flow test #29

Open
wants to merge 1 commit into
base: main
from
2 changes: 1 addition & 1 deletion application/views/userController.py
Expand Up @@ -6,7 +6,7 @@
import smtplib
import pyotp
import pickle, base64

# usercontroller test
import sqlparse
from email.mime.multipart import MIMEMultipart
from passeo import passeo
Expand All @@ -19,13 +19,13 @@
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.clickjacking import xframe_options_exempt
import mimetypes

from application.models import User, Blabber
from application.forms import RegisterForm


# Get logger
logger = logging.getLogger("VeraDemo:userController")

Check warning on line 28 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

from application.models import User, Blabber from application.forms import RegisterForm +from html import escape # Get logger
image_dir = os.path.join(os.path.dirname(__file__), '../../resources/images')

# xframe_options_exempt makes this function unprotected from clickjacking
Expand Down Expand Up @@ -105,14 +105,14 @@
and password='" + hashlib.md5(password.encode('utf-8')).hexdigest() + "';"
logger.info(sqlQuery)

parsed = sqlparse.parse(sqlQuery)[0]
logger.info("Attempted login with username and password: " + parsed[8].value)

cursor.execute(sqlQuery)
# END VULN CODE
# GOOD CODE
# sqlQuery = "select username, password, password_hint, created_at, last_login, \
# real_name, blab_name from users where username=:username and password=:password;"

Check warning on line 115 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

parsed = sqlparse.parse(sqlQuery)[0] logger.info("Attempted login with username and password: " + parsed[8].value) - cursor.execute(sqlQuery) + cursor.execute("%s", (username,)) # END VULN CODE # GOOD CODE # sqlQuery = "select username, password, password_hint, created_at, last_login, \

# logger.info(sqlQuery, {"username": username, "password": hashlib.md5(password.encode('utf-8')).hexdigest()})
# cursor.execute(sqlQuery, {"username": username, "password": hashlib.md5(password.encode('utf-8')).hexdigest()})
Expand All @@ -132,15 +132,15 @@
currentUser = User(username=row["username"],
password_hint=row["password_hint"], created_at=row["created_at"],
last_login=row["last_login"], real_name=row["real_name"],
blab_name=row["blab_name"])
response = updateInResponse(currentUser, response)

update = "UPDATE users SET last_login=datetime('now') WHERE username='" + row['username'] + "';"
cursor.execute(update)

# if the username ends with "totp", add the TOTP login step
if username[-4:].lower() == "totp":
logger.info("User " + username + " has TOTP enabled")

Check warning on line 143 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

blab_name=row["blab_name"]) response = updateInResponse(currentUser, response) - update = "UPDATE users SET last_login=datetime('now') WHERE username='" + row['username'] + "';" - cursor.execute(update) + update = "UPDATE users SET last_login=datetime('now') WHERE username=%s;" + cursor.execute(update, (username, )) # if the username ends with "totp", add the TOTP login step if username[-4:].lower() == "totp":
request.session['totp_username'] = row['username']
response = redirect('totp')
else:
Expand Down Expand Up @@ -178,29 +178,29 @@

logger.info("Entering password-hint with username: " + username)

try:
logger.info("Creating the Database connection")
with connection.cursor() as cursor:
sql = "SELECT password_hint FROM users WHERE username = '" + username + "'"
logger.info(sql)
cursor.execute(sql)
row = cursor.fetchone()

if (row):
password = row[0]

Check warning on line 190 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

try: logger.info("Creating the Database connection") with connection.cursor() as cursor: - sql = "SELECT password_hint FROM users WHERE username = '" + username + "'" + sql = "SELECT password_hint FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) row = cursor.fetchone() if (row):

logger.info(f"Password: {password}")

formatString = "Username '" + username + "' has password: {}"
hint = formatString.format(password[:2] + ("*" * (len(password) - 2)))
logger.info(hint)
return HttpResponse(hint)
else:
return HttpResponse("No password found for " + username)
except DatabaseError as db_err:
logger.error("Database error", db_err)
return HttpResponse("ERROR!")
except Exception as e:

Check warning on line 203 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

formatString = "Username '" + username + "' has password: {}" hint = formatString.format(password[:2] + ("*" * (len(password) - 2))) logger.info(hint) - return HttpResponse(hint) + return HttpResponse(escape(hint)) else: - return HttpResponse("No password found for " + username) + return HttpResponse(escape("No password found for " + username)) except DatabaseError as db_err: logger.error("Database error", db_err) return HttpResponse("ERROR!")
logger.error("Unexpected error", e)

return HttpResponse("ERROR!")
Expand All @@ -219,16 +219,16 @@
# lookup the TOTP secret
# really here to display back to the user (it's a hack for a demo app ;) )
try:
#Create db connection
with connection.cursor() as cursor:

sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'"
logger.info(sql)
cursor.execute(sql)

result = cursor.fetchone()
if result:
totpSecret = result[0]

Check warning on line 231 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

#Create db connection with connection.cursor() as cursor: - sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) result = cursor.fetchone() if result:
logger.info("Found TOTP secret")
request.totpSecret = totpSecret
else:
Expand All @@ -253,16 +253,16 @@

# lookup the TOTP secret
try:

with connection.cursor() as cursor:

sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'"
logger.info(sql)
cursor.execute(sql)

result = cursor.fetchone()
if result:
columns = [col[0] for col in cursor.description]

Check warning on line 265 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

with connection.cursor() as cursor: - sql = "SELECT totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username,)) result = cursor.fetchone() if result:
result = dict(zip(columns, result))
totpSecret = result["totp_secret"]
logger.info("Found TOTP secret")
Expand Down Expand Up @@ -335,15 +335,15 @@
return render(request, 'app/register.html')

# Get the Database Connection
logger.info("Creating the Database connection")
try:
with connection.cursor() as cursor:
sqlQuery = "SELECT username FROM users WHERE username = '" + username + "'"
cursor.execute(sqlQuery)
row = cursor.fetchone()
if (row):
request.error = "Username '" + username + "' already exists!"
return render(request, 'app/register.html')

Check warning on line 346 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

logger.info("Creating the Database connection") try: with connection.cursor() as cursor: - sqlQuery = "SELECT username FROM users WHERE username = '" + username + "'" - cursor.execute(sqlQuery) + sqlQuery = "SELECT username FROM users WHERE username = %s" + cursor.execute(sqlQuery, (username,)) row = cursor.fetchone() if (row): request.error = "Username '" + username + "' already exists!"
else:
rand_pass = passeo().generate(10, numbers=True, symbols=True)
sk = SigningKey.generate()
Expand Down Expand Up @@ -414,14 +414,14 @@
query += ("'" + pyotp.random_base32() + "',")
query += ("datetime('now'),")
query += ("'" + realName + "',")
query += ("'" + blabName + "'")
query += (");")
#execute query
cursor.execute(query)
sqlStatement = cursor.fetchone() #<- variable for response
logger.info(query)
# END EXAMPLE VULNERABILITY
except IntegrityError as ie:

Check warning on line 424 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

query += ("'" + blabName + "'") query += (");") #execute query - cursor.execute(query) + cursor.execute("%s", (password,)) sqlStatement = cursor.fetchone() #<- variable for response logger.info(query) # END EXAMPLE VULNERABILITY
logger.error("Integrity error", ie)
return render(request, 'app/register.html')
except ValueError as ve:
Expand Down Expand Up @@ -488,14 +488,14 @@
try:

logger.info("Getting Database connection")
with connection.cursor() as cursor:
# Find the Blabbers that this user listens to
logger.info(sqlMyHecklers)
cursor.execute(sqlMyHecklers % username)
myHecklersResults = cursor.fetchall()
hecklers=[]
for i in myHecklersResults:

Check warning on line 498 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

with connection.cursor() as cursor: # Find the Blabbers that this user listens to logger.info(sqlMyHecklers) - cursor.execute(sqlMyHecklers % username) + cursor.execute(sqlMyHecklers, (username,)) myHecklersResults = cursor.fetchall() hecklers=[] for i in myHecklersResults:
heckler = Blabber()
heckler.setUsername(i[0])
heckler.setBlabName(i[1])
Expand All @@ -505,26 +505,26 @@


# Get the audit trail for this user
events = []

# START EXAMPLE VULNERABILITY
sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; "
logger.info(sqlMyEvents)
cursor.execute(sqlMyEvents)
userHistoryResult = cursor.fetchall()
# END EXAMPLE VULNERABILITY

for result in userHistoryResult :

Check warning on line 517 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

events = [] # START EXAMPLE VULNERABILITY - sqlMyEvents = "select event from users_history where blabber=\"" + username + "\" ORDER BY eventid DESC; " - logger.info(sqlMyEvents) - cursor.execute(sqlMyEvents) + sqlMyEvents = "select event from users_history where blabber=%s ORDER BY eventid DESC; " + logger.info(sqlMyEvents, (username,)) + cursor.execute(sqlMyEvents, (username,)) userHistoryResult = cursor.fetchall() # END EXAMPLE VULNERABILITY
events.append(result[0])

# Get the users information
sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = '" + username + "'"
logger.info(sql)
cursor.execute(sql)
myInfoResults = cursor.fetchone()
if not myInfoResults:
return JsonResponse({'message':'Error, no Inforesults found'})
# Send these values to our View

Check warning on line 527 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

events.append(result[0]) # Get the users information - sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = '" + username + "'" + sql = "SELECT username, real_name, blab_name, totp_secret FROM users WHERE username = %s" logger.info(sql) - cursor.execute(sql) + cursor.execute(sql, (username, )) myInfoResults = cursor.fetchone() if not myInfoResults: return JsonResponse({'message':'Error, no Inforesults found'})
columns = [col[0] for col in cursor.description]
myInfoResults = dict(zip(columns, myInfoResults))
request.hecklers = hecklers
Expand Down Expand Up @@ -554,14 +554,14 @@
username = request.POST.get('username')
file = request.FILES.get('file')
#TODO: Experiment with safe=False on JsonResponse, send in non-dict objects for serialization
# Initial response only get returns if everything else succeeds.
# This must be here in order to use set_cookie later in the program
msg = f"<script>alert('Successfully changed values!\\nusername: {username.lower()}\\nReal Name: {realName}\\nBlab Name: {blabName}');</script>"
response = JsonResponse({'values':{"username": username.lower(), "realName": realName, "blabName": blabName}, 'message':msg},status=200)

logger.info("entering processProfile")
sessionUsername = request.session.get('username')

Check warning on line 564 in application/views/userController.py


GitHub Actions / Veracode Fix suggestions

Securityy findings

# Initial response only get returns if everything else succeeds. # This must be here in order to use set_cookie later in the program msg = f"<script>alert('Successfully changed values!\\nusername: {username.lower()}\\nReal Name: {realName}\\nBlab Name: {blabName}');</script>" - response = JsonResponse({'values':{"username": username.lower(), "realName": realName, "blabName": blabName}, 'message':msg},status=200) + response = JsonResponse({'values':escape({"username": username.lower(), "realName": realName, "blabName": blabName}),'message':msg}, status=200) logger.info("entering processProfile") sessionUsername = request.session.get('username')
# Ensure user is logged in
if not sessionUsername:
logger.info("User is not Logged In = redirecting...")
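Review bot: The `except DatabaseError as db_err:` handler in the password-hint view calls `logger.error("Database error", db_err)`, which hands the exception to the logging module as a %-argument for a message with no placeholder; the record's format step fails, logging prints `--- Logging error ---` to stderr, and the actual database error never reaches the log. The same pattern is at `logger.error("Unexpected error", e)` just below and at `logger.error("Integrity error", ie)` in the register view. Replace each with `logger.exception("Database error")` (or `logger.error("Database error: %s", db_err)`) so the message and traceback are recorded. In the same password-hint path, `logger.info(f"Password: {password}")` writes the value read from the `password_hint` column to the log under a misleading label; if that is deliberate for the demo a comment such as `# demo: hint is logged on purpose` would make it clear, otherwise the line should log only the username. The enclosing view functions start and end outside the displayed hunks.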