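def generate_user_token(user, expiration=None):
    """Create, persist and return a new ``UserTokens`` row for *user*.

    Args:
        user: the owning user; only ``user.id`` is read.
        expiration: optional expiry value stored verbatim on the token.

    Returns:
        The committed ``UserTokens`` instance.
    """
    # Draw random token values until one does not collide with an existing
    # row. The value that passed this check is the one that must be stored:
    # the previous implementation generated a second, unchecked value for the
    # row, which silently defeated the uniqueness loop.
    while True:
        value = hexencode(os.urandom(32))
        if UserTokens.query.filter_by(value=value).first() is None:
            break
    token = UserTokens(user_id=user.id, expiration=expiration, value=value)
    db.session.add(token)
    db.session.commit()
    return token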
def test_hexencode():
    """hexencode(string.printable) must equal the known hex digest.

    On Python 3 the encoder returns bytes, so the expected value is encoded
    before comparison.
    """
    expected = (
        '303132333435363738396162636465666768696a6b6c6d6e6f7071727374757677'
        '78797a4142434445464748494a4b4c4d4e4f505152535455565758595a21222324'
        '25262728292a2b2c2d2e2f3a3b3c3d3e3f405b5c5d5e5f607b7c7d7e20090a0d0b0c'
    )
    if six.PY3:
        expected = expected.encode('utf-8')
    actual = hexencode(string.printable)
    assert actual == expected
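def upload(self, file_obj, filename):
    """Store *file_obj* under a random hex directory with a sanitized name.

    Args:
        file_obj: file-like object handed through to ``self.store``.
        filename: client-supplied name; passed through ``secure_filename``.

    Returns:
        Whatever ``self.store`` returns for the stored path.

    Raises:
        Exception: if *filename* is empty, or becomes empty after sanitization.
    """
    if len(filename) == 0:
        raise Exception("Empty filenames cannot be used")
    filename = secure_filename(filename)
    # secure_filename() strips separators and dot-only components, so a
    # degenerate or hostile name can sanitize to an empty string. Checking
    # only the raw input would then store the object at "<hash>/".
    if not filename:
        raise Exception("Empty filenames cannot be used")
    # Random per-upload prefix: same-named uploads never collide and the
    # stored path is not guessable from the filename alone.
    md5hash = hexencode(os.urandom(16)).decode("utf-8")
    file_path = os.path.join(md5hash, filename)
    return self.store(file_obj, file_path)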
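def upload(self, file_obj, filename):
    """Sanitize *filename* and store *file_obj* under a random hex prefix.

    Args:
        file_obj: file-like object handed through to ``self.store``.
        filename: client-supplied name; run through ``secure_filename``,
            spaces replaced by underscores, then filtered character by
            character with ``self._clean_filename``.

    Returns:
        The result of ``self.store``, or ``False`` if no usable characters
        remain after sanitization.
    """
    cleaned = secure_filename(filename).replace(" ", "_")
    filename = "".join(filter(self._clean_filename, cleaned))
    if len(filename) <= 0:
        return False
    # hexencode() returns bytes on Python 3; decode so the str concatenation
    # below does not raise TypeError.
    md5hash = hexencode(os.urandom(16)).decode("utf-8")
    dst = md5hash + "/" + filename
    return self.store(file_obj, dst)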
def upload(self, file_obj, filename):
    """Upload *file_obj* to the S3 bucket under a random hex prefix.

    The name is sanitized with ``secure_filename``, spaces become
    underscores, and characters rejected by ``self._clean_filename`` are
    dropped. Returns the resulting object key, or ``False`` when nothing
    usable is left of the name.
    """
    sanitized = secure_filename(filename).replace(" ", "_")
    kept = [ch for ch in sanitized if self._clean_filename(ch)]
    if not kept:
        return False
    prefix = hexencode(os.urandom(16)).decode("utf-8")
    dst = "/".join((prefix, "".join(kept)))
    self.s3.upload_fileobj(file_obj, self.bucket, dst)
    return dst
def upload(self, file_obj, filename):
    """Upload *file_obj* to the configured S3 bucket under a random hex folder.

    *filename* goes through ``secure_filename``, spaces are turned into
    underscores and every character ``self._clean_filename`` rejects is
    removed. Returns the object key, or ``False`` if the name is empty after
    cleaning.
    """
    base = secure_filename(filename).replace(' ', '_')
    name = ''.join(filter(self._clean_filename, base))
    if len(name) == 0:
        return False
    folder = hexencode(os.urandom(16)).decode('utf-8')
    key = folder + '/' + name
    self.s3.upload_fileobj(file_obj, self.bucket, key)
    return key
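def test_user_can_access_files_if_view_after_ctf():
    """Challenge files are blocked after the CTF ends unless view_after_ctf is set.

    Creates a challenge with one on-disk file, freezes time past the
    configured end, and checks: 403 by default, 200 once ``view_after_ctf``
    is enabled, and 200 for an unauthenticated client in that state too.
    """
    app = create_ctfd()
    with app.app_context():
        from CTFd.utils.uploads import rmdir

        chal = gen_challenge(app.db)
        chal_id = chal.id
        path = app.config.get("UPLOAD_FOLDER")
        # hexencode() returns bytes on Python 3; decode so os.path.join()
        # below receives str components instead of raising TypeError.
        md5hash = hexencode(os.urandom(16)).decode("utf-8")
        location = os.path.join(path, md5hash, "test.txt")
        directory = os.path.dirname(location)
        # Path as stored in the Files model: relative to the upload folder.
        model_path = os.path.join(md5hash, "test.txt")
        try:
            os.makedirs(directory)
            with open(location, "wb") as obj:
                obj.write("testing file load".encode())
            gen_file(app.db, location=model_path, challenge_id=chal_id)
            register_user(app)
            with login_as_user(app) as client:
                req = client.get("/api/v1/challenges/1")
                data = req.get_json()
                file_url = data["data"]["files"][0]
                # After ctf end
                with freeze_time("2017-10-7"):
                    # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
                    set_config("end", "1507262400")
                    r = client.get(file_url)
                    assert r.status_code == 403
                    assert r.get_data(as_text=True) != "testing file load"
                    set_config("view_after_ctf", True)
                    r = client.get(file_url)
                    assert r.status_code == 200
                    assert r.get_data(as_text=True) == "testing file load"
                    # Unauthed users should be able to download if view_after_ctf
                    client = app.test_client()
                    r = client.get(file_url)
                    assert r.status_code == 200
                    assert r.get_data(as_text=True) == "testing file load"
        finally:
            # Always remove the temp upload directory, even on assertion failure.
            rmdir(directory)
    destroy_ctfd(app)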
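def upload_file(commitList, TYPE, filename, challenge_id=None):
    """Copy ``OCD/<filename>`` into a fresh random folder under /var/uploads.

    Args:
        commitList: list of pending ORM objects; a ``Files`` row is appended.
        TYPE: file type passed straight through to ``Files``.
        filename: path under the ``OCD/`` directory; only the part after the
            last ``/`` is kept for the stored name.
        challenge_id: optional challenge the file belongs to.

    Returns:
        The stored location relative to the uploads root
        (``<hexfolder>/<secure name>``).

    Raises:
        ValueError: if nothing usable remains of the name after sanitization.
    """
    secFilename = secure_filename(filename[filename.rfind('/') + 1:])
    # secure_filename() can return "" for dot-only or separator-only names;
    # without this check the copy below would target the folder itself.
    if not secFilename:
        raise ValueError("Empty filenames cannot be used")
    # hexencode() returns bytes on Python 3; decode so posixpath.join() works.
    fileFolder = hexencode(os.urandom(16)).decode('utf-8')
    folderPath = posixpath.join('/', 'var', 'uploads', fileFolder)
    filePath = posixpath.join(folderPath, secFilename)
    fileLocation = posixpath.join(fileFolder, secFilename)
    # Make folder to contain file (random per upload, so collisions are
    # effectively unreachable; makedirs raises if it somehow exists).
    os.makedirs(folderPath)
    # Copy file into folder.
    # NOTE(review): the raw *filename* is used to locate the source under
    # OCD/; confirm callers never pass user-controlled paths here.
    shutil.copyfile('OCD/' + filename, filePath)
    # Add file to queries
    commitList.append(Files(TYPE, fileLocation, challenge_id))
    # Return path to file
    return fileLocation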
def generate_nonce():
    """Return a fresh random nonce: 32 bytes from os.urandom, hex-encoded as text."""
    raw = os.urandom(32)
    encoded = hexencode(raw)
    return encoded.decode('utf-8')
def test_user_can_access_files_with_auth_token():
    """Challenge files are served only via the tokenized URL and only while visible.

    Sets up a challenge with one on-disk file, then checks that the bare
    file path and a bogus token are rejected (403), the API-provided tokenized
    URL works (200), and that the tokenized URL is still refused for
    non-admins when the CTF is admins-only, not yet started, or already
    ended. Admins keep access in every state.
    """
    app = create_ctfd()
    with app.app_context():
        from CTFd.utils.uploads import rmdir

        chal = gen_challenge(app.db)
        chal_id = chal.id
        path = app.config.get("UPLOAD_FOLDER")
        # Random folder so the test file cannot clash with other fixtures.
        md5hash = hexencode(os.urandom(16)).decode("utf-8")
        location = os.path.join(path, md5hash, "test.txt")
        directory = os.path.dirname(location)
        # Path as stored in the Files model: relative to the upload folder.
        model_path = os.path.join(md5hash, "test.txt")
        try:
            os.makedirs(directory)
            with open(location, "wb") as obj:
                obj.write("testing file load".encode())
            gen_file(app.db, location=model_path, challenge_id=chal_id)
            # Untokenized URL; must never serve the file on its own.
            url = url_for("views.files", path=model_path)
            register_user(app)
            with login_as_user(app) as client:
                req = client.get("/api/v1/challenges/1")
                data = req.get_json()
                # The API hands out the file URL including its access token.
                file_url = data["data"]["files"][0]
            with app.test_client() as client:
                # No token at all -> rejected.
                r = client.get(url)
                assert r.status_code == 403
                assert r.get_data(as_text=True) != "testing file load"
                # Wrong token -> rejected.
                r = client.get(
                    url_for(
                        "views.files",
                        path=model_path,
                        token="random_token_that_shouldnt_work",
                    )
                )
                assert r.status_code == 403
                assert r.get_data(as_text=True) != "testing file load"
                # Genuine tokenized URL -> served.
                r = client.get(file_url)
                assert r.status_code == 200
                assert r.get_data(as_text=True) == "testing file load"
                # Unauthed users shouldn't be able to see files if the CTF is admins only
                set_config("challenge_visibility", "admins")
                r = client.get(file_url)
                assert r.status_code == 403
                assert r.get_data(as_text=True) != "testing file load"
                set_config("challenge_visibility", "private")
                with freeze_time("2017-10-5"):
                    # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
                    set_config("start", "1507262400")
                    # Unauthed users shouldn't be able to see files if the CTF hasn't started
                    r = client.get(file_url)
                    assert r.status_code == 403
                    assert r.get_data(as_text=True) != "testing file load"
                with freeze_time("2017-10-5"):
                    # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
                    set_config("start", "1507262400")
                    for v in ("public", "private"):
                        set_config("challenge_visibility", v)
                        # Unauthed users shouldn't be able to see files if the CTF hasn't started
                        client = app.test_client()
                        r = client.get(file_url)
                        assert r.status_code == 403
                        assert r.get_data(as_text=True) != "testing file load"
                        # Authed users shouldn't be able to see files if the CTF hasn't started
                        client = login_as_user(app)
                        r = client.get(file_url)
                        assert r.status_code == 403
                        assert r.get_data(as_text=True) != "testing file load"
                        # Admins should be able to see files if the CTF hasn't started
                        admin = login_as_user(app, "admin")
                        r = admin.get(file_url)
                        assert r.status_code == 200
                        assert r.get_data(as_text=True) == "testing file load"
                with freeze_time("2017-10-7"):
                    # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
                    set_config("end", "1507262400")
                    for v in ("public", "private"):
                        set_config("challenge_visibility", v)
                        # Unauthed users shouldn't be able to see files if the CTF has ended
                        client = app.test_client()
                        r = client.get(file_url)
                        assert r.status_code == 403
                        assert r.get_data(as_text=True) != "testing file load"
                        # Authed users shouldn't be able to see files if the CTF has ended
                        client = login_as_user(app)
                        r = client.get(file_url)
                        assert r.status_code == 403
                        assert r.get_data(as_text=True) != "testing file load"
                        # Admins should be able to see files if the CTF has ended
                        admin = login_as_user(app, "admin")
                        r = admin.get(file_url)
                        assert r.status_code == 200
                        assert r.get_data(as_text=True) == "testing file load"
        finally:
            # Always remove the temp upload directory, even on assertion failure.
            rmdir(directory)
    destroy_ctfd(app)
def test_user_can_access_files_with_auth_token():
    """Challenge files are served only via the tokenized URL and only while visible.

    Sets up a challenge with one on-disk file, then checks that the bare
    file path and a bogus token are rejected (403), that the API-provided
    tokenized URL works (200), and that the tokenized URL is refused again
    when the CTF is admins-only or has ended.
    """
    app = create_ctfd()
    with app.app_context():
        from CTFd.utils.uploads import rmdir

        chal = gen_challenge(app.db)
        chal_id = chal.id
        path = app.config.get('UPLOAD_FOLDER')
        # Random folder so the test file cannot clash with other fixtures.
        md5hash = hexencode(os.urandom(16)).decode('utf-8')
        location = os.path.join(path, md5hash, 'test.txt')
        directory = os.path.dirname(location)
        # Path as stored in the Files model: relative to the upload folder.
        model_path = os.path.join(md5hash, 'test.txt')
        try:
            os.makedirs(directory)
            with open(location, 'wb') as obj:
                obj.write('testing file load'.encode())
            gen_file(app.db, location=model_path, challenge_id=chal_id)
            # Untokenized URL; must never serve the file on its own.
            url = url_for('views.files', path=model_path)
            register_user(app)
            with login_as_user(app) as client:
                req = client.get('/api/v1/challenges/1')
                data = req.get_json()
                # The API hands out the file URL including its access token.
                file_url = data['data']['files'][0]
            with app.test_client() as client:
                # No token at all -> rejected.
                r = client.get(url)
                assert r.status_code == 403
                assert r.get_data(as_text=True) != 'testing file load'
                # Wrong token -> rejected.
                r = client.get(
                    url_for('views.files', path=model_path, token="random_token_that_shouldnt_work"))
                assert r.status_code == 403
                assert r.get_data(as_text=True) != 'testing file load'
                # Genuine tokenized URL -> served.
                r = client.get(file_url)
                assert r.status_code == 200
                assert r.get_data(as_text=True) == 'testing file load'
                # Unauthed users shouldn't be able to see files if the CTF is admins only
                set_config('challenge_visibility', 'admins')
                r = client.get(file_url)
                assert r.status_code == 403
                assert r.get_data(as_text=True) != 'testing file load'
                set_config('challenge_visibility', 'private')
                with freeze_time("2017-10-7"):
                    set_config(
                        'end', '1507262400'
                    )  # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
                    # Unauthed users shouldn't be able to see files if the CTF has ended
                    # (frozen time is one day past the configured end).
                    r = client.get(file_url)
                    assert r.status_code == 403
                    assert r.get_data(as_text=True) != 'testing file load'
        finally:
            # Always remove the temp upload directory, even on assertion failure.
            rmdir(directory)
    destroy_ctfd(app)
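def generate_nonce():
    """Return a fresh random nonce: 32 bytes from os.urandom, hex-encoded as text.

    hexencode() returns bytes on Python 3, so the result is decoded to str
    to make the nonce usable in templates and string comparisons on both
    Python 2 and 3 (on Python 2 ``str.decode`` simply yields unicode).
    """
    return hexencode(os.urandom(32)).decode('utf-8')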