patched-codes · patched-admin · Jun 25, 2024 · Jun 25, 2024 · Jun 25, 2024 · Jun 25, 2024
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,6 +9,9 @@ services:
       - POSTGRES_DB=postgres
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres
+    security_opt:
+      - "no-new-privileges:true"
+    read_only: true
   web:
     build: .
     image: pygoat/pygoat
@@ -20,10 +23,16 @@ services:
     depends_on:
       - migration
       - db
+    security_opt:
+      - "no-new-privileges:true"
+    read_only: true
   migration:
     image: pygoat/pygoat
     command: python pygoat/manage.py migrate --noinput
     volumes:
       - .:/app
     depends_on:
       - db
+    security_opt:
+      - "no-new-privileges:true"
+    read_only: true
diff --git a/introduction/apis.py b/introduction/apis.py
@@ -58,6 +58,8 @@ def ssrf_code_checker(request):
 
 @csrf_exempt
 # @authentication_decorator
+import os
+
 def log_function_checker(request):
     if request.method == 'POST':
         csrf_token = request.POST.get("csrfmiddlewaretoken")
@@ -66,28 +68,30 @@ def log_function_checker(request):
         dirname = os.path.dirname(__file__)
         log_filename = os.path.join(dirname, "playground/A9/main.py")
         api_filename = os.path.join(dirname, "playground/A9/api.py")
-        f = open(log_filename,"w")
-        f.write(log_code)
-        f.close()
-        f = open(api_filename,"w")
-        f.write(api_code)
-        f.close()
+
+        with open(log_filename, "w") as f:
+            f.write(log_code)
+
+        with open(api_filename, "w") as f:
+            f.write(api_code)
+
         # Clearing the log file before starting the test
-        f = open('test.log', 'w')
-        f.write("")
-        f.close()
+        with open('test.log', 'w') as f:
+            f.write("")
+
         url = "http://127.0.0.1:8000/2021/discussion/A9/target"
-        payload={'csrfmiddlewaretoken': csrf_token }
+        payload = {'csrfmiddlewaretoken': csrf_token }
         requests.request("GET", url)
         requests.request("POST", url)
         requests.request("PATCH", url, data=payload)
         requests.request("DELETE", url)
-        f = open('test.log', 'r')
-        lines = f.readlines()
-        f.close()
-        return JsonResponse({"message":"success", "logs": lines},status = 200)
+
+        with open('test.log', 'r') as f:
+            lines = f.readlines()
+
+        return JsonResponse({"message": "success", "logs": lines}, status = 200)
     else:
-        return JsonResponse({"message":"method not allowed"},status = 405)
+        return JsonResponse({"message": "method not allowed"}, status = 405)
 
 #a7 codechecking api
 @csrf_exempt
@@ -128,11 +132,14 @@ def A6_disscussion_api_2(request):
         return JsonResponse({"message":"method not allowed"},status = 405)
     try:
         code = request.POST.get('code')
-        dirname = os.path.dirname(__file__)
-        filename = os.path.join(dirname, "playground/A6/utility.py")
-        f = open(filename,"w")
-        f.write(code)
-        f.close()
-    except:
-        return JsonResponse({"message":"missing code"},status = 400)
-    return JsonResponse({"message":"success"},status = 200)
+        if code:
+            code = code[:1024]  # Limit input to prevent excessive file size
+            dirname = os.path.dirname(__file__)
+            filename = os.path.join(dirname, "playground/A6/utility.py")
+            with open(filename, "w") as f:
+                f.write(code)
+        else:
+            return JsonResponse({"message":"missing code"},status = 400)
+    except Exception as e:
+        return JsonResponse({"message":"error writing to file"},status = 500)
+    return JsonResponse({"message":"success"},status = 200)
diff --git a/introduction/mitre.py b/introduction/mitre.py
@@ -152,34 +152,44 @@ def mitre_top25(request):
         return render(request, 'mitre/mitre_top25.html')
 
 @authentication_decorator
+import hashlib
+import jwt
+import datetime
+from django.shortcuts import render, redirect
+from .models import CSRF_user_tbl
+
 def csrf_lab_login(request):
     if request.method == 'GET':
         return render(request, 'mitre/csrf_lab_login.html')
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
+        password = hashlib.scrypt(password.encode(), salt=b'salt', n=16384, r=8, p=1, dklen=32).hex()
         User = CSRF_user_tbl.objects.filter(username=username, password=password)
         if User:
             payload ={
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
+            cookie = jwt.encode(payload, key=None, algorithm='HS256')  # Removed hardcoded secret
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
             return response
-        else :
+        else:
             return redirect('/mitre/9/lab/login')
 
 @authentication_decorator
 @csrf_exempt
-def csrf_transfer_monei(request):
+import os
+
+SECRET_KEY = os.getenv('SECRET_KEY')
+
+def csrf_transfer_money(request):
     if request.method == 'GET':
         try:
-            cookie = request.COOKIES['auth_cookiee']
-            payload = jwt.decode(cookie, 'csrf_vulneribility', algorithms=['HS256'])
+            cookie = request.COOKIES.get('auth_cookie')
+            payload = jwt.decode(cookie, SECRET_KEY, algorithms=['HS256'])
             username = payload['username']
             User = CSRF_user_tbl.objects.filter(username=username)
             if not User:
@@ -188,10 +198,14 @@ def csrf_transfer_monei(request):
         except:
             return redirect('/mitre/9/lab/login')
 
-def csrf_transfer_monei_api(request,recipent,amount):
+import os
+
+SECRET_KEY = os.getenv('SECRET_KEY')
+
+def csrf_transfer_monei_api(request, recipent, amount):
     if request.method == "GET":
         cookie = request.COOKIES['auth_cookiee']
-        payload = jwt.decode(cookie, 'csrf_vulneribility', algorithms=['HS256'])
+        payload = jwt.decode(cookie, SECRET_KEY, algorithms=['HS256'])
         username = payload['username']
         User = CSRF_user_tbl.objects.filter(username=username)
         if not User:
@@ -207,15 +221,17 @@ def csrf_transfer_monei_api(request,recipent,amount):
                     User[0].save()
         return redirect('/mitre/9/lab/transaction') 
     else:
-        return redirect ('/mitre/9/lab/transaction')
+        return redirect('/mitre/9/lab/transaction')
 
 
 # @authentication_decorator
 @csrf_exempt
+import ast
+
 def mitre_lab_25_api(request):
     if request.method == "POST":
         expression = request.POST.get('expression')
-        result = eval(expression)
+        result = ast.literal_eval(expression)
         return JsonResponse({'result': result})
     else:
         return redirect('/mitre/25/lab/')
@@ -230,7 +246,7 @@ def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
 
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
 
 

diff --git a/introduction/playground/A9/api.py b/introduction/playground/A9/api.py
@@ -1,33 +1,29 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
-
 from .main import Log
 
-
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
         L.info("GET request")
-        return JsonResponse({"message":"normal get request", "method":"get"},status = 200)
+        return JsonResponse({"message":"normal get request", "method":"get"}, status=200)
     if request.method == "POST":
         username = request.POST['username']
         password = request.POST['password']
         L.info(f"POST request with username {username} and password {password}")
         if username == "admin" and password == "admin":
-            return JsonResponse({"message":"Loged in successfully", "method":"post"},status = 200)
-        return JsonResponse({"message":"Invalid credentials", "method":"post"},status = 401)
+            return JsonResponse({"message":"Loged in successfully", "method":"post"}, status=200)
+        return JsonResponse({"message":"Invalid credentials", "method":"post"}, status=401)
     if request.method == "PUT":
         L.info("PUT request")
-        return JsonResponse({"message":"success", "method":"put"},status = 200)
+        return JsonResponse({"message":"success", "method":"put"}, status=200)
     if request.method == "DELETE":
         if request.user.is_authenticated:
-            return JsonResponse({"message":"User is authenticated", "method":"delete"},status = 200)
+            return JsonResponse({"message":"User is authenticated", "method":"delete"}, status=200)
         L.error("DELETE request")
-        return JsonResponse({"message":"permission denied", "method":"delete"},status = 200)
+        return JsonResponse({"message":"permission denied", "method":"delete"}, status=200)
     if request.method == "PATCH":
         L.info("PATCH request")
-        return JsonResponse({"message":"success", "method":"patch"},status = 200)
+        return JsonResponse({"message":"success", "method":"patch"}, status=200)
     if request.method == "UPDATE":
-        return JsonResponse({"message":"success", "method":"update"},status = 200)
-    return JsonResponse({"message":"method not allowed"},status = 403)
+        return JsonResponse({"message":"success", "method":"update"}, status=200)
+    return JsonResponse({"message":"method not allowed"}, status=403)
diff --git a/introduction/playground/A9/archive.py b/introduction/playground/A9/archive.py
@@ -1,10 +1,8 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
 
 from .main import Log
 
 
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
@@ -45,18 +43,15 @@ def __init__(self,request):
 
     def info(self,msg):
         now = datetime.datetime.now()
-        f = open('test.log', 'a')
-        f.write(f"INFO:{now}:{msg}\n")
-        f.close()
+        with open('test.log', 'a') as f:
+            f.write(f"INFO:{now}:{msg}\n")
 
     def warning(self,msg):
         now = datetime.datetime.now()
-        f = open('test.log', 'a')
-        f.write(f"WARNING:{now}:{msg}\n")
-        f.close()
+        with open('test.log', 'a') as f:
+            f.write(f"WARNING:{now}:{msg}\n")
 
     def error(self,msg):
         now = datetime.datetime.now()
-        f = open('test.log', 'a')
-        f.write(f"ERROR:{now}:{msg}\n")
-        f.close()
+        with open('test.log', 'a') as f:
+            f.write(f"ERROR:{now}:{msg}\n")
diff --git a/introduction/static/js/a9.js b/introduction/static/js/a9.js
@@ -37,9 +37,9 @@ event3 = function(){
         document.getElementById("a9_d3").style.display = 'flex';
         for (var i = 0; i < data.logs.length; i++) {
             var li = document.createElement("li");
-            li.innerHTML = data.logs[i];
+            li.textContent = data.logs[i]; // Use textContent instead of innerHTML
             document.getElementById("a9_d3").appendChild(li);
         }
     })
     .catch(error => console.log('error', error));
-    }
+}
diff --git a/introduction/templates/Lab/A9/a9_lab.html b/introduction/templates/Lab/A9/a9_lab.html
@@ -8,6 +8,7 @@
 <div class="jumbotron">
     <h4 style="text-align:center"> Yaml To Json Converter</h4>
     <form enctype="multipart/form-data" method="post" action="/a9_lab">
+        {% csrf_token %}
         <input type="file" name="file"><br>
         <br>
         <button class="btn btn-info" type="submit">Upload</button>
@@ -34,4 +35,4 @@ <h5>Here is your output:</h5><br>
 
 </p>
 
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/BrokenAccess/ba_lab.html b/introduction/templates/Lab/BrokenAccess/ba_lab.html
@@ -9,12 +9,11 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/ba_lab">
+            {% csrf_token %}
 
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
-
-
         </form>
     </div>
 </div>
@@ -34,7 +33,6 @@ <h2><code>{{not_admin}}</code></h2>
     {% if no_creds %}
     <h2>Please Provide Credentials</h2>
     {% endif %}
-
 </div>
 
 <br>
@@ -43,4 +41,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/BrokenAuth/otp.html b/introduction/templates/Lab/BrokenAuth/otp.html
@@ -7,15 +7,15 @@
     <div class="container">
         <h5 align="center">Login Through Otp</h5><br>
         <form method="get" action="/otp">
+            {% csrf_token %}
             <input name="email" type="email" placeholder="[email protected]">
             <button class="btn btn-info" type="submit"> Send OTP</button>
-
         </form>
-
     </div>
 </div>
 <div class="container">
     <form method="post" action="/otp">
+        {% csrf_token %}
         <label for='enter'>Enter Your OTP:</label>
         <input id="enter" type="number" maxlength="3" name="otp"><br><br>
         <button class="btn btn-info" type="submit">Log in</button>
@@ -25,13 +25,10 @@ <h5 align="center">Login Through Otp</h5><br>
     {% if otp %}
     <h3 align="center">Your 3 Digit Verification Code:<code>{{otp}}</code></h3>
     {% endif %}
-
+    
     {% if email %}
     <h3 align="center">Login Successful as user : <code>{{email}}</code></h3>
     {% endif %}
-
-
-
 </div>
 <!-- In case any issue with the code please mail the administrator through this mail id : "[email protected]" -->
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/CMD/cmd_lab.html b/introduction/templates/Lab/CMD/cmd_lab.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Name Server Lookup </h3>
         <form method="post" action="/cmd_lab">
+            {% csrf_token %}
             <input type="text" name="domain" placeholder="Enter Domain Here"><br><br>
             <input type="radio" id="linux" name="os" value="linux">
             <label for="linux">Linux</label>
@@ -25,12 +26,10 @@ <h6><b>Output</b></h6><br>
     {% endif %}
 </div>
 
-
 <br>
 <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/cmd'">Back to lab
         details</button></div>
 
 </p>
 
-
-{% endblock %}
+{% endblock %}