From 7d2f96c47d53bf4b72cee4014697317547d6c35f Mon Sep 17 00:00:00 2001 From: PavelLinearB Date: Tue, 9 May 2023 16:16:10 +0300 Subject: [PATCH 1/5] modified: Dockerfile modified: README.md modified: introduction/apis.py modified: introduction/mitre.py modified: introduction/static/css/dark-theme.css modified: introduction/views.py --- Dockerfile | 3 +++ README.md | 8 ++++++- introduction/apis.py | 30 +++++++++++++++++++++++--- introduction/mitre.py | 5 +++++ introduction/static/css/dark-theme.css | 6 ++++++ introduction/views.py | 4 +++- 6 files changed, 51 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index bf0a3679a..5c449c9a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,6 +21,9 @@ COPY requirements.txt requirements.txt RUN pip install --no-cache-dir -r requirements.txt +# copy project +COPY . /app/ + # install pygoat EXPOSE 8000 diff --git a/README.md b/README.md index a66cf066f..f383e0c96 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# PyGoat +# PyGoat. [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-) @@ -126,3 +126,9 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome! +blabla bla bla bla +blaaaaaa +rrrrr +dddd +eeeee +JITTTT diff --git a/introduction/apis.py b/introduction/apis.py index baa6646da..a434539e0 100644 --- a/introduction/apis.py +++ b/introduction/apis.py @@ -4,6 +4,7 @@ from introduction.playground.A9.main import Log from introduction.playground.A6.utility import check_vuln from django.contrib.auth import login,authenticate +from .utility import * from django.views.decorators.csrf import csrf_exempt import time from .views import authentication_decorator @@ -17,10 +18,33 @@ def ssrf_code_checker(request): if request.user.is_authenticated: if request.method == 'POST': + python_code = request.POST['python_code'] + html_code = request.POST['html_code'] + if not (ssrf_code_converter(python_code)): + return JsonResponse({"status": "error", "message": "Invalid code"}) + test_bench1 = ssrf_html_input_extractor(html_code) + + if (len(test_bench1) >4): + return JsonResponse({'message':'too many inputs in Html\n Try again'},status = 400) + test_bench2 = ['secret.txt'] + correct_output1 = [{"blog": "blog1-passed"}, {"blog": "blog2-passed"}, {"blog": "blog3-passed"}, {"blog": "blog4-passed"}] + outputs = [] + for inputs in test_bench1: + outputs.append(main.ssrf_lab(inputs)) + if outputs == correct_output1: + outputs = [] + else: + return JsonResponse({'message':'Testbench failed, Code is not working\n Try again'},status = 200) + + correct_output2 = [{"blog": "No blog found"}] + for inputs in test_bench2: + outputs.append(main.ssrf_lab(inputs)) + if outputs == correct_output2: + return JsonResponse({'message':'Congratulation, you have written a secure code.', 'passed':1}, status = 200) return JsonResponse({'message':'Test bench passed but the code is not secure'}, status = 200,safe = False) else: - return JsonResponse({'message':'1method not allowed'},status = 405) + return JsonResponse({'message':'method not allowed'},status = 405) else: return JsonResponse({'message':'UnAuthenticated User'},status = 401) @@ -58,7 +82,7 @@ def log_function_checker(request): f.close() return JsonResponse({"message":"success", "logs": lines},status = 200) else: - return JsonResponse({"message":"2method not allowed"},status = 405) + return JsonResponse({"message":"method not allowed"},status = 405) #a7 codechecking api @csrf_exempt @@ -96,7 +120,7 @@ def A6_disscussion_api(request): @csrf_exempt def A6_disscussion_api_2(request): if request.method != 'POST': - return JsonResponse({"message":"3method not allowed"},status = 405) + return JsonResponse({"message":"method not allowed"},status = 405) try: code = request.POST.get('code') dirname = os.path.dirname(__file__) diff --git a/introduction/mitre.py b/introduction/mitre.py index a7a5a77c9..419bfb8c9 100644 --- a/introduction/mitre.py +++ b/introduction/mitre.py @@ -210,6 +210,11 @@ def csrf_transfer_monei_api(request,recipent,amount): # @authentication_decorator @csrf_exempt def mitre_lab_25_api(request): + if request.method == "POST": + expression = request.POST.get('expression') + result = eval(expression) + return JsonResponse({'result': result}) + else: return redirect('/mitre/25/lab/') diff --git a/introduction/static/css/dark-theme.css b/introduction/static/css/dark-theme.css index cdb9a007a..417fa0360 100644 --- a/introduction/static/css/dark-theme.css +++ b/introduction/static/css/dark-theme.css @@ -406,6 +406,7 @@ h2 { padding: 17px; border-radius: 10px; text-align: center; + padding: 13% 0 0 0; } #owasp10_2017 { width: 90%; @@ -416,6 +417,7 @@ h2 { padding: 17px; border-radius: 10px; text-align: center; + padding: 13% 0 0 0; } #sidebar li ul a #owasp10_2021 { @@ -440,6 +442,7 @@ h2 { padding: 17px; border-radius: 10px; text-align: center; + padding: 13% 0 0 0; } #homeSubmenu { @@ -461,6 +464,7 @@ h2 { padding: 17px; border-radius: 10px; text-align: center; + padding: 13% 0% 0% 0%; } #challengeSubmenu { width: 95%; @@ -484,6 +488,7 @@ h2 { padding: 17px; border-radius: 10px; text-align: center; + padding: 13% 0% 0% 0%; } #mitre25 { width: 90%; @@ -494,6 +499,7 @@ h2 { padding: 17px; border-radius: 10px; text-align: center; + padding: 13% 0% 0% 0%; } #stylesheet-toggle{ diff --git a/introduction/views.py b/introduction/views.py index 081987d3a..6cdfb7baf 100644 --- a/introduction/views.py +++ b/introduction/views.py @@ -156,7 +156,9 @@ def sql_lab(request): print(sql_query) try: print("\nin try\n") - val="" + val=login.objects.raw(sql_query) + val=login.objects.raw(sql_query) + val=login.objects.raw(sql_query) except: print("\nin except\n") return render( From 51baa736a2b1709f567ae6f5573a64f3af570cbb Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Sun, 21 May 2023 14:49:07 +0300 Subject: [PATCH 2/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f383e0c96..2fb03b7bc 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# PyGoat. +# PyGoat [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-) From 6a4ff5139927f060ae628501d193840b1a24b067 Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Sun, 21 May 2023 14:59:56 +0300 Subject: [PATCH 3/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2fb03b7bc..2172993fc 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# PyGoat +# PyGoat! [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-) From 215a650ca242e8767a0ca30779cd8725630eb6cc Mon Sep 17 00:00:00 2001 From: PavelLinearB <129676672+PavelLinearB@users.noreply.github.com> Date: Sun, 21 May 2023 15:44:08 +0300 Subject: [PATCH 4/5] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2172993fc..693e9cb48 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# PyGoat! +# PyGoat! :) [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-) From 04d7ef83e5d6f440f828c604477901a744a974c9 Mon Sep 17 00:00:00 2001 From: Pavel Vaks <129676672+PavelLinearB@users.noreply.github.com> Date: Mon, 8 Jan 2024 18:15:21 +0200 Subject: [PATCH 5/5] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 693e9cb48..d61d3b269 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ # PyGoat! :) +pp [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-)