security: cure53 fix (#6039)

* ATH-01-001: resolve path and check start before loading blueprints This is even less of an issue since 411ef239f6, since with that commit we only allow files that the listing returns Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: fix missing user filter for webauthn device This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it. * ATH-01-008: fix web forms not submitting correctly when pressing enter When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly This would in the worst case is when setting a user's password, where the new password can end up in the URL, but the password was not actually saved to the user. * ATH-01-004: remove env from admin system endpoint this endpoint already required admin access, but for debugging the env variables are used very little Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-005: use hmac.compare_digest for secret_key authentication Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-009: migrate impersonation to use API Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-010: rework Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-014: save authenticator validation state in flow context Signed-off-by: Jens Langhammer <jens@goauthentik.io> bugfixes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * ATH-01-012: escape quotation marks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add website Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update release ntoes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update with all notes Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix format Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-06-22 22:25:04 +02:00
parent f099bd764e
commit b0fbd576fc
39 changed files with 505 additions and 329 deletions
--- a/web/src/elements/forms/Form.ts
+++ b/web/src/elements/forms/Form.ts
@ -283,9 +283,23 @@ export abstract class Form<T> extends AKElement {
    }

    renderForm(): TemplateResult {
+        const inline = this.renderInlineForm();
+        if (inline) {
+            return html`<form class="pf-c-form pf-m-horizontal" @submit=${this.submit}>
+                ${inline}
+            </form>`;
+        }
        return html`<slot></slot>`;
    }

+    /**
+     * Inline form render callback when inheriting this class, should be overwritten
+     * instead of `this.renderForm`
+     */
+    renderInlineForm(): TemplateResult | undefined {
+        return undefined;
+    }
+
    renderNonFieldErrors(): TemplateResult {
        if (!this.nonFieldErrors) {
            return html``;