def truncate_database():
# delete all table data (but keep tables)
_pages = Pages.query.all()
for p in _pages:
for f in p.files:
delete_file(file_id=f.id)
Pages.query.delete()
Notifications.query.delete()
_challenges = Challenges.query.all()
for c in _challenges:
for f in c.files:
delete_file(file_id=f.id)
Challenges.query.delete()
Users.query.delete()
Teams.query.delete()
Solves.query.delete()
Submissions.query.delete()
Awards.query.delete()
Unlocks.query.delete()
Tracking.query.delete()
Configs.query.delete()
clear_config()
clear_pages()
clear_standings()
cache.clear()
db.session.commit()
def reset():
if request.method == "POST":
require_setup = False
logout = False
next_url = url_for("admin.statistics")
data = request.form
if data.get("pages"):
_pages = Pages.query.all()
for p in _pages:
for f in p.files:
delete_file(file_id=f.id)
Pages.query.delete()
if data.get("notifications"):
Notifications.query.delete()
if data.get("challenges"):
_challenges = Challenges.query.all()
for c in _challenges:
for f in c.files:
delete_file(file_id=f.id)
Challenges.query.delete()
if data.get("accounts"):
Users.query.delete()
Teams.query.delete()
require_setup = True
logout = True
if data.get("submissions"):
Solves.query.delete()
Submissions.query.delete()
Awards.query.delete()
Unlocks.query.delete()
Tracking.query.delete()
if require_setup:
set_config("setup", False)
cache.clear()
logout_user()
next_url = url_for("views.setup")
db.session.commit()
clear_pages()
clear_standings()
clear_config()
if logout is True:
cache.clear()
logout_user()
db.session.close()
return redirect(next_url)
return render_template("admin/reset.html")
def reset():
if request.method == 'POST':
# Truncate Users, Teams, Submissions, Solves, Notifications, Awards, Unlocks, Tracking
Tracking.query.delete()
Solves.query.delete()
Submissions.query.delete()
Awards.query.delete()
Unlocks.query.delete()
Users.query.delete()
Teams.query.delete()
set_config('setup', False)
db.session.commit()
cache.clear()
logout_user()
db.session.close()
return redirect(url_for('views.setup'))
return render_template('admin/reset.html')
def plugin(plugin):
if request.method == 'GET':
plugins_path = os.path.join(app.root_path, 'plugins')
config_html_plugins = [name for name in os.listdir(plugins_path)
if os.path.isfile(os.path.join(plugins_path, name, 'config.html'))]
if plugin in config_html_plugins:
config_html = open(os.path.join(app.root_path, 'plugins', plugin, 'config.html')).read()
return render_template_string(config_html)
abort(404)
elif request.method == 'POST':
for k, v in request.form.items():
if k == "nonce":
continue
set_config(k, v)
with app.app_context():
cache.clear()
return '1'
def destroy_ctfd(app):
with app.app_context():
gc.collect(
) # Garbage collect (necessary in the case of dataset freezes to clean database connections)
cache.clear()
drop_database(app.config["SQLALCHEMY_DATABASE_URI"])
def setup():
errors = get_errors()
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
# General
ctf_name = request.form.get("ctf_name")
ctf_description = request.form.get("ctf_description")
user_mode = request.form.get("user_mode", USERS_MODE)
set_config("ctf_name", ctf_name)
set_config("ctf_description", ctf_description)
set_config("user_mode", user_mode)
# Style
theme = request.form.get("ctf_theme", "core")
set_config("ctf_theme", theme)
theme_color = request.form.get("theme_color")
if theme_color:
# Uses {{ and }} to insert curly braces while using the format method
css = (
":root {{--theme-color: {theme_color};}}\n"
".navbar{{background-color: var(--theme-color) !important;}}\n"
".jumbotron{{background-color: var(--theme-color) !important;}}\n"
).format(theme_color=theme_color)
set_config("css", css)
# DateTime
start = request.form.get("start")
end = request.form.get("end")
set_config("start", start)
set_config("end", end)
set_config("freeze", None)
# Administration
name = request.form["name"]
email = request.form["email"]
password = request.form["password"]
name_len = len(name) == 0
names = Users.query.add_columns("name",
"id").filter_by(name=name).first()
emails = (Users.query.add_columns(
"email", "id").filter_by(email=email).first())
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = validators.validate_email(request.form["email"])
team_name_email_check = validators.validate_email(name)
if not valid_email:
errors.append("Please enter a valid email address")
if names:
errors.append("That user name is already taken")
if team_name_email_check is True:
errors.append("Your user name cannot be an email address")
if emails:
errors.append("That email has already been used")
if pass_short:
errors.append("Pick a longer password")
if pass_long:
errors.append("Pick a shorter password")
if name_len:
errors.append("Pick a longer user name")
if len(errors) > 0:
return render_template(
"setup.html",
errors=errors,
name=name,
email=email,
password=password,
state=serialize(generate_nonce()),
)
admin = Admins(name=name,
email=email,
password=password,
type="admin",
hidden=True)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
<h3 class="text-center">
<p>A cool CTF platform from <a href="https://ctfd.io">ctfd.io</a></p>
<p>Follow us on social media:</p>
<a href="https://twitter.com/ctfdio"><i class="fab fa-twitter fa-2x" aria-hidden="true"></i></a>
<a href="https://facebook.com/ctfdio"><i class="fab fa-facebook fa-2x" aria-hidden="true"></i></a>
<a href="https://github.com/ctfd"><i class="fab fa-github fa-2x" aria-hidden="true"></i></a>
</h3>
<br>
<h4 class="text-center">
<a href="admin">Click here</a> to login and setup your CTF
</h4>
</div>
</div>""".format(request.script_root)
page = Pages(title=None, route="index", content=index, draft=False)
# Visibility
set_config("challenge_visibility", "private")
set_config("registration_visibility", "public")
set_config("score_visibility", "public")
set_config("account_visibility", "public")
# Verify emails
set_config("verify_emails", None)
set_config("mail_server", None)
set_config("mail_port", None)
set_config("mail_tls", None)
set_config("mail_ssl", None)
set_config("mail_username", None)
set_config("mail_password", None)
set_config("mail_useauth", None)
set_config("setup", True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
return render_template(
"setup.html",
nonce=session.get("nonce"),
state=serialize(generate_nonce()),
themes=config.get_themes(),
)
return redirect(url_for("views.static_html"))
def setup():
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
ctf_name = request.form["ctf_name"]
set_config("ctf_name", ctf_name)
# CSS
set_config("start", "")
# Admin user
name = request.form["name"]
email = request.form["email"]
password = request.form["password"]
admin = Admins(name=name,
email=email,
password=password,
type="admin",
hidden=True)
user_mode = request.form["user_mode"]
set_config("user_mode", user_mode)
# Index page
index = """<div class="section section-hero" id="home" style="background-image: url('/themes/H1ve-theme/static/img/bg.jpg'); background-position: 10% 50%">
<div class="section-inner">
<div class="table-container-outer container">
<div class="table-container-inner">
<div data-0="transform[swing]:translateY(0px);opacity[swing]:1" data-250="transform[swing]:translateY(-50px);opacity[swing]:0">
<img class="img-responsive ctf_logo" src="/themes/H1ve-theme/static/img/h1ve.png" height="150px" width="150px" alt="H1ve-Logo">
<h1 class="hero-header" data-150="transform[swing]:translateX(0px);opacity[swing]:1" data-550="transform[swing]:translateX(-25px);opacity[swing]:0">D0g3 <strong class="main-color">Lab</strong></h1>
<h2 class="hero-subheader" data-200="transform[swing]:translateX(0px);opacity[swing]:1" data-500="transform[swing]:translateX(25px);opacity[swing]:0">CTF <strong class="main-color">Online</strong></h2>
<div data-250="transform[swing]:translateY(0px);opacity[swing]:1" data-550="transform[swing]:translateY(-15px);opacity[swing]:0">
<div class="divider">//</div>
</div>
<div data-350="transform[swing]:translateY(0px);opacity[swing]:1" data-650="transform[swing]:translateY(-15px);opacity[swing]:0">
<p class="">收集各类自创/大型CTF比赛赛题,提供容器化专属题目环境,供广大CTF爱好者学习。</p>
<p class="">如有侵权,或题目问题请电联<a href="mailto:[email protected]">[email protected]</a></p>
</div>
<div>
<p>
</p>
</div>
<p> © 2019 <a href="https://www.d0g3.cn">D0g3</a> | 道之若极,行必有格 | Power By <a href="https://github.com/D0g3-Lab/H1ve/">H1ve</a></p>
</div>
</div>
<div class="scroll-icon visible-lg" data-600="opacity[swing]:1" data-850="opacity[swing]:0">
<span class="icon icon-basic-magic-mouse"></span>
</div>
</div>
</div>
</div>""".format(request.script_root)
page = Pages(title=None, route="index", content=index, draft=False)
# Visibility
set_config("challenge_visibility", "private")
set_config("registration_visibility", "public")
set_config("score_visibility", "public")
set_config("account_visibility", "public")
# Start time
set_config("start", None)
set_config("end", None)
set_config("freeze", None)
# Verify emails
set_config("verify_emails", None)
set_config("mail_server", None)
set_config("mail_port", None)
set_config("mail_tls", None)
set_config("mail_ssl", None)
set_config("mail_username", None)
set_config("mail_password", None)
set_config("mail_useauth", None)
set_config("setup", True)
# add h1ve-theme as default theme
set_config("ctf_theme", "H1ve-theme")
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
app.setup = False
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
return render_template("setup.html", nonce=session.get("nonce"))
return redirect(url_for("views.static_html"))
def setup():
errors = get_errors()
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
# General
ctf_name = request.form.get("ctf_name")
ctf_description = request.form.get("ctf_description")
user_mode = request.form.get("user_mode", USERS_MODE)
set_config("ctf_name", ctf_name)
set_config("ctf_description", ctf_description)
set_config("user_mode", user_mode)
# Style
theme = request.form.get("ctf_theme", "core")
set_config("ctf_theme", theme)
theme_color = request.form.get("theme_color")
theme_header = get_config("theme_header")
if theme_color and bool(theme_header) is False:
# Uses {{ and }} to insert curly braces while using the format method
css = (
'<style id="theme-color">\n'
":root {{--theme-color: {theme_color};}}\n"
".navbar{{background-color: var(--theme-color) !important;}}\n"
".jumbotron{{background-color: var(--theme-color) !important;}}\n"
"</style>\n"
).format(theme_color=theme_color)
set_config("theme_header", css)
# DateTime
start = request.form.get("start")
end = request.form.get("end")
set_config("start", start)
set_config("end", end)
set_config("freeze", None)
# Administration
name = request.form["name"]
email = request.form["email"]
password = request.form["password"]
name_len = len(name) == 0
names = Users.query.add_columns("name", "id").filter_by(name=name).first()
emails = (
Users.query.add_columns("email", "id").filter_by(email=email).first()
)
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = validators.validate_email(request.form["email"])
team_name_email_check = validators.validate_email(name)
if not valid_email:
errors.append("Please enter a valid email address")
if names:
errors.append("That user name is already taken")
if team_name_email_check is True:
errors.append("Your user name cannot be an email address")
if emails:
errors.append("That email has already been used")
if pass_short:
errors.append("Pick a longer password")
if pass_long:
errors.append("Pick a shorter password")
if name_len:
errors.append("Pick a longer user name")
if len(errors) > 0:
return render_template(
"setup.html",
errors=errors,
name=name,
email=email,
password=password,
state=serialize(generate_nonce()),
)
admin = Admins(
name=name, email=email, password=password, type="admin", hidden=True
)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
<h3 class="text-center">
<p>CTF</p>
</h3>
<br>
<h4 class="text-center">
<a href="admin">Click here</a> to login and setup your CTF
</h4>
</div>
</div>""".format(
request.script_root
)
page = Pages(title=None, route="index", content=index, draft=False)
# Visibility
set_config("challenge_visibility", "private")
set_config("registration_visibility", "public")
set_config("score_visibility", "public")
set_config("account_visibility", "public")
# Verify emails
set_config("verify_emails", None)
set_config("mail_server", None)
set_config("mail_port", None)
set_config("mail_tls", None)
set_config("mail_ssl", None)
set_config("mail_username", None)
set_config("mail_password", None)
set_config("mail_useauth", None)
# Set up default emails
set_config("verification_email_subject", DEFAULT_VERIFICATION_EMAIL_SUBJECT)
set_config("verification_email_body", DEFAULT_VERIFICATION_EMAIL_BODY)
set_config(
"successful_registration_email_subject",
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_SUBJECT,
)
set_config(
"successful_registration_email_body",
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_BODY,
)
set_config(
"user_creation_email_subject", DEFAULT_USER_CREATION_EMAIL_SUBJECT
)
set_config("user_creation_email_body", DEFAULT_USER_CREATION_EMAIL_BODY)
set_config("password_reset_subject", DEFAULT_PASSWORD_RESET_SUBJECT)
set_config("password_reset_body", DEFAULT_PASSWORD_RESET_BODY)
set_config(
"password_change_alert_subject",
"Password Change Confirmation for {ctf_name}",
)
set_config(
"password_change_alert_body",
(
"Your password for {ctf_name} has been changed.\n\n"
"If you didn't request a password change you can reset your password here: {url}"
),
)
set_config("setup", True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
return render_template(
"setup.html",
nonce=session.get("nonce"),
state=serialize(generate_nonce()),
themes=config.get_themes(),
)
return redirect(url_for("views.static_html"))
def import_ctf(backup, erase=True):
if not zipfile.is_zipfile(backup):
raise zipfile.BadZipfile
backup = zipfile.ZipFile(backup)
members = backup.namelist()
max_content_length = get_app_config("MAX_CONTENT_LENGTH")
for f in members:
if f.startswith("/") or ".." in f:
# Abort on malicious zip files
raise zipfile.BadZipfile
info = backup.getinfo(f)
if max_content_length:
if info.file_size > max_content_length:
raise zipfile.LargeZipFile
# Get list of directories in zipfile
member_dirs = [os.path.split(m)[0] for m in members if "/" in m]
if "db" not in member_dirs:
raise Exception(
'CTFd couldn\'t find the "db" folder in this backup. '
"The backup may be malformed or corrupted and the import process cannot continue."
)
try:
alembic_version = json.loads(
backup.open("db/alembic_version.json").read())
alembic_version = alembic_version["results"][0]["version_num"]
except Exception:
raise Exception(
"Could not determine appropriate database version. This backup cannot be automatically imported."
)
# Check if the alembic version is from CTFd 1.x
if alembic_version in (
"1ec4a28fe0ff",
"2539d8b5082e",
"7e9efd084c5a",
"87733981ca0e",
"a4e30c94c360",
"c12d2a1b0926",
"c7225db614c1",
"cb3cfcc47e2f",
"cbf5620f8e15",
"d5a224bf5862",
"d6514ec92738",
"dab615389702",
"e62fd69bd417",
):
raise Exception(
"The version of CTFd that this backup is from is too old to be automatically imported."
)
sqlite = get_app_config("SQLALCHEMY_DATABASE_URI").startswith("sqlite")
postgres = get_app_config("SQLALCHEMY_DATABASE_URI").startswith("postgres")
mysql = get_app_config("SQLALCHEMY_DATABASE_URI").startswith("mysql")
if erase:
# Clear out existing connections to release any locks
db.session.close()
db.engine.dispose()
# Kill sleeping processes on MySQL so we don't get a metadata lock
# In my testing I didn't find that Postgres or SQLite needed the same treatment
# Only run this when not in tests as we can't isolate the queries out
# This is a very dirty hack. Don't try this at home kids.
if mysql and get_app_config("TESTING", default=False) is False:
url = make_url(get_app_config("SQLALCHEMY_DATABASE_URI"))
r = db.session.execute("SHOW PROCESSLIST")
processes = r.fetchall()
for proc in processes:
if (proc.Command == "Sleep" and proc.User == url.username
and proc.db == url.database):
proc_id = proc.Id
db.session.execute(f"KILL {proc_id}")
# Drop database and recreate it to get to a clean state
drop_database()
create_database()
# We explicitly do not want to upgrade or stamp here.
# The import will have this information.
side_db = dataset.connect(get_app_config("SQLALCHEMY_DATABASE_URI"))
try:
if postgres:
side_db.query("SET session_replication_role=replica;")
else:
side_db.query("SET FOREIGN_KEY_CHECKS=0;")
except Exception:
print("Failed to disable foreign key checks. Continuing.")
first = [
"db/teams.json",
"db/users.json",
"db/challenges.json",
"db/dynamic_challenge.json",
"db/flags.json",
"db/hints.json",
"db/unlocks.json",
"db/awards.json",
"db/tags.json",
"db/submissions.json",
"db/solves.json",
"db/files.json",
"db/notifications.json",
"db/pages.json",
"db/tracking.json",
"db/config.json",
]
# We want to insert certain database tables first so we are specifying
# the order with a list. The leftover tables are tables that are from a
# plugin (more likely) or a table where we do not care about insertion order
for item in first:
if item in members:
members.remove(item)
# Upgrade the database to the point in time that the import was taken from
migration_upgrade(revision=alembic_version)
members.remove("db/alembic_version.json")
# Combine the database insertion code into a function so that we can pause
# insertion between official database tables and plugin tables
def insertion(table_filenames):
for member in table_filenames:
if member.startswith("db/"):
table_name = member[3:-5]
try:
# Try to open a file but skip if it doesn't exist.
data = backup.open(member).read()
except KeyError:
continue
if data:
table = side_db[table_name]
saved = json.loads(data)
for entry in saved["results"]:
# This is a hack to get SQLite to properly accept datetime values from dataset
# See Issue #246
if sqlite:
direct_table = get_class_by_tablename(table.name)
for k, v in entry.items():
if isinstance(v, string_types):
# We only want to apply this hack to columns that are expecting a datetime object
try:
is_dt_column = (type(
getattr(
direct_table,
k).type) == sqltypes.DateTime)
except AttributeError:
is_dt_column = False
# If the table is expecting a datetime, we should check if the string is one and convert it
if is_dt_column:
match = re.match(
r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d",
v,
)
if match:
entry[
k] = datetime.datetime.strptime(
v, "%Y-%m-%dT%H:%M:%S.%f")
continue
match = re.match(
r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}",
v)
if match:
entry[
k] = datetime.datetime.strptime(
v, "%Y-%m-%dT%H:%M:%S")
continue
# From v2.0.0 to v2.1.0 requirements could have been a string or JSON because of a SQLAlchemy issue
# This is a hack to ensure we can still accept older exports. See #867
if member in (
"db/challenges.json",
"db/hints.json",
"db/awards.json",
):
requirements = entry.get("requirements")
if requirements and isinstance(
requirements, string_types):
entry["requirements"] = json.loads(
requirements)
try:
table.insert(entry)
except ProgrammingError:
# MariaDB does not like JSON objects and prefers strings because it internally
# represents JSON with LONGTEXT.
# See Issue #973
requirements = entry.get("requirements")
if requirements and isinstance(requirements, dict):
entry["requirements"] = json.dumps(
requirements)
table.insert(entry)
db.session.commit()
if postgres:
# This command is to set the next primary key ID for the re-inserted tables in Postgres. However,
# this command is very difficult to translate into SQLAlchemy code. Because Postgres is not
# officially supported, no major work will go into this functionality.
# https://stackoverflow.com/a/37972960
if '"' not in table_name and "'" not in table_name:
query = "SELECT setval(pg_get_serial_sequence('{table_name}', 'id'), coalesce(max(id)+1,1), false) FROM \"{table_name}\"".format( # nosec
table_name=table_name)
side_db.engine.execute(query)
else:
raise Exception(
"Table name {table_name} contains quotes".
format(table_name=table_name))
# Insert data from official tables
insertion(first)
# Create tables created by plugins
# Run plugin migrations
plugins = get_plugin_names()
for plugin in plugins:
revision = plugin_current(plugin_name=plugin)
plugin_upgrade(plugin_name=plugin, revision=revision, lower=None)
# Insert data for plugin tables
insertion(members)
# Bring plugin tables up to head revision
plugins = get_plugin_names()
for plugin in plugins:
plugin_upgrade(plugin_name=plugin)
# Extracting files
files = [f for f in backup.namelist() if f.startswith("uploads/")]
uploader = get_uploader()
for f in files:
filename = f.split(os.sep, 1)
if (
len(filename) < 2 or os.path.basename(filename[1]) == ""
): # just an empty uploads directory (e.g. uploads/) or any directory
continue
filename = filename[
1] # Get the second entry in the list (the actual filename)
source = backup.open(f)
uploader.store(fileobj=source, filename=filename)
# Alembic sqlite support is lacking so we should just create_all anyway
if sqlite:
app.db.create_all()
stamp_latest_revision()
else:
# Run migrations to bring to latest version
migration_upgrade(revision="head")
# Create any leftover tables, perhaps from old plugins
app.db.create_all()
try:
if postgres:
side_db.query("SET session_replication_role=DEFAULT;")
else:
side_db.query("SET FOREIGN_KEY_CHECKS=1;")
except Exception:
print("Failed to enable foreign key checks. Continuing.")
# Invalidate all cached data
cache.clear()
# Set default theme in case the current instance or the import does not provide it
set_config("ctf_theme", "core")
set_config("ctf_version", CTFD_VERSION)
def setup():
if not config.is_setup():
if not session.get('nonce'):
session['nonce'] = generate_nonce()
if request.method == 'POST':
ctf_name = request.form['ctf_name']
set_config('ctf_name', ctf_name)
# CSS
set_config('start', '')
# Admin user
name = request.form['name']
email = request.form['email']
password = request.form['password']
admin = Admins(name=name,
email=email,
password=password,
type='admin',
hidden=True)
user_mode = request.form['user_mode']
set_config('user_mode', user_mode)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img id="img-logo" class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
<h3 class="text-center">
<p>NAVY CYBER CONTEST 2019</p>
</h3>
<br>
</div>
</div>""".format(request.script_root)
page = Pages(title=None, route='index', content=index, draft=False)
# Visibility
set_config('challenge_visibility', 'private')
set_config('registration_visibility', 'public')
set_config('score_visibility', 'public')
set_config('account_visibility', 'public')
# Start time
set_config('start', None)
set_config('end', None)
set_config('freeze', None)
# Verify emails
set_config('verify_emails', None)
set_config('mail_server', None)
set_config('mail_port', None)
set_config('mail_tls', None)
set_config('mail_ssl', None)
set_config('mail_username', None)
set_config('mail_password', None)
set_config('mail_useauth', None)
set_config('setup', True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
app.setup = False
with app.app_context():
cache.clear()
return redirect(url_for('views.static_html'))
return render_template('setup.html', nonce=session.get('nonce'))
return redirect(url_for('views.static_html'))
def setup():
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
ctf_name = request.form["ctf_name"]
set_config("ctf_name", ctf_name)
# CSS
set_config("start", "")
# Admin user
name = request.form["name"]
email = request.form["email"]
password = request.form["password"]
admin = Admins(name=name,
email=email,
password=password,
type="admin",
hidden=True)
user_mode = request.form["user_mode"]
set_config("user_mode", user_mode)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
<h3 class="text-center">
<p>A HACKEREARTH CTF platform</p>
</h3>
<br>
<h4 class="text-center">
<a href="admin">Click here</a> to login and setup your CTF
</h4>
</div>
</div>""".format(request.script_root)
page = Pages(title=None, route="index", content=index, draft=False)
# Visibility
set_config("challenge_visibility", "private")
set_config("registration_visibility", "public")
set_config("score_visibility", "public")
set_config("account_visibility", "public")
# Start time
set_config("start", None)
set_config("end", None)
set_config("freeze", None)
# Verify emails
set_config("verify_emails", None)
set_config("mail_server", None)
set_config("mail_port", None)
set_config("mail_tls", None)
set_config("mail_ssl", None)
set_config("mail_username", None)
set_config("mail_password", None)
set_config("mail_useauth", None)
set_config("setup", True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
app.setup = False
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
return render_template("setup.html", nonce=session.get("nonce"))
return redirect(url_for("views.static_html"))
def setup():
if not config.is_setup():
if not session.get('nonce'):
session['nonce'] = generate_nonce()
if request.method == 'POST':
ctf_name = request.form['ctf_name']
set_config('ctf_name', ctf_name)
# CSS
set_config('start', '')
# Admin user
name = request.form['name']
email = request.form['email']
password = request.form['password']
admin = Admins(name=name,
email=email,
password=password,
type='admin',
hidden=True)
user_mode = request.form['user_mode']
set_config('user_mode', user_mode)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="https://californiactf.com/images/logo-cyber.png" />
<h3 class="text-center">
<p>Find our Beginner's Guide <a href="https://tinyurl.com/beginCTF"><strong>here</strong></a></p>
<p>Follow us on social media:</p>
<a href="https://www.facebook.com/events/2336033789966986/"><i class="fab fa-facebook fa-2x" aria-hidden="true"></i></a>
<a href="https://discord.gg/8sPVZRb"><i class="fab fa-discord fa-2x" aria-hidden="true"></i></a>
</h3>
</div>
</div>"""
page = Pages(title=None, route='index', content=index, draft=False)
# Visibility
set_config('challenge_visibility', 'private')
set_config('registration_visibility', 'public')
set_config('score_visibility', 'public')
set_config('account_visibility', 'public')
# Start time
set_config('start', None)
set_config('end', None)
set_config('freeze', None)
# Verify emails
set_config('verify_emails', None)
set_config('mail_server', None)
set_config('mail_port', None)
set_config('mail_tls', None)
set_config('mail_ssl', None)
set_config('mail_username', None)
set_config('mail_password', None)
set_config('mail_useauth', None)
setup = set_config('setup', True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
app.setup = False
with app.app_context():
cache.clear()
return redirect(url_for('views.static_html'))
return render_template('setup.html', nonce=session.get('nonce'))
return redirect(url_for('views.static_html'))
def import_ctf(backup, erase=True):
if not zipfile.is_zipfile(backup):
raise zipfile.BadZipfile
if erase:
drop_database()
create_database()
# We explicitly do not want to upgrade or stamp here.
# The import will have this information.
side_db = dataset.connect(get_app_config('SQLALCHEMY_DATABASE_URI'))
sqlite = get_app_config('SQLALCHEMY_DATABASE_URI').startswith('sqlite')
postgres = get_app_config('SQLALCHEMY_DATABASE_URI').startswith('postgres')
backup = zipfile.ZipFile(backup)
members = backup.namelist()
max_content_length = get_app_config('MAX_CONTENT_LENGTH')
for f in members:
if f.startswith('/') or '..' in f:
# Abort on malicious zip files
raise zipfile.BadZipfile
info = backup.getinfo(f)
if max_content_length:
if info.file_size > max_content_length:
raise zipfile.LargeZipFile
first = [
'db/teams.json',
'db/users.json',
'db/challenges.json',
'db/dynamic_challenge.json',
'db/flags.json',
'db/hints.json',
'db/unlocks.json',
'db/awards.json',
'db/tags.json',
'db/submissions.json',
'db/solves.json',
'db/files.json',
'db/notifications.json',
'db/pages.json',
'db/tracking.json',
'db/config.json',
]
for item in first:
if item in members:
members.remove(item)
members = first + members
alembic_version = json.loads(backup.open('db/alembic_version.json').read())["results"][0]["version_num"]
upgrade(revision=alembic_version)
# Create tables created by plugins
try:
app.db.create_all()
except OperationalError as e:
if not postgres:
raise e
else:
print("Allowing error during app.db.create_all() due to Postgres")
members.remove('db/alembic_version.json')
for member in members:
if member.startswith('db/'):
table_name = member[3:-5]
try:
# Try to open a file but skip if it doesn't exist.
data = backup.open(member).read()
except KeyError:
continue
if data:
table = side_db[table_name]
saved = json.loads(data)
for entry in saved['results']:
# This is a hack to get SQLite to properly accept datetime values from dataset
# See Issue #246
if sqlite:
for k, v in entry.items():
if isinstance(v, six.string_types):
match = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d", v)
if match:
entry[k] = datetime.datetime.strptime(v, '%Y-%m-%dT%H:%M:%S.%f')
continue
match = re.match(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", v)
if match:
entry[k] = datetime.datetime.strptime(v, '%Y-%m-%dT%H:%M:%S')
continue
# From v2.0.0 to v2.1.0 requirements could have been a string or JSON because of a SQLAlchemy issue
# This is a hack to ensure we can still accept older exports. See #867
if member in ('db/challenges.json', 'db/hints.json', 'db/awards.json'):
requirements = entry.get('requirements')
if requirements and isinstance(requirements, six.string_types):
entry['requirements'] = json.loads(requirements)
try:
table.insert(entry)
except ProgrammingError:
# MariaDB does not like JSON objects and prefers strings because it internally
# represents JSON with LONGTEXT.
# See Issue #973
requirements = entry.get('requirements')
if requirements and isinstance(requirements, dict):
entry['requirements'] = json.dumps(requirements)
table.insert(entry)
db.session.commit()
if postgres:
# This command is to set the next primary key ID for the re-inserted tables in Postgres. However,
# this command is very difficult to translate into SQLAlchemy code. Because Postgres is not
# officially supported, no major work will go into this functionality.
# https://stackoverflow.com/a/37972960
if '"' not in table_name and '\'' not in table_name:
query = "SELECT setval(pg_get_serial_sequence('{table_name}', 'id'), coalesce(max(id)+1,1), false) FROM \"{table_name}\"".format( # nosec
table_name=table_name
)
side_db.engine.execute(query)
else:
raise Exception('Table name {table_name} contains quotes'.format(table_name=table_name))
# Extracting files
files = [f for f in backup.namelist() if f.startswith('uploads/')]
uploader = get_uploader()
for f in files:
filename = f.split(os.sep, 1)
if len(filename) < 2: # just an empty uploads directory (e.g. uploads/)
continue
filename = filename[1] # Get the second entry in the list (the actual filename)
source = backup.open(f)
uploader.store(fileobj=source, filename=filename)
# Alembic sqlite support is lacking so we should just create_all anyway
try:
upgrade(revision='head')
except (CommandError, RuntimeError, SystemExit):
app.db.create_all()
stamp()
# Invalidate all cached data
cache.clear()
# Set default theme in case the current instance or the import does not provide it
set_config('ctf_theme', 'core')
def setup():
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
ctf_name = request.form["ctf_name"]
set_config("ctf_name", ctf_name)
# CSS
set_config("start", "")
# Admin user
name = request.form["name"]
password = request.form["password"]
admin = Admins(
name=name, password=password, type="admin", hidden=True
)
user_mode = request.form["user_mode"]
set_config("user_mode", user_mode)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
<h3 class="text-center">
<p>A cool CTF platform from <a href="https://ctfd.io">ctfd.io</a></p>
<p>Follow us on social media:</p>
<a href="https://twitter.com/ctfdio"><i class="fab fa-twitter fa-2x" aria-hidden="true"></i></a>
<a href="https://facebook.com/ctfdio"><i class="fab fa-facebook fa-2x" aria-hidden="true"></i></a>
<a href="https://github.com/ctfd"><i class="fab fa-github fa-2x" aria-hidden="true"></i></a>
</h3>
<br>
<h4 class="text-center">
<a href="admin">Click here</a> to login and setup your CTF
</h4>
</div>
</div>""".format(
request.script_root
)
page = Pages(title=None, route="index", content=index, draft=False)
# Visibility
set_config("challenge_visibility", "private")
set_config("registration_visibility", "public")
set_config("score_visibility", "public")
set_config("account_visibility", "public")
# Start time
set_config("start", None)
set_config("end", None)
set_config("freeze", None)
set_config("setup", True)
secret = Challenges(name='__SECRET__', value=500, type='standard', state='hidden')
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(secret)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
app.setup = False
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
return render_template("setup.html", nonce=session.get("nonce"))
return redirect(url_for("views.static_html"))
def import_ctf(backup, erase=True):
if not zipfile.is_zipfile(backup):
raise zipfile.BadZipfile
if erase:
drop_database()
create_database()
# We explicitly do not want to upgrade or stamp here.
# The import will have this information.
side_db = dataset.connect(get_app_config('SQLALCHEMY_DATABASE_URI'))
sqlite = get_app_config('SQLALCHEMY_DATABASE_URI').startswith('sqlite')
postgres = get_app_config('SQLALCHEMY_DATABASE_URI').startswith('postgres')
backup = zipfile.ZipFile(backup)
members = backup.namelist()
max_content_length = get_app_config('MAX_CONTENT_LENGTH')
for f in members:
if f.startswith('/') or '..' in f:
# Abort on malicious zip files
raise zipfile.BadZipfile
info = backup.getinfo(f)
if max_content_length:
if info.file_size > max_content_length:
raise zipfile.LargeZipFile
first = [
'db/teams.json',
'db/users.json',
'db/challenges.json',
'db/dynamic_challenge.json',
'db/flags.json',
'db/hints.json',
'db/unlocks.json',
'db/awards.json',
'db/tags.json',
'db/submissions.json',
'db/solves.json',
'db/files.json',
'db/notifications.json',
'db/pages.json',
'db/tracking.json',
'db/config.json',
]
for item in first:
if item in members:
members.remove(item)
members = first + members
alembic_version = json.loads(
backup.open(
'db/alembic_version.json').read())["results"][0]["version_num"]
upgrade(revision=alembic_version)
members.remove('db/alembic_version.json')
for member in members:
if member.startswith('db/'):
table_name = member[3:-5]
try:
# Try to open a file but skip if it doesn't exist.
data = backup.open(member).read()
except KeyError:
continue
if data:
table = side_db[table_name]
saved = json.loads(data)
for entry in saved['results']:
# This is a hack to get SQLite to properly accept datetime values from dataset
# See Issue #246
if sqlite:
for k, v in entry.items():
if isinstance(v, six.string_types):
match = re.match(
r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d",
v)
if match:
entry[k] = datetime.datetime.strptime(
v, '%Y-%m-%dT%H:%M:%S.%f')
continue
match = re.match(
r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", v)
if match:
entry[k] = datetime.datetime.strptime(
v, '%Y-%m-%dT%H:%M:%S')
continue
table.insert(entry)
db.session.commit()
if postgres:
# TODO: This should be sanitized even though exports are basically SQL dumps
# Databases are so hard
# https://stackoverflow.com/a/37972960
side_db.engine.execute(
"SELECT setval(pg_get_serial_sequence('{table_name}', 'id'), coalesce(max(id)+1,1), false) FROM {table_name}"
.format(table_name=table_name))
# Extracting files
files = [f for f in backup.namelist() if f.startswith('uploads/')]
uploader = get_uploader()
for f in files:
filename = f.split(os.sep, 1)
if len(filename
) < 2: # just an empty uploads directory (e.g. uploads/)
continue
filename = filename[
1] # Get the second entry in the list (the actual filename)
source = backup.open(f)
uploader.store(fileobj=source, filename=filename)
cache.clear()
def setup():
errors = get_errors()
if not config.is_setup():
if not session.get("nonce"):
session["nonce"] = generate_nonce()
if request.method == "POST":
# General
ctf_name = request.form.get("ctf_name")
ctf_description = request.form.get("ctf_description")
user_mode = request.form.get("user_mode", USERS_MODE)
set_config("ctf_name", ctf_name)
set_config("ctf_description", ctf_description)
set_config("user_mode", user_mode)
# Style
ctf_logo = request.files.get("ctf_logo")
if ctf_logo:
f = upload_file(file=ctf_logo)
set_config("ctf_logo", f.location)
ctf_small_icon = request.files.get("ctf_small_icon")
if ctf_small_icon:
f = upload_file(file=ctf_small_icon)
set_config("ctf_small_icon", f.location)
theme = request.form.get("ctf_theme", DEFAULT_THEME)
set_config("ctf_theme", theme)
theme_color = request.form.get("theme_color")
theme_header = get_config("theme_header")
if theme_color and bool(theme_header) is False:
# Uses {{ and }} to insert curly braces while using the format method
css = (
'<style id="theme-color">\n'
":root {{--theme-color: {theme_color};}}\n"
".navbar{{background-color: var(--theme-color) !important;}}\n"
".jumbotron{{background-color: var(--theme-color) !important;}}\n"
"</style>\n"
).format(theme_color=theme_color)
set_config("theme_header", css)
# DateTime
start = request.form.get("start")
end = request.form.get("end")
set_config("start", start)
set_config("end", end)
set_config("freeze", None)
# Administration
name = request.form["name"]
email = request.form["email"]
password = request.form["password"]
name_len = len(name) == 0
names = Users.query.add_columns("name", "id").filter_by(name=name).first()
emails = (
Users.query.add_columns("email", "id").filter_by(email=email).first()
)
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = validators.validate_email(request.form["email"])
team_name_email_check = validators.validate_email(name)
if not valid_email:
errors.append("Please enter a valid email address")
if names:
errors.append("That user name is already taken")
if team_name_email_check is True:
errors.append("Your user name cannot be an email address")
if emails:
errors.append("That email has already been used")
if pass_short:
errors.append("Pick a longer password")
if pass_long:
errors.append("Pick a shorter password")
if name_len:
errors.append("Pick a longer user name")
if len(errors) > 0:
return render_template(
"setup.html",
errors=errors,
name=name,
email=email,
password=password,
state=serialize(generate_nonce()),
)
admin = Admins(
name=name, email=email, password=password, type="admin", hidden=True
)
# Create an empty index page
page = Pages(title=None, route="index", content="", draft=False)
# Upload banner
default_ctf_banner_location = url_for("views.themes", path="img/logo.png")
ctf_banner = request.files.get("ctf_banner")
if ctf_banner:
f = upload_file(file=ctf_banner, page_id=page.id)
default_ctf_banner_location = url_for("views.files", path=f.location)
# Splice in our banner
index = f"""<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="{default_ctf_banner_location}" />
<h3 class="text-center">
<p>A cool CTF platform from <a href="https://ctfd.io">ctfd.io</a></p>
<p>Follow us on social media:</p>
<a href="https://twitter.com/ctfdio"><i class="fab fa-twitter fa-2x" aria-hidden="true"></i></a>
<a href="https://facebook.com/ctfdio"><i class="fab fa-facebook fa-2x" aria-hidden="true"></i></a>
<a href="https://github.com/ctfd"><i class="fab fa-github fa-2x" aria-hidden="true"></i></a>
</h3>
<br>
<h4 class="text-center">
<a href="admin">Click here</a> to login and setup your CTF
</h4>
</div>
</div>"""
page.content = index
# Visibility
set_config(
ConfigTypes.CHALLENGE_VISIBILITY, ChallengeVisibilityTypes.PRIVATE
)
set_config(
ConfigTypes.REGISTRATION_VISIBILITY, RegistrationVisibilityTypes.PUBLIC
)
set_config(ConfigTypes.SCORE_VISIBILITY, ScoreVisibilityTypes.PUBLIC)
set_config(ConfigTypes.ACCOUNT_VISIBILITY, AccountVisibilityTypes.PUBLIC)
# Verify emails
set_config("verify_emails", None)
set_config("mail_server", None)
set_config("mail_port", None)
set_config("mail_tls", None)
set_config("mail_ssl", None)
set_config("mail_username", None)
set_config("mail_password", None)
set_config("mail_useauth", None)
# Set up default emails
set_config("verification_email_subject", DEFAULT_VERIFICATION_EMAIL_SUBJECT)
set_config("verification_email_body", DEFAULT_VERIFICATION_EMAIL_BODY)
set_config(
"successful_registration_email_subject",
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_SUBJECT,
)
set_config(
"successful_registration_email_body",
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_BODY,
)
set_config(
"user_creation_email_subject", DEFAULT_USER_CREATION_EMAIL_SUBJECT
)
set_config("user_creation_email_body", DEFAULT_USER_CREATION_EMAIL_BODY)
set_config("password_reset_subject", DEFAULT_PASSWORD_RESET_SUBJECT)
set_config("password_reset_body", DEFAULT_PASSWORD_RESET_BODY)
set_config(
"password_change_alert_subject",
"Password Change Confirmation for {ctf_name}",
)
set_config(
"password_change_alert_body",
(
"Your password for {ctf_name} has been changed.\n\n"
"If you didn't request a password change you can reset your password here: {url}"
),
)
set_config("setup", True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
with app.app_context():
cache.clear()
return redirect(url_for("views.static_html"))
try:
return render_template("setup.html", state=serialize(generate_nonce()))
except TemplateNotFound:
# Set theme to default and try again
set_config("ctf_theme", DEFAULT_THEME)
return render_template("setup.html", state=serialize(generate_nonce()))
return redirect(url_for("views.static_html"))
def import_ctf(backup, erase=True):
if not zipfile.is_zipfile(backup):
raise zipfile.BadZipfile
backup = zipfile.ZipFile(backup)
members = backup.namelist()
max_content_length = get_app_config("MAX_CONTENT_LENGTH")
for f in members:
if f.startswith("/") or ".." in f:
# Abort on malicious zip files
raise zipfile.BadZipfile
info = backup.getinfo(f)
if max_content_length:
if info.file_size > max_content_length:
raise zipfile.LargeZipFile
try:
alembic_version = json.loads(
backup.open("db/alembic_version.json").read())
alembic_version = alembic_version["results"][0]["version_num"]
except Exception:
raise Exception(
"Could not determine appropriate database version. This backup cannot be automatically imported."
)
# Check if the alembic version is from CTFd 1.x
if alembic_version in (
"1ec4a28fe0ff",
"2539d8b5082e",
"7e9efd084c5a",
"87733981ca0e",
"a4e30c94c360",
"c12d2a1b0926",
"c7225db614c1",
"cb3cfcc47e2f",
"cbf5620f8e15",
"d5a224bf5862",
"d6514ec92738",
"dab615389702",
"e62fd69bd417",
):
raise Exception(
"The version of CTFd that this backup is from is too old to be automatically imported."
)
if erase:
drop_database()
create_database()
# We explicitly do not want to upgrade or stamp here.
# The import will have this information.
side_db = dataset.connect(get_app_config("SQLALCHEMY_DATABASE_URI"))
sqlite = get_app_config("SQLALCHEMY_DATABASE_URI").startswith("sqlite")
postgres = get_app_config("SQLALCHEMY_DATABASE_URI").startswith("postgres")
try:
if postgres:
side_db.query("SET session_replication_role=replica;")
else:
side_db.query("SET FOREIGN_KEY_CHECKS=0;")
except Exception:
print("Failed to disable foreign key checks. Continuing.")
first = [
"db/teams.json",
"db/users.json",
"db/challenges.json",
"db/dynamic_challenge.json",
"db/flags.json",
"db/hints.json",
"db/unlocks.json",
"db/awards.json",
"db/tags.json",
"db/submissions.json",
"db/solves.json",
"db/files.json",
"db/notifications.json",
"db/pages.json",
"db/tracking.json",
"db/config.json",
]
for item in first:
if item in members:
members.remove(item)
members = first + members
upgrade(revision=alembic_version)
# Create tables created by plugins
try:
app.db.create_all()
except OperationalError as e:
if not postgres:
raise e
else:
print("Allowing error during app.db.create_all() due to Postgres")
members.remove("db/alembic_version.json")
for member in members:
if member.startswith("db/"):
table_name = member[3:-5]
try:
# Try to open a file but skip if it doesn't exist.
data = backup.open(member).read()
except KeyError:
continue
if data:
table = side_db[table_name]
saved = json.loads(data)
for entry in saved["results"]:
# This is a hack to get SQLite to properly accept datetime values from dataset
# See Issue #246
if sqlite:
for k, v in entry.items():
if isinstance(v, six.string_types):
match = re.match(
r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d",
v)
if match:
entry[k] = datetime.datetime.strptime(
v, "%Y-%m-%dT%H:%M:%S.%f")
continue
match = re.match(
r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", v)
if match:
entry[k] = datetime.datetime.strptime(
v, "%Y-%m-%dT%H:%M:%S")
continue
# From v2.0.0 to v2.1.0 requirements could have been a string or JSON because of a SQLAlchemy issue
# This is a hack to ensure we can still accept older exports. See #867
if member in (
"db/challenges.json",
"db/hints.json",
"db/awards.json",
):
requirements = entry.get("requirements")
if requirements and isinstance(requirements,
six.string_types):
entry["requirements"] = json.loads(requirements)
try:
table.insert(entry)
except ProgrammingError:
# MariaDB does not like JSON objects and prefers strings because it internally
# represents JSON with LONGTEXT.
# See Issue #973
requirements = entry.get("requirements")
if requirements and isinstance(requirements, dict):
entry["requirements"] = json.dumps(requirements)
table.insert(entry)
db.session.commit()
if postgres:
# This command is to set the next primary key ID for the re-inserted tables in Postgres. However,
# this command is very difficult to translate into SQLAlchemy code. Because Postgres is not
# officially supported, no major work will go into this functionality.
# https://stackoverflow.com/a/37972960
if '"' not in table_name and "'" not in table_name:
query = "SELECT setval(pg_get_serial_sequence('{table_name}', 'id'), coalesce(max(id)+1,1), false) FROM \"{table_name}\"".format( # nosec
table_name=table_name)
side_db.engine.execute(query)
else:
raise Exception(
"Table name {table_name} contains quotes".format(
table_name=table_name))
# Extracting files
files = [f for f in backup.namelist() if f.startswith("uploads/")]
uploader = get_uploader()
for f in files:
filename = f.split(os.sep, 1)
if len(filename
) < 2: # just an empty uploads directory (e.g. uploads/)
continue
filename = filename[
1] # Get the second entry in the list (the actual filename)
source = backup.open(f)
uploader.store(fileobj=source, filename=filename)
# Alembic sqlite support is lacking so we should just create_all anyway
try:
upgrade(revision="head")
except (OperationalError, CommandError, RuntimeError, SystemExit,
Exception):
app.db.create_all()
stamp_latest_revision()
try:
if postgres:
side_db.query("SET session_replication_role=DEFAULT;")
else:
side_db.query("SET FOREIGN_KEY_CHECKS=1;")
except Exception:
print("Failed to enable foreign key checks. Continuing.")
# Invalidate all cached data
cache.clear()
# Set default theme in case the current instance or the import does not provide it
set_config("ctf_theme", "core")
def setup():
if not config.is_setup():
if not session.get('nonce'):
session['nonce'] = generate_nonce()
if request.method == 'POST':
ctf_name = request.form['ctf_name']
set_config('ctf_name', ctf_name)
# CSS
set_config('start', '')
# Admin user
name = request.form['name']
email = request.form['email']
password = request.form['password']
admin = Admins(name=name,
email=email,
password=password,
type='admin',
hidden=True)
user_mode = request.form['user_mode']
set_config('user_mode', user_mode)
# Index page
index = """<div class="row">
<div class="col-md-6 offset-md-3">
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
<h3 class="text-center">
<p>A cool CTF platform from <a href="https://ctfd.io">ctfd.io</a></p>
<p>Follow us on social media:</p>
<a href="https://twitter.com/ctfdio"><i class="fab fa-twitter fa-2x" aria-hidden="true"></i></a>
<a href="https://facebook.com/ctfdio"><i class="fab fa-facebook fa-2x" aria-hidden="true"></i></a>
<a href="https://github.com/ctfd"><i class="fab fa-github fa-2x" aria-hidden="true"></i></a>
</h3>
<br>
<h4 class="text-center">
<a href="admin">Click here</a> to login and setup your CTF
</h4>
</div>
</div>""".format(request.script_root)
page = Pages(title=None, route='index', content=index, draft=False)
# Visibility
set_config('challenge_visibility', 'private')
set_config('registration_visibility', 'public')
set_config('score_visibility', 'public')
set_config('account_visibility', 'public')
# Start time
set_config('start', None)
set_config('end', None)
set_config('freeze', None)
# Verify emails
set_config('verify_emails', None)
set_config('mail_server', None)
set_config('mail_port', None)
set_config('mail_tls', None)
set_config('mail_ssl', None)
set_config('mail_username', None)
set_config('mail_password', None)
set_config('mail_useauth', None)
setup = set_config('setup', True)
try:
db.session.add(admin)
db.session.commit()
except IntegrityError:
db.session.rollback()
try:
db.session.add(page)
db.session.commit()
except IntegrityError:
db.session.rollback()
login_user(admin)
db.session.close()
app.setup = False
with app.app_context():
cache.clear()
return redirect(url_for('views.static_html'))
return render_template('setup.html', nonce=session.get('nonce'))
return redirect(url_for('views.static_html'))
