Patched introduction/mitre.py

patched.codes[bot] · patched.codes[bot] · commit 4395e7e3524f · 2024-05-28T16:43:11.000+08:00
diff --git a/introduction/mitre.py b/introduction/mitre.py
@@ -150,6 +150,13 @@ def mitre_top24(request):
 def mitre_top25(request):
     if request.method == 'GET':
         return render(request, 'mitre/mitre_top25.html')
+import os
+import hashlib
+import secrets
+from django.shortcuts import render, redirect
+import jwt
+from .models import CSRF_user_tbl
+from datetime import datetime, timedelta
 
 @authentication_decorator
 def csrf_lab_login(request):
@@ -158,23 +165,33 @@ def csrf_lab_login(request):
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
-        User = CSRF_user_tbl.objects.filter(username=username, password=password)
+        salt = secrets.token_bytes(16)
+        password_hash = hashlib.scrypt(password.encode(), salt=salt, n=16384, r=8, p=1)
+        User = CSRF_user_tbl.objects.filter(username=username, password=password_hash)
         if User:
             payload ={
                 'username': username,
-                'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
-                'iat': datetime.datetime.utcnow()
+                'exp': datetime.utcnow() + timedelta(seconds=300),
+                'iat': datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
+            jwt_secret = os.environ.get('JWT_SECRET')
+            if not jwt_secret:
+                raise ValueError("JWT_SECRET environment variable not set")
+            cookie = jwt.encode(payload, jwt_secret, algorithm='HS256')
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
             return response
         else :
             return redirect('/mitre/9/lab/login')
+from django.shortcuts import render, redirect
+from django.views.decorators.csrf import ensure_csrf_cookie
+from .models import CSRF_user_tbl
+import jwt
+from .auth import authentication_decorator
+
 
 @authentication_decorator
-@csrf_exempt
+@ensure_csrf_cookie
 def csrf_transfer_monei(request):
     if request.method == 'GET':
         try:
@@ -188,6 +205,7 @@ def csrf_transfer_monei(request):
         except:
             return redirect('/mitre/9/lab/login')
 
+
 def csrf_transfer_monei_api(request,recipent,amount):
     if request.method == "GET":
         cookie = request.COOKIES['auth_cookiee']
