v0.9.3

* user graph on /event plot * clickable countries on svg map * improve /blacklist management * index.php in all subdirs to prevent directory listing * force utf-8 sensor input
TirrenoTechnologies · Feb 3, 2025 · 90b5806 · 90b5806
1 parent b9bfa22
commit 90b5806
Show file tree

Hide file tree

Showing 135 changed files with 504 additions and 65 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Tirreno Changelog
 
+## Tirreno v0.9.3
+
+* user graph on /event plot
+* clickable countries on svg map
+* improve /blacklist management
+* index.php in all subdirs to prevent directory listing
+* force utf-8 sensor input
+
 ## Tirreno v0.9.2
 
 * XSS vulnerability patch

diff --git a/LEGALNOTICE → LEGALNOTICE.md b/LEGALNOTICE → LEGALNOTICE.md
diff --git a/README.md b/README.md
@@ -63,13 +63,13 @@ The idea for Tirreno arose from a challenge: an online platform was in need of a
 
 While building Tirreno, we concentrated on **privacy**, **trust**, and true **sovereignty**. As a result, we have built Tirreno in a secure and independent manner. The application does not have a long list of development dependencies, nor does it rely on heavy frameworks. This approach minimizes the potential attack surface.
 
-### Why the name Tirreno?
+### Why the name tirreno?
 
 History suggests that the Tyrrhenian people may have lived in Tuscany and eastern Switzerland as far back as 800 BC. The term "Tyrrhenian” became more commonly associated with the Etruscans, and it is from them that the Tyrrhenian Sea derives its name — a name still in use today. This name is believed to be an exonym, possibly meaning “tower”.
 
 While working on the logo, we conducted our own historical study and traced mentions of 'tirreno' back to the 15th-century printed edition of the Vulgate (the Latin Bible). We kept it lowercase to stay true to the original — quite literally, by the book.
 
-The tirreno wordmark, positioned beyond a horizon line, as a metaphor for the constant evolution of the cybersecurity landscape and our commitment to staying ahead of these never-ending changes.
+The tirreno wordmark, positioned beyond a horizon line, as a metaphor for the constant evolution of the fraud landscape and our commitment to staying ahead of change.
 
 ## Links
 

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,15 +1,7 @@
-Release song: https://youtu.be/8hYgxwmHbxA
+Release song: https://youtu.be/bcxnbfRYM-g
 
-Important security update: tirreno v0.9.2.
+Tirreno is announcing version v0.9.3.
 
-Today, we received a report from IT security expert Sandro Bauer regarding
-an XSS vulnerability in Tirreno. After receiving the report, we confirmed
-receipt and immediately reproduced the problem, developing a patch the same
-day. Briefly, the XSS vulnerability potentially allows attackers to post
-malicious scripts by sending them through a payload. However, it's important
-to clarify that the Tirreno platform does not directly receive user event data,
-as it must come from the main web application, which we expect to be trustworthy.
-Another aspect that makes it difficult to exploit this vulnerability is the
-truncation of all data displayed in the dashboard.
-
-The Tirreno team highly appreciates Sandro's report and help in maintaining Tirreno's application security.
+This update improves visualization of the 'events' graph by introducing user correlation vs.
+events for the selected time period, makes countries on maps clickable, improves sensor
+security by enforcing UTF-8 encoding, and includes some minor fixes.
diff --git a/app/Controllers/Admin/Api/index.php b/app/Controllers/Admin/Api/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Blacklist/index.php b/app/Controllers/Admin/Blacklist/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Bot/index.php b/app/Controllers/Admin/Bot/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Bots/index.php b/app/Controllers/Admin/Bots/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Context/index.php b/app/Controllers/Admin/Context/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Countries/index.php b/app/Controllers/Admin/Countries/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Country/index.php b/app/Controllers/Admin/Country/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Data/index.php b/app/Controllers/Admin/Data/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Devices/index.php b/app/Controllers/Admin/Devices/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Domain/index.php b/app/Controllers/Admin/Domain/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Domains/index.php b/app/Controllers/Admin/Domains/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Emails/index.php b/app/Controllers/Admin/Emails/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Enrichment/index.php b/app/Controllers/Admin/Enrichment/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Events/index.php b/app/Controllers/Admin/Events/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Home/index.php b/app/Controllers/Admin/Home/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/IP/index.php b/app/Controllers/Admin/IP/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/IPs/index.php b/app/Controllers/Admin/IPs/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/ISP/index.php b/app/Controllers/Admin/ISP/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/ISPs/index.php b/app/Controllers/Admin/ISPs/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Logbook/index.php b/app/Controllers/Admin/Logbook/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/ManualCheck/index.php b/app/Controllers/Admin/ManualCheck/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Payloads/index.php b/app/Controllers/Admin/Payloads/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Phones/index.php b/app/Controllers/Admin/Phones/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Resource/index.php b/app/Controllers/Admin/Resource/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Resources/index.php b/app/Controllers/Admin/Resources/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/ReviewQueue/index.php b/app/Controllers/Admin/ReviewQueue/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Rules/index.php b/app/Controllers/Admin/Rules/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Search/index.php b/app/Controllers/Admin/Search/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Settings/index.php b/app/Controllers/Admin/Settings/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Totals/index.php b/app/Controllers/Admin/Totals/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/User/Data.php b/app/Controllers/Admin/User/Data.php
@@ -165,7 +165,7 @@ public function addToBlacklistQueue(int $accountId, bool $fraud): void {
             }
         }
 
-        if (!$apiKey->skip_blacklist_sync && !$inQueue && $fraud) {
+        if (!$inQueue && $fraud) {
             $accountOperationQueueModel->add($accountId, $apiKey->id);
         }
 

diff --git a/app/Controllers/Admin/User/index.php b/app/Controllers/Admin/User/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/UserDetails/index.php b/app/Controllers/Admin/UserDetails/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Users/index.php b/app/Controllers/Admin/Users/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/Watchlist/index.php b/app/Controllers/Admin/Watchlist/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Admin/index.php b/app/Controllers/Admin/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/Pages/index.php b/app/Controllers/Pages/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Controllers/index.php b/app/Controllers/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Crons/BlacklistQueueHandler.php b/app/Crons/BlacklistQueueHandler.php
@@ -48,9 +48,8 @@ protected function processItem(array $item): void {
 
         $model = new \Models\ApiKeys();
         $model->getKeyById($item['key']);
-        $skipBlacklistSync = $model->skip_blacklist_sync;
 
-        $errorMessage = $skipBlacklistSync ? $this->sendBlacklistReportPostRequest($creator, $hashes) : '';
+        $errorMessage = $model->skip_blacklist_sync ? $this->sendBlacklistReportPostRequest($creator, $hashes) : '';
         if (strlen($errorMessage) > 0) {
             // Log error to database
             \Utils\Logger::log('Fraud enrichment API curl error', $errorMessage);

diff --git a/app/Crons/SynchroniseBlacklist.php b/app/Crons/SynchroniseBlacklist.php
@@ -41,8 +41,15 @@ public function synchroniseBlacklist(): void {
 
                 // use different access keys for email lists grouped by apiKey
                 foreach ($groupedEmails as $key => $items) {
-                    $subscriptionKey = $model->getKeyById($key)->token;
+                    $keyModel = $model->getKeyById($key);
+                    if ($keyModel->skip_blacklist_sync) {
+                        $this->log(sprintf('Skip synchronising blacklist for key %s.', strval($key)));
+                        continue;
+                    }
+
+                    $subscriptionKey = $keyModel->token;
                     if ($subscriptionKey === null) {
+                        $this->log(sprintf('Skip synchronising blacklist for key %s due to missing subscription key.', strval($key)));
                         continue;
                     }
 

diff --git a/app/Crons/index.php b/app/Crons/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Dictionary/en/Additional/index.php b/app/Dictionary/en/Additional/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Dictionary/en/Pages/index.php b/app/Dictionary/en/Pages/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Dictionary/en/Parts/index.php b/app/Dictionary/en/Parts/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Dictionary/en/index.php b/app/Dictionary/en/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Dictionary/index.php b/app/Dictionary/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Interfaces/index.php b/app/Interfaces/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Api/index.php b/app/Models/Api/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Chart/Events.php b/app/Models/Chart/Events.php
@@ -23,15 +23,17 @@ public function getData(int $apiKey): array {
 
         $ox = array_column($data, 'ts');
         $l1 = array_column($data, 'event_count');
+        $l2 = array_column($data, 'users_count');
 
-        return $this->addEmptyDays([$ox, $l1]);
+        return $this->addEmptyDays([$ox, $l1, $l2]);
     }
 
     private function getFirstLine(int $apiKey): array {
         $query = (
             'SELECT
                 EXTRACT(EPOCH FROM date_trunc(:resolution, event.time + :offset))::bigint AS ts,
-                COUNT(event.id) AS event_count
+                COUNT(event.id) AS event_count,
+                COUNT(DISTINCT event.account) AS users_count
 
             FROM
                 event

diff --git a/app/Models/Chart/index.php b/app/Models/Chart/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Context/index.php b/app/Models/Context/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Enrichment/index.php b/app/Models/Enrichment/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Base/index.php b/app/Models/Grid/Base/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Blacklist/Grid.php b/app/Models/Grid/Blacklist/Grid.php
@@ -27,4 +27,10 @@ public function __construct(int $apiKey) {
     public function getAllBlacklistedItems(): array {
         return $this->getGrid();
     }
+
+    protected function convertTimeToUserTimezone(array &$result): void {
+        $fields = ['created'];
+
+        $this->translateTimeZones($result, $fields);
+    }
 }
diff --git a/app/Models/Grid/Blacklist/index.php b/app/Models/Grid/Blacklist/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Bots/index.php b/app/Models/Grid/Bots/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Countries/index.php b/app/Models/Grid/Countries/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Devices/index.php b/app/Models/Grid/Devices/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Domains/index.php b/app/Models/Grid/Domains/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Emails/index.php b/app/Models/Grid/Emails/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Events/index.php b/app/Models/Grid/Events/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Ips/index.php b/app/Models/Grid/Ips/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Isps/index.php b/app/Models/Grid/Isps/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Logbook/index.php b/app/Models/Grid/Logbook/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Payloads/index.php b/app/Models/Grid/Payloads/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Phones/index.php b/app/Models/Grid/Phones/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Resources/index.php b/app/Models/Grid/Resources/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/ReviewQueue/index.php b/app/Models/Grid/ReviewQueue/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/Users/index.php b/app/Models/Grid/Users/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Grid/index.php b/app/Models/Grid/index.php
@@ -0,0 +1,3 @@
+<?php
+
+//
diff --git a/app/Models/Ip.php b/app/Models/Ip.php
@@ -212,7 +212,7 @@ public function updateTotalsByEntityIds(array $ids, int $apiKey, bool $force = f
             "UPDATE event_ip
             SET
                 total_visit = COALESCE(sub.total_visit, 0),
-                shared = COALESCE(sub.shared, 0),
+                shared = COALESCE(sub.shared, 1),
                 updated = date_trunc('milliseconds', now())
             FROM (
                 SELECT
@@ -257,7 +257,7 @@ public function updateTotalsByAccountIds(array $ids, int $apiKey): int {
             "UPDATE event_ip
             SET
                 total_visit = COALESCE(sub.total_visit, 0),
-                shared = COALESCE(sub.shared, 0),
+                shared = COALESCE(sub.shared, 1),
                 updated = date_trunc('milliseconds', now())
             FROM (
                 SELECT
-Original file line number
+Diff line change
@@ Expand Up @@
                 }
             }
-            if (!$apiKey->skip_blacklist_sync && !$inQueue && $fraud) {
+            if (!$inQueue && $fraud) {
                 $accountOperationQueueModel->add($accountId, $apiKey->id);
             }
@@ Expand Down @@