-4.3.6-1.x86_64                                                  1/2
      Verifying           : wazuh-dashboard-4.3.5-1.x86_64                                                  2/2

    Updated:
      wazuh-dashboard-4.3.6-1.x86_64

    Complete!
    # systemctl restart wazuh-dashboard
    # systemctl status wazuh-dashboard
    ● wazuh-dashboard.service - wazuh-dashboard
       Loaded: loaded (/etc/systemd/system/wazuh-dashboard.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2022-07-19 20:05:33 UTC; 1min 29s ago
     Main PID: 10204 (node)

  2. Check reports for the admin and TestUser1 users

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/
    21232f297a57a5a743894a0e4a801fc3/ d5537295be1d5a93bfe54f8992d06bda/

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/21232f297a57a5a743894a0e4a801fc3/    (admin)
    wazuh-agent-001-configuration-1658255962.pdf  wazuh-group-TestGroup-configuration-1658256954.pdf
    wazuh-agent-001-configuration-1658256051.pdf  wazuh-overview-general-1658256490.pdf
    wazuh-agent-001-syscollector-1658256292.pdf

    # ls /usr/share/wazuh-dashboard/data/wazuh/downloads/reports/d5537295be1d5a93bfe54f8992d06bda/   (TestUser1)
    wazuh-agent-001-configuration-1658259456.pdf  wazuh-agent-001-syscollector-1658259446.pdf
    wazuh-agent-001-general-1658260354.pdf        wazuh-overview-general-1658260339.pdf

File collision is not possible for read or write - Error does not reproduce 🟢
  1. Hit the reports endpoint with an invalid username, to read data from another folder

    # curl -k https://localhost/reports/..%2f..%2f..%2fconfig%2Fwazuh.yml -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  2. Hit another endpoint to check results

    # curl -k https://localhost/reports/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2Fpasswd -u admin:<UserPassword>
    {"statusCode":400,"error":"Bad Request","message":"[request params.name]: must be A-z, 0-9, _, ., and - are allowed. It must end with .pdf."}

  3. Hit the endpoint with Postman to try to get files from the other agent's reports folder
    (screenshot)
    (screenshot)

  4. Hit the endpoint with Postman to generate a report inside the other agent's reports folder
    (screenshot)

@jmv74211 jmv74211 moved this from In Progress to In Review in Release 4.3.6 Jul 20, 2022
Repository owner moved this from In Review to Done in Release 4.3.6 Jul 20, 2022