def test_get_vulnweb_evidence(vulnerability_web_factory, depotfile, session):
# Use vuln web to ensure its parent is a service and not a host
all_vulns = vulnerability_web_factory.create_batch(10)
session.commit()
vuln = all_vulns[0]
correct_file = File(filename='faraday.png',
object_id=vuln.id,
object_type='vulnerability',
content=depotfile)
session.add(
File(filename='faraday.png',
object_id=vuln.service_id,
object_type='service',
content=depotfile))
session.add(correct_file)
for other_vuln in all_vulns[1:]:
session.add(
File(filename='faraday.png',
object_id=other_vuln.id,
object_type='vulnerability',
content=depotfile))
session.add(
File(filename='faraday.png',
object_id=other_vuln.service_id,
object_type='service',
content=depotfile))
session.commit()
assert vuln.evidence == [correct_file]
def upload_file():
if request.method == 'POST' and 'file' in request.files:
f = request.files.get('file')
#filename = rename_image(f.filename)
filename = f.filename
print("filename:", filename)
f.save(os.path.join(current_app.config['ABE_UPLOAD_PATH'], filename))
ext = os.path.splitext(filename)[1]
if ext != ".jpg" and ext != ".png":
print("not image")
file = File(filename=filename,
author=current_user._get_current_object()
# timestamp = fake.date_time_this_year()
)
db.session.add(file)
db.session.commit()
else:
filename_s = resize_image(
f, filename, current_app.config['ABE_PHOTO_SIZE']['small'])
filename_m = resize_image(
f, filename, current_app.config['ABE_PHOTO_SIZE']['medium'])
photo = Photo(filename=filename,
filename_s=filename_s,
filename_m=filename_m,
author=current_user._get_current_object())
db.session.add(photo)
db.session.commit()
print("test, inter uplaod file, type f is :", type(f))
return render_template('main/upload.html')
def test_add_vulnweb_evidence(vulnerability_web, depotfile, session):
session.commit()
file_ = File(filename='faraday.png', content=depotfile)
vulnerability_web.evidence.append(file_)
session.commit()
assert len(vulnerability_web.evidence) == 1
assert vulnerability_web.evidence[0].object_type == 'vulnerability'
assert vulnerability_web.evidence[0].object_id == vulnerability_web.id
def fake_file(count=10):
# photos
upload_path = current_app.config['ABE_UPLOAD_PATH']
i = random.randint(1, count)
filename = 'random_%d.txt' % i
file = File(description=fake.text(),
filename=filename,
author=User.query.get(random.randint(1, User.query.count())),
timestamp=fake.date_time_this_year())
db.session.add(file)
print("add file ok.")
db.session.commit()
async def get_file_by_id_or_filename(self, id_or_filename):
query = "SELECT * FROM files WHERE id=$1 OR filename=$1;"
record = await self.pool.fetchrow(query, id_or_filename)
if not record:
return None
return File(
id=record["id"],
filename=record["filename"],
user_id=record["user_id"],
views=record["views"],
uploaded_at=record["uploaded_at"],
state=self.app,
)
async def get_files(self, *, user_id=None):
if user_id:
query = "SELECT * FROM files WHERE user_id=$1 ORDER BY uploaded_at DESC;"
records = await self.pool.fetch(query, user_id)
else:
query = "SELECT * FROM files ORDER BY uploaded_at DESC;"
records = await self.pool.fetch(query)
if not records:
return []
return [
File(
id=record["id"],
filename=record["filename"],
user_id=record["user_id"],
views=record["views"],
uploaded_at=record["uploaded_at"],
state=self.app,
) for record in records
]
def get_or_create_file(data):
auth_token = data.get('auth_token')
user = User.query.filter_by(user_id=get_user_by_auth_token(auth_token)).first()
sample = get_or_create_sample(data.get('sample_name'), user.user_id)
access = Access.query.filter_by(auth_token=auth_token).first()
file = File.query.filter_by(identifier=data.get('identifier')).first()
if not file:
file = File()
file.identifier = data.get('identifier')
file.filename = data.get('filename')
file.total_size = data.get('total_size')
file.file_type = data.get('file_type')
file.user_id = user.user_id
file.access_id = access.id
file.readset = data.get('readset')
file.platform = data.get('platform')
file.run_type = data.get('run_type')
file.capture_kit = data.get('capture_kit')
file.library = data.get('library')
file.reference = data.get('reference')
file.upload_status = 'ongoing'
file.upload_start_date = dt.datetime.today()
file.is_archived = 0
# Attach the file to this sample and access objects
sample.files.append(file)
access.files.append(file)
db.session.add(file)
db.session.commit()
return file
def file_upload():
'''
파일 업로드
upload file path
:원본 파일: server/uploads/<projName>/origin/<filename>
:비교 파일: server/uploads/<projName>/compare/<filename>
'''
global origin_file
global comp_file
if not session['projID'] or session['projID'] is None:
return redirect(url_for('dashboard'))
else:
projID = session['projID']
project = Project.query.get(projID)
projName = project.projName
if request.method == 'POST':
post_type = request.form.get('post_type')
if not post_type:
file = request.files['file']
if file and allowed_file(file.filename):
filename = secure_filename(file.filename)
file_type = request.form.get('file_type')
if file_type == "origin_file":
if not os.path.exists(
join(app.config['UPLOAD_FOLDER'], projID,
'origin')):
os.makedirs(
join(app.config['UPLOAD_FOLDER'], projID,
'origin'))
file.save(
join(app.config['UPLOAD_FOLDER'], projID, 'origin',
filename))
origin_file = join(app.config['UPLOAD_FOLDER'], projID,
'origin', filename)
elif file_type == "compare_file":
if not os.path.exists(
join(app.config['UPLOAD_FOLDER'], projID,
'compare')):
os.makedirs(
join(app.config['UPLOAD_FOLDER'], projID,
'compare'))
file.save(
join(app.config['UPLOAD_FOLDER'], projID,
'compare', filename))
# comp_file = zipfile.ZipFile(os.path.join(app.config['UPLOAD_FOLDER'], projName, 'compare', filename))
comp_file = join(app.config['UPLOAD_FOLDER'], projID,
'compare', filename)
else:
print("upload type error", file=sys.stderr)
else:
print("only zip file", file=sys.stderr)
elif post_type == 'file_upload':
if not origin_file or not comp_file:
# file miss
print("no file", file=sys.stderr)
pass
else:
origin_file = zipfile.ZipFile(origin_file)
comp_file = zipfile.ZipFile(comp_file)
origin_file.extractall(
join(app.config['UPLOAD_FOLDER'], projID, 'origin',
'files'))
comp_file.extractall(
join(app.config['UPLOAD_FOLDER'], projID, 'compare',
'files'))
origin_path = join(app.config['UPLOAD_FOLDER'], projID,
'origin', 'files')
comp_path = join(app.config['UPLOAD_FOLDER'], projID,
'compare', 'files')
file_data = File(origin_path, comp_path)
if not File.query.filter(
File.originPath == origin_path).filter(
File.compPath == comp_path).first():
db.session.add(file_data)
db.session.commit()
file_data = File.query.filter(
File.originPath == origin_path).first()
project.fileNum = file_data.fileID
db.session.commit()
return redirect(url_for('tuple'))
else:
pass
else:
pass
return render_template('/file_upload.html',
projName=projName,
origin_file=origin_file,
comp_file=comp_file)
def get_or_create_file(data):
auth_token = data.get('auth_token')
user = User.query.filter_by(
user_id=get_user_by_auth_token(auth_token)).first()
sample = get_or_create_sample(data.get('sample_name'), user.user_id)
access = Access.query.filter_by(auth_token=auth_token).first()
file = File.query.filter_by(identifier=data.get('identifier')).first()
if not file:
file = File()
file.identifier = data.get('identifier')
file.filename = data.get('filename')
file.total_size = data.get('total_size')
file.file_type = data.get('file_type')
file.user_id = user.user_id
file.access_id = access.id
file.readset = data.get('readset')
file.platform = data.get('platform')
file.run_type = data.get('run_type')
file.capture_kit = data.get('capture_kit')
file.library = data.get('library')
file.reference = data.get('reference')
file.upload_status = 'ongoing'
file.upload_start_date = dt.datetime.today()
file.is_archived = 0
# Attach the file to this sample and access objects
sample.files.append(file)
access.files.append(file)
db.session.add(file)
db.session.commit()
return file
def populate(self, workspace, service, session, user,
vulnerability_factory, credential_factory,
empty_command_factory):
session.commit()
self.session = session
assert service.workspace_id == workspace.id
workspace.set_scope(['*.infobytesec.com', '192.168.1.0/24'])
self.user = user
self.workspace = workspace
self.permission = WorkspacePermission(user=user, workspace=workspace)
session.add(self.permission)
self.host = service.host
self.host.set_hostnames(['a.com', 'b.com'])
self.service = service
self.host_cred = credential_factory.create(
host=self.host,
service=None,
workspace=workspace,
creator=user,
)
self.service_cred = credential_factory.create(
host=None,
service=service,
workspace=workspace,
creator=user,
)
self.host_vuln = vulnerability_factory.create(
host=self.host,
service=None,
workspace=workspace,
creator=user,
)
self.service_vuln = vulnerability_factory.create(
host=None,
service=service,
workspace=workspace,
creator=user,
)
session.flush()
for vuln in [self.host_vuln, self.service_vuln]:
vuln.references = ['CVE-1234', 'CVE-4331']
vuln.policy_violations = ["PCI-DSS"]
self.attachment = File(
name='test.png',
filename='test.png',
content='test',
object_type='vulnerability',
object_id=self.service_vuln.id,
creator=user,
)
self.session.add(self.attachment)
self.host_attachment = File(
name='test.png',
filename='test.png',
content='test',
object_type='host',
object_id=self.host.id,
creator=user,
)
self.session.add(self.host_attachment)
self.comment = Comment(
text="test",
object_type='host',
object_id=self.host.id,
workspace=self.workspace,
creator=user,
)
self.session.add(self.comment)
self.reply_comment = Comment(
text="ok",
object_type='host',
object_id=self.host.id,
workspace=self.workspace,
reply_to=self.comment,
creator=user,
)
self.command = empty_command_factory.create(workspace=workspace,
creator=user)
CommandObject.create(self.host_vuln, self.command)
CommandObject.create(self.service_vuln, self.command)
self.methodology_template = MethodologyTemplate(name="test", )
session.add(self.methodology_template)
self.methodology_template_task = TaskTemplate(
name="aaaa", template=self.methodology_template)
session.add(self.methodology_template)
self.methodology = Methodology(name="test",
template=self.methodology_template,
workspace=self.workspace)
session.add(self.methodology)
self.methodology_task = Task(name="aaaa",
workspace=self.workspace,
template=self.methodology_template_task,
methodology=self.methodology)
session.add(self.methodology_template_task)
self.methodology_task_assigned = TaskAssignedTo(
task=self.methodology_task,
user=self.user,
)
session.add(self.methodology_task_assigned)
session.commit()
def post(self, request):
bodyUnicode = request.body.decode('utf-8')
jsonRequestData = json.loads(bodyUnicode)
fileName = jsonRequestData.get("name", "")
fileContent = jsonRequestData.get("content", "")
username = jsonRequestData.get("username", "")
password = jsonRequestData.get("password", "")
# Check user authentication
user = authenticate(username=username, password=password)
if (user is None):
return JsonResponse({
"status":
"error",
"message":
"Autenticação falhou. Utilizador ou password errados."
})
file = File()
file.setName(fileName)
file.setContent(fileContent)
file.setOwner(user)
try:
file.save()
except Exception as ex:
return JsonResponse({
'status':
"error",
"message":
"Ocorreu um erro ao criar o ficheiro. " + str(ex)
})
return JsonResponse({
'status': "success",
'file': {
'id': file.getId(),
'name': file.getName(),
'owner': file.getOwner().getId(),
"corrupted": file.isCorrupted(),
'permissions': {
'read': True,
'write': True,
},
}
})