[ADD] Added user safeguard against protected fields

dfir-iris · Dec 9, 2024 · 01611e2 · 01611e2
1 parent db60762
commit 01611e2
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/source/app/datamgmt/alerts/alerts_db.py b/source/app/datamgmt/alerts/alerts_db.py
@@ -59,6 +59,17 @@
     'iocs': Ioc
 }
 
+RESTRICTED_USER_FIELDS = {
+    'password',
+    'mfa_secrets',
+    'webauthn_credentials',
+    'api_key',
+    'external_id',
+    'ctx_case',
+    'ctx_human_case',
+    'is_service_account'
+}
+
 
 def db_list_all_alerts():
     """
@@ -68,8 +79,6 @@ def db_list_all_alerts():
 
 
 def build_condition(column, operator, value):
-    # If 'column' is actually a relationship (e.g., Alert.owner),
-    # we need to find the corresponding foreign key column or raise an error.
     if hasattr(column, 'property') and hasattr(column.property, 'local_columns'):
         # It's a relationship attribute
         fk_cols = list(column.property.local_columns)
@@ -265,6 +274,11 @@ def get_filtered_alerts(
                 if relationship_name not in relationship_model_map:
                     raise ValueError(f"Unknown relationship: {relationship_name}")
 
+                if related_field_name in RESTRICTED_USER_FIELDS:
+                    app.logger.error(f"Access to the field '{related_field_name}' is restricted.")
+                    app.logger.error(f"Suspicious behavior detected for user {current_user.id} - {current_user.user}.")
+                    continue
+
                 related_model = relationship_model_map[relationship_name]
 
                 # Join the relationship if not already joined

diff --git a/source/app/static/assets/js/iris/alerts.js b/source/app/static/assets/js/iris/alerts.js
@@ -2183,6 +2183,8 @@ $(document).ready(function () {
                     { caption: '"field": "alert_resolution_id"', value: '"field": "alert_resolution_id"', meta: "field" },
                     { caption: '"operator": "in"', value: '"operator": "in"', meta: "operator" },
                     { caption: '"operator": "not_in"', value: '"operator": "not_in"', meta: "operator" },
+                    { caption: '"operator": "eq"', value: '"operator": "eq"', meta: "operator" },
+                    { caption: '"operator": "like"', value: '"operator": "like"', meta: "operator" },
                     { caption: '"value": [1]', value: '"value": [1]', meta: "value" }
                 ];