cisagov#758; Work in Progress for google threat intelligence

mmguero · mmguero · commit 9eb37ffebe12 · 2025-09-11T16:40:02.000Z
diff --git a/dashboards/scripts/index-refresh.py b/dashboards/scripts/index-refresh.py
@@ -403,9 +403,9 @@ def main():
                         'urlTemplate'
                     ] = f'{args.netboxUrl}/search/?q={{{{value}}}}&obj_types=dcim.site&lookup=iexact'
 
-                # TODO: this doesn't actually work, because it has to be relative to the dashboards app...
-                # elif field['name'].endswith('.reference'):
-                #     fieldFormatInfo['params']['urlTemplate'] = '{{value}}'
+                elif field['name'].endswith('.reference'):
+                    # TODO: this doesn't actually work, because it has to be relative to the dashboards app...
+                    fieldFormatInfo['params']['urlTemplate'] = '/refred/{{value}}'
 
                 elif field['name'] == 'zeek.files.extracted_uri':
                     fieldFormatInfo['params']['urlTemplate'] = '/{{value}}'
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -159,7 +159,6 @@ http {
       include /etc/nginx/nginx_proxy_forward_headers.conf;
     }
 
-
     # extracted file download
     location ~* ^/extracted-files\b(.*) {
       include /etc/nginx/nginx_auth_rt.conf;
@@ -232,6 +231,61 @@ http {
       include /etc/nginx/nginx_proxy_forward_headers.conf;
     }
 
+    # references (like from virustotal, etc.) to redirect to external site
+    #   (because Dashboards is prepending its own prefix, we have to handle it)
+    location /dashboards/app/refred/ {
+      content_by_lua_block {
+        local ngx = ngx
+
+        -- Get everything after the prefix
+        local raw_url = ngx.var.uri:sub(#"/dashboards/app/refred/" + 1)
+
+        -- Decode any URL-encoded characters
+        local decoded_url = ngx.unescape_uri(raw_url)
+
+        -- Fix missing slash after http:/ or https:/ (if nginx collapsed it)
+        decoded_url = decoded_url:gsub("^(https?:)/([^/])", "%1//%2")
+
+        -- Append the original query string if present
+        if ngx.var.args and #ngx.var.args > 0 then
+            if decoded_url:find("?", 1, true) then
+                decoded_url = decoded_url .. "&" .. ngx.var.args
+            else
+                decoded_url = decoded_url .. "?" .. ngx.var.args
+            end
+        end
+
+        -- Safety check: only allow http or https
+        if not decoded_url:match("^https?://") then
+            ngx.status = ngx.HTTP_BAD_REQUEST
+            ngx.say("Invalid URL: " .. decoded_url)
+            return ngx.exit(ngx.HTTP_BAD_REQUEST)
+        end
+
+        -- Serve a small HTML page with JS confirmation for external redirect
+        ngx.header.content_type = "text/html"
+        ngx.say([[
+            <!DOCTYPE html>
+            <html>
+            <head>
+                <meta charset="UTF-8">
+                <title>Redirecting...</title>
+            </head>
+            <body>
+                <script>
+                    if (confirm("You are being redirected to an external site. Continue?")) {
+                        window.location.href = "]] .. decoded_url .. [[";
+                    } else {
+                        window.history.back();
+                    }
+                </script>
+                <p><a href="]] .. decoded_url .. [[">Click here</a> to be redirected to <br>]] .. decoded_url .. [[</p>
+            </body>
+            </html>
+        ]])
+      }
+    }
+
     # OpenSearch dashboards (or Kibana)
     location /dashboards {
       include /etc/nginx/nginx_dashboards_rewrite_rt.conf;
diff --git a/nginx/nginx_readonly.conf b/nginx/nginx_readonly.conf
@@ -216,6 +216,61 @@ http {
       include /etc/nginx/nginx_proxy_forward_headers.conf;
     }
 
+    # references (like from virustotal, etc.) to redirect to external site
+    #   (because Dashboards is prepending its own prefix, we have to handle it)
+    location /dashboards/app/refred/ {
+      content_by_lua_block {
+        local ngx = ngx
+
+        -- Get everything after the prefix
+        local raw_url = ngx.var.uri:sub(#"/dashboards/app/refred/" + 1)
+
+        -- Decode any URL-encoded characters
+        local decoded_url = ngx.unescape_uri(raw_url)
+
+        -- Fix missing slash after http:/ or https:/ (if nginx collapsed it)
+        decoded_url = decoded_url:gsub("^(https?:)/([^/])", "%1//%2")
+
+        -- Append the original query string if present
+        if ngx.var.args and #ngx.var.args > 0 then
+            if decoded_url:find("?", 1, true) then
+                decoded_url = decoded_url .. "&" .. ngx.var.args
+            else
+                decoded_url = decoded_url .. "?" .. ngx.var.args
+            end
+        end
+
+        -- Safety check: only allow http or https
+        if not decoded_url:match("^https?://") then
+            ngx.status = ngx.HTTP_BAD_REQUEST
+            ngx.say("Invalid URL: " .. decoded_url)
+            return ngx.exit(ngx.HTTP_BAD_REQUEST)
+        end
+
+        -- Serve a small HTML page with JS confirmation for external redirect
+        ngx.header.content_type = "text/html"
+        ngx.say([[
+            <!DOCTYPE html>
+            <html>
+            <head>
+                <meta charset="UTF-8">
+                <title>Redirecting...</title>
+            </head>
+            <body>
+                <script>
+                    if (confirm("You are being redirected to an external site. Continue?")) {
+                        window.location.href = "]] .. decoded_url .. [[";
+                    } else {
+                        window.history.back();
+                    }
+                </script>
+                <p><a href="]] .. decoded_url .. [[">Click here</a> to be redirected to <br>]] .. decoded_url .. [[</p>
+            </body>
+            </html>
+        ]])
+      }
+    }
+
     # OpenSearch dashboards (or Kibana)
     location /dashboards {
       include /etc/nginx/nginx_dashboards_rewrite_rt.conf;
