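def mutate(self, info, host='pastebin.com', port=443, path='/', scheme="http"):
    """Fetch a remote URL with curl and store the response as a private paste.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.
        host: Remote host name, taken from the mutation arguments.
        port: Remote port.
        path: Request path on the remote host.
        scheme: URL scheme; only ``http`` and ``https`` are accepted.

    Returns:
        ImportPaste whose ``result`` is the output of the curl command.

    Raises:
        ValueError: If ``scheme`` is neither ``http`` nor ``https``.
    """
    import shlex

    # All URL parts come from the caller. Pinning the scheme keeps the
    # argument from starting with "-" (which curl would read as an option)
    # and from selecting non-web protocol handlers.
    if str(scheme).lower() not in ('http', 'https'):
        raise ValueError(f'Unsupported URL scheme: {scheme!r}')

    url = security.strip_dangerous_characters(
        f"{scheme}://{host}:{port}{path}")

    # helpers.run_cmd is also called with a pipeline elsewhere in this file,
    # so it goes through a shell; quote the URL so it is one literal argument.
    # NOTE(review): --insecure disables TLS certificate verification, and
    # host/port are still caller-chosen, so this can reach internal services
    # unless egress is restricted or the host is checked against an allowlist.
    fetched = helpers.run_cmd(f'curl --insecure {shlex.quote(url)}')

    owner = Owner.query.filter_by(name='DVGAUser').first()
    Paste.create_paste(
        title='Imported Paste from URL - {}'.format(helpers.generate_uuid()),
        content=fetched,
        public=False,
        burn=False,
        owner_id=owner.id,
        owner=owner,
        ip_addr=request.remote_addr,
        user_agent=request.headers.get('User-Agent', ''))

    Audit.create_audit_entry(
        gqloperation=helpers.get_opname(info.operation))

    return ImportPaste(result=fetched)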
def resolve_read_and_burn(self, info, p_id):
    """Return the burn-after-read paste with id ``p_id``, deleting it.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.
        p_id: Id of the paste to read.

    Returns:
        The first paste with that id and ``burn=True``, or None if there
        is none.
    """
    burn_matches = Paste.query.filter_by(id=p_id, burn=True)
    paste = burn_matches.first()

    # The delete runs whether or not a row was found. The read and the
    # delete are separate statements, so two concurrent requests could both
    # read the paste before either delete commits.
    burn_matches.delete()
    db.session.commit()

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)
    return paste
def mutate(self, info, title):
    """Delete every paste whose title equals ``title``.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.
        title: Exact title to match.

    Returns:
        DeletePaste with ``ok=True``, whether or not any row matched.
    """
    # NOTE(review): the filter is the title only; this block performs no
    # owner or permission check -- confirm authorization is enforced upstream.
    titled = Paste.query.filter_by(title=title)
    titled.delete()
    db.session.commit()

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)
    return DeletePaste(ok=True)
def resolve(self, next, root, info, **kwargs):
    """Middleware hook that rejects operations whose name is not allowed.

    Args:
        next: The next resolver in the chain.
        root: Parent value passed through to ``next``.
        info: GraphQL resolve info; the operation name is derived from it.
        **kwargs: Field arguments passed through to ``next``.

    Returns:
        Whatever ``next(root, info, **kwargs)`` returns.

    Raises:
        werkzeug.exceptions.SecurityError: If the check is active and the
            operation name is rejected by security.operation_name_allowed.
    """
    # The check is skipped entirely when the app runs at the "easy" level.
    if not helpers.is_level_easy():
        operation_name = helpers.get_opname(info.operation)
        # 'No Operation' is passed through without consulting the allowlist.
        # NOTE(review): presumably the name is the label the client put on
        # its document, so this filters names rather than authorizing fields.
        rejected = (operation_name != 'No Operation'
                    and not security.operation_name_allowed(operation_name))
        if rejected:
            raise werkzeug.exceptions.SecurityError(
                'Operation Name "{}" is not allowed.'.format(operation_name))

    return next(root, info, **kwargs)
def resolve_system_diagnostics(self, info, username, password, cmd='whoami'):
    """Run a diagnostics command after checking the supplied credentials.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.
        username: User name supplied by the caller.
        password: Password supplied by the caller.
        cmd: Command to run; defaults to ``whoami``.

    Returns:
        The command output when the credentials pass and
        security.allowed_cmds accepts ``cmd``; ``'<cmd>: command not found'``
        when the credentials pass but the command is refused; otherwise the
        message returned by security.check_creds.
    """
    account = User.query.filter_by(username='******').first()
    # NOTE(review): the stored value is handed to check_creds as-is; whether
    # it is a hash or plaintext is not visible here. `account` is not checked
    # for None before the attribute access.
    stored_password = account.password
    authenticated, message = security.check_creds(
        username, password, stored_password)

    # The audit entry is written before the outcome of the check is used,
    # so failed attempts are recorded too.
    Audit.create_audit_entry(
        gqloperation=helpers.get_opname(info.operation))

    if not authenticated:
        return message

    # NOTE(review): `cmd` is caller-supplied and reaches helpers.run_cmd;
    # the only gate in this block is security.allowed_cmds -- confirm it
    # matches whole commands rather than prefixes or substrings.
    if security.allowed_cmds(cmd):
        return helpers.run_cmd(cmd)
    return f'{cmd}: command not found'
def mutate(self, info, title, content, public, burn):
    """Create a paste owned by the 'DVGAUser' owner record.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.
        title: Paste title, stored as supplied.
        content: Paste body, stored as supplied.
        public: Whether the paste is listed as public.
        burn: Whether the paste is burn-after-read.

    Returns:
        CreatePaste wrapping the new paste object.
    """
    owner = Owner.query.filter_by(name='DVGAUser').first()

    # title and content are stored unmodified, and the User-Agent header is
    # client-controlled; anything that renders these must escape on output.
    paste_fields = {
        'title': title,
        'content': content,
        'public': public,
        'burn': burn,
        'owner_id': owner.id,
        'owner': owner,
        'ip_addr': request.remote_addr,
        'user_agent': request.headers.get('User-Agent', ''),
    }
    new_paste = Paste.create_paste(**paste_fields)

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)
    return CreatePaste(paste=new_paste)
def mutate(self, info, filename, content):
    """Save uploaded content to a file and record it as a private paste.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.
        filename: Target file name supplied by the caller.
        content: File content supplied by the caller.

    Returns:
        UploadPaste whose ``result`` is what helpers.save_file returned.
    """
    # NOTE(review): `filename` is passed to helpers.save_file unchanged;
    # confirm the helper confines the write to the upload directory (rejects
    # path separators and "..") -- nothing in this block does.
    saved = helpers.save_file(filename, content)

    owner = Owner.query.filter_by(name='DVGAUser').first()
    paste_title = 'Imported Paste from File - {}'.format(
        helpers.generate_uuid())
    Paste.create_paste(
        title=paste_title,
        content=content,
        public=False,
        burn=False,
        owner_id=owner.id,
        owner=owner,
        ip_addr=request.remote_addr,
        user_agent=request.headers.get('User-Agent', ''))

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)
    return UploadPaste(result=saved)
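def create_audit_entry(cls, info, operation_type=None):
    """Persist an audit row for a GraphQL request or subscription.

    Args:
        info: GraphQL resolve info for request-backed calls. When
            ``operation_type`` is ``'subscription'`` it is instead the raw
            document string, which is parsed for its operation name.
        operation_type: Falsy for ordinary requests, ``'subscription'`` for
            subscription documents.

    Returns:
        The committed audit object.
    """
    gql_query = '{}'
    gql_operation = None

    if not operation_type:
        gql_operation = helpers.get_opname(info.operation)
        # Only request-backed calls carry a context; the subscription path
        # below passes the document itself as `info`.
        if info.context.json:
            gql_query = info.context.json.get("query")

    if operation_type == 'subscription' and info:
        ast = parse(info)
        gql_query = info
        try:
            gql_operation = ast.definitions[0].name.value
        except (AttributeError, IndexError):
            # Anonymous operation or empty document: keep the name as None.
            # Narrowed from a bare except so interpreter-level exceptions
            # (KeyboardInterrupt, SystemExit) are no longer swallowed.
            pass

    # NOTE(review): the full client-supplied document is stored, so any
    # credentials written as literal arguments end up in the audit table.
    obj = cls(**{"gqloperation": gql_operation, "gqlquery": gql_query})
    db.session.add(obj)
    db.session.commit()
    return obj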
def resolve_system_health(self, info):
    """Report the system load figures taken from ``uptime``.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.

    Returns:
        A string of the form ``'System Load: <output>'``.
    """
    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)

    # The command line is a fixed literal; no request data is interpolated.
    load_fields = helpers.run_cmd("uptime | awk '{print $10, $11, $12}'")
    return 'System Load: {}'.format(load_fields)
def resolve_system_update(self, info):
    """Simulate an update check and report that nothing is available.

    Args:
        info: GraphQL resolve info; its operation is written to the audit log.

    Returns:
        The fixed string ``'no updates available'``.
    """
    # NOTE(review): simulate_load() runs on every call before anything else;
    # if it is expensive, this field needs rate limiting or a cost limit.
    security.simulate_load()

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)
    return 'no updates available'
def resolve_paste(self, info, p_id):
    """Return the non-burn paste with id ``p_id``.

    Args:
        info: GraphQL resolve info; also written to the audit log.
        p_id: Id of the paste to fetch.

    Returns:
        The first matching paste, or None when there is none.
    """
    pastes = PasteObject.get_query(info)

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)

    # NOTE(review): the lookup filters on id and burn only, so a paste
    # created with public=False is returned to anyone who supplies its id.
    return pastes.filter_by(id=p_id, burn=False).first()
def resolve_pastes(self, info, public=False):
    """List non-burn pastes with the requested ``public`` flag, newest first.

    Args:
        info: GraphQL resolve info; also written to the audit log.
        public: Value of the ``public`` column to match; defaults to False.

    Returns:
        A query over the matching pastes ordered by descending id.
    """
    pastes = PasteObject.get_query(info)

    op_name = helpers.get_opname(info.operation)
    Audit.create_audit_entry(gqloperation=op_name)

    # NOTE(review): `public` comes from the caller and defaults to False, so
    # the default listing is the non-public pastes; no owner filter is applied.
    visible = pastes.filter_by(public=public, burn=False)
    return visible.order_by(Paste.id.desc())