PatchWork AutoFix

docker-compose.yml

@@ -9,6 +9,9 @@ services:
       - POSTGRES_DB=postgres
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres
+    security_opt:
+      - "no-new-privileges:true"
+    read_only: true
   web:
     build: .
     image: pygoat/pygoat
@@ -20,10 +23,16 @@ services:
     depends_on:
       - migration
       - db
+    security_opt:
+      - "no-new-privileges:true"
+    read_only: true
   migration:
     image: pygoat/pygoat
     command: python pygoat/manage.py migrate --noinput
     volumes:
       - .:/app
     depends_on:
       - db
+    security_opt:
+      - "no-new-privileges:true"
+    read_only: true

introduction/apis.py

@@ -58,36 +58,44 @@ def ssrf_code_checker(request):
 
 @csrf_exempt
 # @authentication_decorator
+import os
+
 def log_function_checker(request):
     if request.method == 'POST':
         csrf_token = request.POST.get("csrfmiddlewaretoken")
         log_code = request.POST.get('log_code')
         api_code = request.POST.get('api_code')
+
+        # Sanitize user-controlled data before writing to files
+        log_code = log_code[:1000]  # Limit to 1000 characters
+        api_code = api_code[:1000]  # Limit to 1000 characters
+
         dirname = os.path.dirname(__file__)
         log_filename = os.path.join(dirname, "playground/A9/main.py")
         api_filename = os.path.join(dirname, "playground/A9/api.py")
-        f = open(log_filename,"w")
-        f.write(log_code)
-        f.close()
-        f = open(api_filename,"w")
-        f.write(api_code)
-        f.close()
+
+        with open(log_filename, "w") as f:
+            f.write(log_code)
+        with open(api_filename, "w") as f:
+            f.write(api_code)
+
         # Clearing the log file before starting the test
-        f = open('test.log', 'w')
-        f.write("")
-        f.close()
+        with open('test.log', 'w') as f:
+            f.write("")
+
         url = "http://127.0.0.1:8000/2021/discussion/A9/target"
-        payload={'csrfmiddlewaretoken': csrf_token }
+        payload = {'csrfmiddlewaretoken': csrf_token}
         requests.request("GET", url)
         requests.request("POST", url)
         requests.request("PATCH", url, data=payload)
         requests.request("DELETE", url)
-        f = open('test.log', 'r')
-        lines = f.readlines()
-        f.close()
-        return JsonResponse({"message":"success", "logs": lines},status = 200)
+
+        with open('test.log', 'r') as f:
+            lines = f.readlines()
+
+        return JsonResponse({"message": "success", "logs": lines}, status=200)
     else:
-        return JsonResponse({"message":"method not allowed"},status = 405)
+        return JsonResponse({"message": "method not allowed"}, status=405)
 
 #a7 codechecking api
 @csrf_exempt
@@ -123,16 +131,21 @@ def A6_disscussion_api(request):
         return JsonResponse({"message":"failure"},status = 400)
 
 @csrf_exempt
+import os
+
 def A6_disscussion_api_2(request):
     if request.method != 'POST':
-        return JsonResponse({"message":"method not allowed"},status = 405)
+        return JsonResponse({"message": "method not allowed"}, status=405)
     try:
         code = request.POST.get('code')
-        dirname = os.path.dirname(__file__)
-        filename = os.path.join(dirname, "playground/A6/utility.py")
-        f = open(filename,"w")
-        f.write(code)
-        f.close()
-    except:
-        return JsonResponse({"message":"missing code"},status = 400)
-    return JsonResponse({"message":"success"},status = 200)
+        if code:
+            dirname = os.path.dirname(__file__)
+            filename = os.path.join(dirname, "playground/A6/utility.py")
+            with open(filename, "w") as f:
+                f.write(code)
+        else:
+            return JsonResponse({"message": "missing code"}, status=400)
+    except Exception as e:
+        return JsonResponse({"message": "error occurred", "error": str(e)}, status=400)
+
+    return JsonResponse({"message": "success"}, status=200)

introduction/mitre.py

@@ -152,34 +152,45 @@ def mitre_top25(request):
         return render(request, 'mitre/mitre_top25.html')
 
 @authentication_decorator
+import hashlib
+import os
+import jwt
+from django.shortcuts import render, redirect
+from .models import CSRF_user_tbl
+
 def csrf_lab_login(request):
     if request.method == 'GET':
         return render(request, 'mitre/csrf_lab_login.html')
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
+        password = hashlib.scrypt(password.encode(), salt=os.urandom(16), n=2**14, r=8, p=1).hex()
         User = CSRF_user_tbl.objects.filter(username=username, password=password)
         if User:
             payload ={
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
+            jwt_secret = os.getenv('JWT_SECRET')
+            cookie = jwt.encode(payload, jwt_secret, algorithm='HS256')
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
             return response
-        else :
+        else:
             return redirect('/mitre/9/lab/login')
 
 @authentication_decorator
 @csrf_exempt
+import os
+
+SECRET_KEY = os.getenv('SECRET_KEY')
+
 def csrf_transfer_monei(request):
     if request.method == 'GET':
         try:
             cookie = request.COOKIES['auth_cookiee']
-            payload = jwt.decode(cookie, 'csrf_vulneribility', algorithms=['HS256'])
+            payload = jwt.decode(cookie, SECRET_KEY, algorithms=['HS256'])
             username = payload['username']
             User = CSRF_user_tbl.objects.filter(username=username)
             if not User:
@@ -188,10 +199,14 @@ def csrf_transfer_monei(request):
         except:
             return redirect('/mitre/9/lab/login')
 
+import os
+
+SECRET_KEY = os.getenv('SECRET_KEY', 'default_secret_key')
+
 def csrf_transfer_monei_api(request,recipent,amount):
     if request.method == "GET":
         cookie = request.COOKIES['auth_cookiee']
-        payload = jwt.decode(cookie, 'csrf_vulneribility', algorithms=['HS256'])
+        payload = jwt.decode(cookie, SECRET_KEY, algorithms=['HS256'])
         username = payload['username']
         User = CSRF_user_tbl.objects.filter(username=username)
         if not User:
@@ -212,10 +227,12 @@ def csrf_transfer_monei_api(request,recipent,amount):
 
 # @authentication_decorator
 @csrf_exempt
+import ast
+
 def mitre_lab_25_api(request):
     if request.method == "POST":
         expression = request.POST.get('expression')
-        result = eval(expression)
+        result = ast.literal_eval(expression)
         return JsonResponse({'result': result})
     else:
         return redirect('/mitre/25/lab/')
@@ -229,8 +246,10 @@ def mitre_lab_25(request):
 def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
 
+import subprocess
+
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
 
 

introduction/playground/A9/api.py

@@ -1,10 +1,6 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
-
 from .main import Log
 
-
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
@@ -30,4 +26,4 @@ def log_function_target(request):
         return JsonResponse({"message":"success", "method":"patch"},status = 200)
     if request.method == "UPDATE":
         return JsonResponse({"message":"success", "method":"update"},status = 200)
-    return JsonResponse({"message":"method not allowed"},status = 403)
+    return JsonResponse({"message":"method not allowed"},status = 403)

introduction/playground/A9/archive.py

@@ -4,7 +4,6 @@
 from .main import Log
 
 
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":

introduction/templates/Lab/A9/a9_lab.html

@@ -8,6 +8,7 @@
 <div class="jumbotron">
     <h4 style="text-align:center"> Yaml To Json Converter</h4>
     <form enctype="multipart/form-data" method="post" action="/a9_lab">
+        {% csrf_token %}
         <input type="file" name="file"><br>
         <br>
         <button class="btn btn-info" type="submit">Upload</button>
@@ -34,4 +35,4 @@ <h5>Here is your output:</h5><br>
 
 </p>
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/BrokenAccess/ba_lab.html

@@ -9,12 +9,10 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/ba_lab">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
-
-
         </form>
     </div>
 </div>
@@ -43,4 +41,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/BrokenAuth/otp.html

@@ -7,15 +7,15 @@
     <div class="container">
         <h5 align="center">Login Through Otp</h5><br>
         <form method="get" action="/otp">
+            {% csrf_token %}
             <input name="email" type="email" placeholder="[email protected]">
             <button class="btn btn-info" type="submit"> Send OTP</button>
-
         </form>
-
     </div>
 </div>
 <div class="container">
     <form method="post" action="/otp">
+        {% csrf_token %}
         <label for='enter'>Enter Your OTP:</label>
         <input id="enter" type="number" maxlength="3" name="otp"><br><br>
         <button class="btn btn-info" type="submit">Log in</button>
@@ -25,13 +25,9 @@ <h5 align="center">Login Through Otp</h5><br>
     {% if otp %}
     <h3 align="center">Your 3 Digit Verification Code:<code>{{otp}}</code></h3>
     {% endif %}
-
     {% if email %}
     <h3 align="center">Login Successful as user : <code>{{email}}</code></h3>
     {% endif %}
-
-
-
 </div>
 <!-- In case any issue with the code please mail the administrator through this mail id : "[email protected]" -->
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/CMD/cmd_lab.html

@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Name Server Lookup </h3>
         <form method="post" action="/cmd_lab">
+            {% csrf_token %}
             <input type="text" name="domain" placeholder="Enter Domain Here"><br><br>
             <input type="radio" id="linux" name="os" value="linux">
             <label for="linux">Linux</label>
@@ -33,4 +34,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/CMD/cmd_lab2.html

@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Evaluate any expression!</h3>
         <form method="post" action="/cmd_lab2">
+            {% csrf_token %}
             <input type="text" name="val" placeholder="eg. 7*7"><br><br>
             <center><button class="btn btn-info" type="submit">GO</button></center>
         </form>
@@ -29,4 +30,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/XSS/xss_lab_3.html

@@ -19,7 +19,7 @@ <h1>Welcome to XSS Challenge</h1>
 <p>{{code}}</p>
 <script>
     // LAB 3 JS CODE
-    {{code}}
+    {{code|escapejs}}
 </script>
 <br>
 <div align="right">

introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_1.html

@@ -9,12 +9,11 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/broken_access_lab_1">
+            {% csrf_token %}
 
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
-
-
         </form>
     </div>
 </div>
@@ -34,7 +33,6 @@ <h2><code>{{not_admin}}</code></h2>
     {% if no_creds %}
     <h2>Please Provide Credentials</h2>
     {% endif %}
-
 </div>
 
 <br>
@@ -43,4 +41,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab_2021/A1_BrokenAccessControl/broken_access_lab_2.html

@@ -9,6 +9,7 @@
     <h4 style="text-align:center"> Can you log in as an admin and get the secretkey?</h4>
     <div class="login">
         <form method="post" action="/broken_access_lab_2">
+            {% csrf_token %}
 
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
@@ -50,4 +51,4 @@ <h2>Please Provide Credentials</h2>
 <!--Admins don't use Browsers like Google Chrome or Firefox etc-->
 <!--Admins only use pygoat_admin browser-->
 
-{% endblock %}
+{% endblock %}