From 808960092809279070b228b7652deadda9a19e39 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 2 Aug 2024 17:15:52 +0800
Subject: [PATCH 1/4] Patched /Users/codelion/Documents/GitHub/dvpwa/sqli/dao/user.py
---
 sqli/dao/user.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sqli/dao/user.py b/sqli/dao/user.py
index c663ddc3..b8ce7b0b 100644
--- a/sqli/dao/user.py
+++ b/sqli/dao/user.py
@@ -1,4 +1,4 @@
-from hashlib import md5
+from hashlib import scrypt
 from typing import NamedTuple, Optional
 from aiopg import Connection
@@ -38,4 +38,5 @@ async def get_by_username(conn: Connection, username: str):
 return User.from_raw(await cur.fetchone())
 def check_password(self, password: str):
- return self.pwd_hash == md5(password.encode('utf-8')).hexdigest()
+ return self.pwd_hash == scrypt(password.encode('utf-8'), salt=b'some_salt', n=16384, r=8, p=1).hex()
+
From f3dd084850df301d2259a752729d310644c5dd44 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 2 Aug 2024 17:15:52 +0800
Subject: [PATCH 2/4] Patched /Users/codelion/Documents/GitHub/dvpwa/docker-compose.yml
---
 docker-compose.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 1b3e2a84..ac2333a9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,9 @@ services:
 redis:
 image: redis:alpine
+ security_opt:
+ - no-new-privileges:true
+ read_only: true
 sqli:
 build:
From a37e90865454a78a698f1a2b7e4edd3f6b915359 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 2 Aug 2024 17:15:52 +0800
Subject: [PATCH 3/4] Patched /Users/codelion/Documents/GitHub/dvpwa/sqli/static/js/materialize.js
---
 sqli/static/js/materialize.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
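Review bot: The new check_password hashes with a fixed, application-wide salt (`salt=b'some_salt'`), so every user with the same password ends up with the same pwd_hash and the salt gives no protection against precomputed tables; the salt should be generated per user with `secrets.token_bytes(16)` when the password is set, stored next to the hash, and passed here instead of the literal. The equality test should be `hmac.compare_digest(self.pwd_hash, digest)` rather than `==` so the comparison time does not depend on how many leading characters match. Rows that currently hold an md5 hexdigest will no longer verify once this lands, so a data migration or a rehash-on-login path is needed; the schema and the code that writes pwd_hash are outside this hunk, so I cannot tell whether that exists. The import hunk above is consistent with this change and needs nothing further.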
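Review bot: `read_only: true` on the redis service makes the container filesystem immutable, and the redis:alpine image presumably still writes its RDB snapshot under /data by default, so background saves will fail (and, with Redis's default stop-writes-on-bgsave-error setting, writes will be refused) unless /data is backed by a writable mount; add `tmpfs:` / `- /data` or a named volume to the service, or document that persistence is intentionally disabled. I cannot see the rest of the redis definition in this hunk, so if a volume for /data already exists this is moot. The `sqli` service that starts at the end of the hunk does not receive the same `security_opt` and `read_only` hardening; if that is deliberate because the app writes to disk, a one-line comment saying so would help the next reader.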
diff --git a/sqli/static/js/materialize.js b/sqli/static/js/materialize.js
index bbd91bea..ebf8ea4f 100644
--- a/sqli/static/js/materialize.js
+++ b/sqli/static/js/materialize.js
@@ -562,7 +562,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly
 }, addClass: function (e, t) { e.classList ? e.classList.add(t) : e.className += (e.className.length ? " " : "") + t; }, removeClass: function (e, t) {
- e.classList ? e.classList.remove(t) : e.className = e.className.toString().replace(new RegExp("(^|\\s)" + t.split(" ").join("|") + "(\\s|$)", "gi"), " ");
+ e.classList ? e.classList.remove(t) : e.className = e.className.toString().replace(/(^|\s)t(\s|$)/g, " ");
 } }, getPropertyValue: function (e, r, n, o) { function s(e, r) { function n() { 
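Review bot: The replacement regex `/(^|\s)t(\s|$)/g` matches the literal letter t, not the value of the parameter t, so the non-classList fallback of removeClass no longer removes the requested class and instead strips stray single-character "t" tokens from className. If the aim was to stop building a RegExp from an unescaped class-name string, drop the regex and filter tokens instead: `var remove = t.split(" ");` then `e.className = e.className.split(/\s+/).filter(function (c) { return c && remove.indexOf(c) === -1; }).join(" ");`. The original also used the `i` flag, so matching was case-insensitive; the token filter is case-sensitive, which is what classList.remove does in the other branch, so the two paths become consistent. This is a vendored library bundle, so the fix should be carried as a patch or made upstream rather than edited in place, or it will be lost on the next upgrade.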
@@ -642,7 +642,8 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly
 }), b.CSS.setPropertyValue(u, "position", e.position), b.CSS.setPropertyValue(u, "fontSize", e.fontSize), b.CSS.setPropertyValue(u, "boxSizing", "content-box"), f.each(["minWidth", "maxWidth", "width", "minHeight", "maxHeight", "height"], function (e, t) { b.CSS.setPropertyValue(u, t, s + "%"); }), b.CSS.setPropertyValue(u, "paddingLeft", s + "em"), l.percentToPxWidth = L.lastPercentToPxWidth = (parseFloat(S.getPropertyValue(u, "width", null, !0)) || 1) / s, l.percentToPxHeight = L.lastPercentToPxHeight = (parseFloat(S.getPropertyValue(u, "height", null, !0)) || 1) / s, l.emToPx = L.lastEmToPx = (parseFloat(S.getPropertyValue(u, "paddingLeft")) || 1) / s, e.myParent.removeChild(u);
- }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log("Unit ratios: " + JSON.stringify(l), o), l;
+ }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log(`Unit ratios: ${JSON.stringify(l)}`, o), l;
+ }if (s.begin && 0 === V) try { s.begin.call(g, g); } catch (x) { 
@@ -658,7 +659,8 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly
 } else if ("reverse" === A) { if (!i(o).tweensContainer) return void f.dequeue(o, s.queue);"none" === i(o).opts.display && (i(o).opts.display = "auto"), "hidden" === i(o).opts.visibility && (i(o).opts.visibility = "visible"), i(o).opts.loop = !1, i(o).opts.begin = null, i(o).opts.complete = null, v.easing || delete s.easing, v.duration || delete s.duration, s = f.extend({}, i(o).opts, s);var E = f.extend(!0, {}, i(o).tweensContainer);for (var H in E) { if ("element" !== H) {
- var N = E[H].startValue;E[H].startValue = E[H].currentValue = E[H].endValue, E[H].endValue = N, m.isEmptyObject(v) || (E[H].easing = s.easing), b.debug && console.log("reverse tweensContainer (" + H + "): " + JSON.stringify(E[H]), o);
+ var N = E[H].startValue;E[H].startValue = E[H].currentValue = E[H].endValue, E[H].endValue = N, m.isEmptyObject(v) || (E[H].easing = s.easing), b.debug && console.log(`reverse tweensContainer (${H}): ${JSON.stringify(E[H])}`, o);
+ } }l = E; } else if ("start" === A) { 
@@ -696,7 +698,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly
 q = M + q;break;case "-": q = M - q;break;case "*": q = M * q;break;case "/":
- q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (" + z + "): " + JSON.stringify(l[z]), o);
+ q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (%s): %s", z, JSON.stringify(l[z]), o);
 } else b.debug && console.log("Skipping [" + I + "] due to a lack of browser support."); }l.element = o; }l.element && (S.Values.addClass(o, "velocity-animating"), R.push(l), "" === s.queue && (i(o).tweensContainer = l, i(o).opts = s), i(o).isAnimating = !0, V === w - 1 ? (b.State.calls.push([R, g, s, null, k.resolver]), b.State.isTicking === !1 && (b.State.isTicking = !0, c())) : V++);
@@ -3441,7 +3443,7 @@ if (jQuery) {
 // Insert as text;
 } else {
- toast.innerHTML = this.message;
+ toast.textContent = this.message;
 }
 // Append toasft
From 9f51eeb86eaaefbedbcd1e95d03a63d0d5431481 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 2 Aug 2024 17:15:52 +0800
Subject: [PATCH 4/4] Patched /Users/codelion/Documents/GitHub/dvpwa/sqli/dao/student.py
---
 sqli/dao/student.py | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
index d41ef885..1b172ebf 100644
--- a/sqli/dao/student.py
+++ b/sqli/dao/student.py
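Review bot: The logging style is inconsistent across this file's hunks: the call here switches to printf-style `%s` substitution while the equivalent calls in the 642 and 658 hunks switch to template literals; pick one form for all three so the next reader does not wonder whether the difference is deliberate. The bare `+` lines appended in those two hunks appear to be blank lines, which add nothing to a bundled library file and only widen the diff against upstream. Since materialize.js is a vendored bundle, these cosmetic edits will be lost on the next upgrade unless they are carried as a patch.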
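Review bot: Switching to `toast.textContent` removes the HTML sink, but it also changes the library's contract: any caller that passes markup as the toast message will now see literal tags, since this `else` branch is the one strings fall into. Check the app's toast call sites before merging; if markup is genuinely needed there, build the nodes with createElement or pass an element, which the earlier branches of this function already handle. The existing `// Insert as text;` comment finally describes what the branch does, so no comment change is needed. The enclosing function starts and ends outside the hunk.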
@@ -27,10 +27,10 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 q = 'SELECT id, name FROM students'
 params = {}
 if limit is not None:
- q += ' LIMIT + %(limit)s '
+ q += ' LIMIT %(limit)s'
 params['limit'] = limit
 if offset is not None:
- q += ' OFFSET + %(offset)s '
+ q += ' OFFSET %(offset)s'
 params['offset'] = offset
 async with conn.cursor() as cur:
 await cur.execute(q, params)
@@ -39,9 +39,6 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 @staticmethod
 async def create(conn: Connection, name: str):
- q = ("INSERT INTO students (name) "
- "VALUES ('%(name)s')" % {'name': name})
+ q = "INSERT INTO students (name) VALUES (%(name)s)"
 async with conn.cursor() as cur:
- await cur.execute(q)
-
-
+ await cur.execute(q, {'name': name})
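Review bot: get_many still accepts any int for `limit` and `offset` with no bounds check, so a negative value surfaces as a database error instead of a ValueError and an arbitrarily large limit returns the whole table; if these values originate from request parameters (not visible from this hunk) validate them before the query is built, e.g. `if limit is not None and limit < 0: raise ValueError('limit must be non-negative')`, and consider a maximum page size. The bound-parameter form of the LIMIT/OFFSET clauses is correct as written. The enclosing get_many starts before the hunk.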
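Review bot: create has no docstring, and the parameterized form it now uses is exactly the kind of line a later "simplification" tends to turn back into string formatting, so state the contract explicitly: `"""Insert a student row named *name*; the value is bound as a query parameter and must never be interpolated into the SQL."""`. The method also still neither fetches nor returns the new row's id, so callers cannot identify what they created; if that is needed, a `RETURNING id` clause followed by `await cur.fetchone()` is the usual pattern with this driver.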