Patched: "/tmp/tmpt9k6l_9r/introduction/mitre.py"

patched.codes[bot] · patched.codes[bot] · commit a1c8ef6cfef0 · 2024-05-06T10:12:41.000Z
diff --git a/introduction/mitre.py b/introduction/mitre.py
@@ -1,4 +1,8 @@
 import datetime
+from django.core.exceptions import ImproperlyConfigured
+import ast
+import operator as op
+import shlex
 import re
 import subprocess
 from hashlib import md5
@@ -158,21 +162,32 @@ def csrf_lab_login(request):
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
+        # Use SHA-256 instead of MD5 for password hashing
+        password = sha256(password.encode()).hexdigest()
         User = CSRF_user_tbl.objects.filter(username=username, password=password)
         if User:
             payload ={
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
+            # Ensure the secret key is not hardcoded and is sufficiently random
+            secret_key = get_secret_key()
+            cookie = jwt.encode(payload, secret_key, algorithm='HS256')
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            # Set the 'secure' attribute for the cookie to ensure it's only sent over HTTPS
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True)
             return response
         else :
             return redirect('/mitre/9/lab/login')
 
+def get_secret_key():
+    # Retrieve the secret key from a secure configuration or environment variable
+    secret_key = os.environ.get('JWT_SECRET_KEY')
+    if not secret_key:
+        raise ImproperlyConfigured('Missing secret key for JWT encoding')
+    return secret_key
+
 @authentication_decorator
 @csrf_exempt
 def csrf_transfer_monei(request):
@@ -209,14 +224,46 @@ def csrf_transfer_monei_api(request,recipent,amount):
     else:
         return redirect ('/mitre/9/lab/transaction')
 
-
 # @authentication_decorator
 @csrf_exempt
 def mitre_lab_25_api(request):
     if request.method == "POST":
         expression = request.POST.get('expression')
-        result = eval(expression)
-        return JsonResponse({'result': result})
+
+        # Define supported operators
+        allowed_operators = {ast.Add: op.add, ast.Sub: op.sub, ast.Mult: op.mul,
+                             ast.Div: op.truediv, ast.Pow: op.pow, ast.BitXor: op.xor,
+                             ast.USub: op.neg}
+
+        def eval_expr(expr):
+            """
+            Safely evaluate an arithmetic expression using ast module
+            """
+            try:
+                parsed_expr = ast.parse(expr, mode='eval').body
+                return eval_(parsed_expr)
+            except (ValueError, SyntaxError):
+                raise ValueError("Invalid input")
+
+        def eval_(node):
+            if isinstance(node, ast.Num):  # <number>
+                return node.n
+            elif isinstance(node, ast.BinOp):  # <left> <operator> <right>
+                if type(node.op) not in allowed_operators:
+                    raise ValueError("Unsupported operator")
+                return allowed_operators[type(node.op)](eval_(node.left), eval_(node.right))
+            elif isinstance(node, ast.UnaryOp):  # <operator> <operand> e.g., -1
+                if type(node.op) not in allowed_operators:
+                    raise ValueError("Unsupported operator")
+                return allowed_operators[type(node.op)](eval_(node.operand))
+            else:
+                raise TypeError("Unsupported type")
+
+        try:
+            result = eval_expr(expression)
+            return JsonResponse({'result': result})
+        except ValueError as e:
+            return JsonResponse({'error': str(e)}, status=400)
     else:
         return redirect('/mitre/25/lab/')
 
@@ -230,9 +277,9 @@ def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
 
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    safe_command = shlex.split(command)
+    process = subprocess.Popen(safe_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
-    
 
 @csrf_exempt
 def mitre_lab_17_api(request):
