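def mutate(self,
               info,
               host='pastebin.com',
               port=443,
               path='/',
               scheme="http"):
        """Fetch a remote URL with curl and store the response as a private paste.

        The URL is assembled from the caller-supplied ``scheme``, ``host``,
        ``port`` and ``path``, fetched through ``helpers.run_cmd``, saved as a
        non-public, non-burn paste owned by 'DVGAUser', and the raw curl
        output is returned in ``ImportPaste.result``.

        Security notes for maintainers:
        * Every URL component comes from the request, so the command line is
          built from untrusted input. The URL is shell-quoted below and the
          scheme is limited to http/https.
        * The destination is still chosen by the caller, so the server can be
          made to request hosts that only it can reach. Restrict destinations
          with an allowlist or an egress policy where that matters.
        * ``--insecure`` turns off TLS certificate verification, so the
          fetched content is not authenticated.
        * The default scheme is plain ``http`` while the default port is 443.

        Raises:
            ValueError: if ``scheme`` is neither ``http`` nor ``https``.
        """
        import shlex  # local import keeps this block self-contained

        # curl speaks many protocols besides the web ones; accept only the
        # two this feature is meant for.
        if str(scheme).lower() not in ('http', 'https'):
            raise ValueError('Unsupported URL scheme: {!r}'.format(scheme))

        # security.strip_dangerous_characters is opaque from here; do not rely
        # on it as the only barrier between request data and the shell.
        url = security.strip_dangerous_characters(
            f"{scheme}://{host}:{port}{path}")

        # helpers.run_cmd appears to pass its string to a shell (elsewhere on
        # this page it is given a pipeline) -- TODO confirm. Quoting makes the
        # URL a single argument, so whitespace or shell metacharacters in it
        # cannot add options or commands.
        cmd = helpers.run_cmd(f'curl --insecure {shlex.quote(url)}')

        # NOTE(review): .first() returns None when no 'DVGAUser' row exists,
        # and owner.id below would then raise AttributeError.
        owner = Owner.query.filter_by(name='DVGAUser').first()
        Paste.create_paste(
            title='Imported Paste from URL - {}'.format(
                helpers.generate_uuid()),
            content=cmd,
            public=False,
            burn=False,
            owner_id=owner.id,
            owner=owner,
            ip_addr=request.remote_addr,
            user_agent=request.headers.get('User-Agent', ''))

        Audit.create_audit_entry(
            gqloperation=helpers.get_opname(info.operation))

        return ImportPaste(result=cmd)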
 def resolve_read_and_burn(self, info, p_id):
     """Return the burn-on-read paste with id ``p_id`` and delete it.

     Returns None when no paste with that id has ``burn=True``.

     NOTE(review): the read and the delete are two separate statements, so
     concurrent requests for the same id could each read the paste before
     either delete commits. The filter has no owner or visibility condition;
     knowing the id is the only requirement visible here.
     """
     burn_matches = Paste.query.filter_by(id=p_id, burn=True)
     paste = burn_matches.first()
     burn_matches.delete()
     db.session.commit()
     operation = helpers.get_opname(info.operation)
     Audit.create_audit_entry(gqloperation=operation)
     return paste
    def mutate(self, info, title):
        """Delete every paste whose title equals ``title`` and report success.

        NOTE(review): the only selector is the caller-supplied title. No
        owner or session check is visible in this method, so any caller who
        knows or guesses a title can remove the matching pastes. ``ok`` is
        True even when nothing matched.
        """
        titled = Paste.query.filter_by(title=title)
        titled.delete()
        db.session.commit()

        operation = helpers.get_opname(info.operation)
        Audit.create_audit_entry(gqloperation=operation)

        return DeletePaste(ok=True)
    def resolve(self, next, root, info, **kwargs):
        """Middleware hook: reject operations whose name is not allowed.

        In "easy" mode the check is skipped entirely. Otherwise the operation
        name is passed to ``security.operation_name_allowed`` and a
        ``SecurityError`` is raised when it is refused.

        NOTE(review): the operation name is a label chosen by the client, so
        this is a filter on labels rather than an authorization control. A
        request whose name resolves to 'No Operation' is never checked.
        """
        if not helpers.is_level_easy():
            opname = helpers.get_opname(info.operation)
            is_named = opname != 'No Operation'

            # The `and` short-circuits, so the allow-check runs only for
            # named operations.
            if is_named and not security.operation_name_allowed(opname):
                raise werkzeug.exceptions.SecurityError(
                    'Operation Name "{}" is not allowed.'.format(opname))

        return next(root, info, **kwargs)
 def resolve_system_diagnostics(self, info, username, password, cmd='whoami'):
     """Run a diagnostic command after checking the supplied credentials.

     Returns the command output when the credentials pass and
     ``security.allowed_cmds`` approves ``cmd``, a "command not found"
     string when the command is refused, or the message from
     ``security.check_creds`` when authentication fails.

     Security notes for maintainers:
     * The account row is selected by the fixed literal in the query below
       (it appears masked on this page), not by the supplied ``username``.
     * ``cmd`` comes from the request and reaches ``helpers.run_cmd`` once
       ``security.allowed_cmds`` approves it. That gate is opaque from here.
       An exact-match allowlist mapped to fixed argument lists is the safer
       design.
     * NOTE(review): credentials arrive as GraphQL arguments, so they may
       end up in any log of raw query text -- confirm what the audit trail
       stores.
     """
     # NOTE(review): .first() returns None when the row is missing, and
     # .password would then raise AttributeError.
     account = User.query.filter_by(username='******').first()
     stored_password = account.password
     authenticated, failure_msg = security.check_creds(
         username, password, stored_password)

     # The audit entry is written for every attempt, before the outcome is
     # acted on.
     Audit.create_audit_entry(
         gqloperation=helpers.get_opname(info.operation))

     if not authenticated:
         return failure_msg
     if security.allowed_cmds(cmd):
         return helpers.run_cmd(cmd)
     return f'{cmd}: command not found'
    def mutate(self, info, title, content, public, burn):
        """Create a paste from the supplied fields and return it.

        The paste is attributed to the fixed 'DVGAUser' owner and records the
        client's address and User-Agent header.

        NOTE(review): ``title`` and ``content`` are stored as supplied, so
        output encoding has to happen wherever pastes are rendered. The
        User-Agent header is client-controlled as well.
        """
        # NOTE(review): .first() returns None when no 'DVGAUser' row exists,
        # and owner.id below would then raise AttributeError.
        owner = Owner.query.filter_by(name='DVGAUser').first()

        paste_fields = {
            'title': title,
            'content': content,
            'public': public,
            'burn': burn,
            'owner_id': owner.id,
            'owner': owner,
            'ip_addr': request.remote_addr,
            'user_agent': request.headers.get('User-Agent', ''),
        }
        created = Paste.create_paste(**paste_fields)

        operation = helpers.get_opname(info.operation)
        Audit.create_audit_entry(gqloperation=operation)

        return CreatePaste(paste=created)
    def mutate(self, info, filename, content):
        """Save uploaded content to a file and record it as a private paste.

        Returns ``UploadPaste`` carrying whatever ``helpers.save_file``
        returned.

        NOTE(review): ``filename`` comes from the request and goes straight
        to ``helpers.save_file``. Whether that helper confines the write to
        an upload directory (rejecting path separators and parent
        references) is not visible here -- confirm before relying on it.
        """
        saved = helpers.save_file(filename, content)

        # NOTE(review): .first() returns None when no 'DVGAUser' row exists,
        # and owner.id below would then raise AttributeError.
        owner = Owner.query.filter_by(name='DVGAUser').first()

        paste_title = 'Imported Paste from File - {}'.format(
            helpers.generate_uuid())
        Paste.create_paste(
            title=paste_title,
            content=content,
            public=False,
            burn=False,
            owner_id=owner.id,
            owner=owner,
            ip_addr=request.remote_addr,
            user_agent=request.headers.get('User-Agent', ''))

        operation = helpers.get_opname(info.operation)
        Audit.create_audit_entry(gqloperation=operation)

        return UploadPaste(result=saved)
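    def create_audit_entry(cls, info, operation_type=None):
        """Persist one audit row for a GraphQL operation and return it.

        Written as a classmethod (first parameter ``cls``); the decorator is
        not visible in this excerpt.

        Args:
            info: for queries and mutations, the resolver ``info`` object.
                For subscriptions, the raw query text, which is passed to
                ``parse``.
            operation_type: falsy for queries and mutations,
                ``'subscription'`` for subscriptions.

        Returns:
            The newly committed ``cls`` instance.

        Security notes for maintainers:
        * The raw query text is stored verbatim. Argument values written
          inline in a query, credentials included, therefore end up in the
          audit table. Redact or restrict access as appropriate.
        * The recorded operation name is chosen by the client and should
          not be treated as trustworthy evidence of what ran.
        """
        gql_query = '{}'
        gql_operation = None

        if not operation_type:
            gql_operation = helpers.get_opname(info.operation)

            if info.context.json:
                gql_query = info.context.json.get("query")

        if operation_type == 'subscription' and info:
            # parse() runs outside the try on purpose: a syntax error still
            # propagates, exactly as before.
            ast = parse(info)
            gql_query = info

            try:
                gql_operation = ast.definitions[0].name.value
            except (AttributeError, IndexError):
                # Anonymous operation (name is None) or no definitions: keep
                # gql_operation as None. The previous bare `except` also
                # swallowed KeyboardInterrupt and SystemExit.
                pass

        obj = cls(gqloperation=gql_operation, gqlquery=gql_query)
        db.session.add(obj)
        db.session.commit()
        return obj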
 def resolve_system_health(self, info):
     """Return the host load figures taken from ``uptime``.

     The command string is a fixed literal, so no request data reaches the
     shell here.

     NOTE(review): no authentication check is visible in this resolver, and
     the awk field positions depend on the layout of ``uptime`` output.
     """
     operation = helpers.get_opname(info.operation)
     Audit.create_audit_entry(gqloperation=operation)
     load = helpers.run_cmd("uptime | awk '{print $10, $11, $12}'")
     return 'System Load: {}'.format(load)
 def resolve_system_update(self, info):
     """Simulate a system update check and report that none is available.

     NOTE(review): ``security.simulate_load`` runs on every call before the
     audit entry is written. If it is as expensive as its name suggests,
     this field needs rate limiting or query cost limits -- confirm.
     """
     security.simulate_load()
     operation = helpers.get_opname(info.operation)
     Audit.create_audit_entry(gqloperation=operation)
     return 'no updates available'
 def resolve_paste(self, info, p_id):
     """Return the non-burn paste with id ``p_id``, or None if there is none.

     NOTE(review): the filter has no ``public`` or owner condition, so a
     private paste is returned to any caller who supplies its id.
     """
     pastes = PasteObject.get_query(info)
     operation = helpers.get_opname(info.operation)
     Audit.create_audit_entry(gqloperation=operation)
     match = pastes.filter_by(id=p_id, burn=False).first()
     return match
 def resolve_pastes(self, info, public=False):
     """Return non-burn pastes with the requested ``public`` flag, newest id first.

     NOTE(review): ``public`` is a caller-supplied argument defaulting to
     False, and no owner condition is applied. The default call therefore
     lists the private pastes of every owner.
     """
     pastes = PasteObject.get_query(info)
     operation = helpers.get_opname(info.operation)
     Audit.create_audit_entry(gqloperation=operation)
     visible = pastes.filter_by(public=public, burn=False)
     return visible.order_by(Paste.id.desc())