Add public_red option and enforce TLP search rules

conf/default/web.conf.default

@@ -70,6 +70,7 @@ reprocess_failed_processing = no
 url_splitter = ,
 # Limit number of files extracted from archive in demux.py
 demux_files_limit = 10
+public_searches = yes
 
 # ratelimit for anon users
 [ratelimit]
@@ -123,6 +124,8 @@ package = edge
 # TLP markings on submission and webgui
 [tlp]
 enabled = no
+# Should TLP: RED tasks be searchable by other users?
+public_red = yes
 
 #AMSI dump submission checkbox: can be useful to disable if no Win10+ instances
 #(amsidump is enabled by default in the monitor for Win10+)

lib/cuckoo/common/web_utils.py

@@ -1308,6 +1308,30 @@ def validate_task_by_path(tid):
 )
 
 
+def _build_es_user_filter(privs: bool, user_id: int):
+    user_filter = None
+    if not privs:
+        if force_bool(web_cfg.general.get("public_searches", True)):
+            if not force_bool(web_cfg.tlp.get("public_red", False)):
+                shoulds = [{"bool": {"must_not": [{"terms": {"info.tlp": ["red", "Red", "RED"]}}]}}]
+                if user_id:
+                    shoulds.append({"term": {"info.user_id": user_id}})
+                else:
+                    shoulds.append({"bool": {"must_not": {"exists": {"field": "info.user_id"}}}})
+                user_filter = {
+                    "bool": {
+                        "should": shoulds,
+                        "minimum_should_match": 1
+                    }
+                }
+        else:
+            if user_id:
+                user_filter = {"term": {"info.user_id": user_id}}
+            else:
+                user_filter = {"bool": {"must_not": {"exists": {"field": "info.user_id"}}}}
+    return user_filter
+
+
 def perform_search(
     term: str, value: str, search_limit: int = 0, user_id: int = 0, privs: bool = False, web: bool = True, projection: dict = None
 ):
@@ -1328,6 +1352,10 @@ def perform_search(
     """
     if repconf.mongodb.enabled and repconf.elasticsearchdb.enabled and essearch and not term:
         multi_match_search = {"query": {"multi_match": {"query": value, "fields": ["*"]}}}
+        if not privs:
+            user_filter = _build_es_user_filter(privs, user_id)
+            if user_filter:
+                multi_match_search = {"query": {"bool": {"must": [{"multi_match": {"query": value, "fields": ["*"]}}], "filter": [user_filter]}}}
         numhits = es.search(index=get_analysis_index(), body=multi_match_search, size=0)["hits"]["total"]
         return [
             d["_source"]
@@ -1421,9 +1449,18 @@ def perform_search(
                 {"$unwind": "$task_doc"},
                 # Stage 8: Make the task doc the new root
                 {"$replaceRoot": {"newRoot": "$task_doc"}},
-                # Stage 9: Add your custom projection
-                {"$project": projection or perform_search_filters},
             ]
+
+            if not privs:
+                if force_bool(web_cfg.general.get("public_searches", True)):
+                    if not force_bool(web_cfg.tlp.get("public_red", False)):
+                        pipeline.append({"$match": {"$or": [{"info.tlp": {"$nin": ["red", "Red", "RED"]}}, {"info.user_id": user_id}]}})
+                else:
+                    pipeline.append({"$match": {"info.user_id": user_id}})
+
+            # Stage 9: Add your custom projection
+            pipeline.append({"$project": projection or perform_search_filters})
+
             retval = list(mongo_aggregate(FILES_COLL, pipeline))
             if not retval:
                 return []
@@ -1444,6 +1481,19 @@ def perform_search(
                 projection[f"target.file.{FILE_REF_KEY}"] = 1
             if term in search_term_map_repetetive_blocks:
                 mongo_search_query = {"$or": [{path: condition} for path, condition in mongo_search_query.items()]}
+
+            if not privs:
+                if force_bool(web_cfg.general.get("public_searches", True)):
+                    if not force_bool(web_cfg.tlp.get("public_red", False)):
+                        mongo_search_query = {
+                            "$and": [
+                                mongo_search_query,
+                                {"$or": [{"info.tlp": {"$nin": ["red", "Red", "RED"]}}, {"info.user_id": user_id}]}
+                            ]
+                        }
+                else:
+                    mongo_search_query["info.user_id"] = user_id
+
             retval = list(mongo_find("analysis", mongo_search_query, projection, limit=search_limit))
 
         for doc in retval:
@@ -1453,13 +1503,20 @@ def perform_search(
         return retval
 
     if es_as_db:
-        _source_fields = list(perform_search_filters.keys())[:-1]
+        _source_fields = list((projection or perform_search_filters).keys())[:-1]
+
+        user_filter = _build_es_user_filter(privs, user_id)
+
         if isinstance(search_term_map[term], str):
             q = {"query": {"match": {search_term_map[term]: value}}}
+            if user_filter:
+                q = {"query": {"bool": {"must": [q["query"]], "filter": [user_filter]}}}
             return [d["_source"] for d in es.search(index=get_analysis_index(), body=q, _source=_source_fields)["hits"]["hits"]]
         else:
             queries = [{"match": {search_term: value}} for search_term in search_term_map[term]]
             q = {"query": {"bool": {"should": queries, "minimum_should_match": 1}}}
+            if user_filter:
+                q["query"]["bool"]["filter"] = [user_filter]
             return [d["_source"] for d in es.search(index=get_analysis_index(), body=q, _source=_source_fields)["hits"]["hits"]]