PatchWork AutoFix

docker-compose.yml

@@ -9,6 +9,9 @@ services:
       - POSTGRES_DB=postgres
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
   web:
     build: .
     image: pygoat/pygoat
@@ -20,10 +23,16 @@ services:
     depends_on:
       - migration
       - db
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
   migration:
     image: pygoat/pygoat
     command: python pygoat/manage.py migrate --noinput
     volumes:
       - .:/app
     depends_on:
       - db
+    security_opt:
+      - no-new-privileges:true
+    read_only: true

introduction/apis.py

@@ -52,12 +52,6 @@ def ssrf_code_checker(request):
             return JsonResponse({'message':'method not allowed'},status = 405)
     else:
         return JsonResponse({'message':'UnAuthenticated User'},status = 401)
-
-# Insufficient Logging & Monitoring
-
-
-@csrf_exempt
-# @authentication_decorator
 def log_function_checker(request):
     if request.method == 'POST':
         csrf_token = request.POST.get("csrfmiddlewaretoken")
@@ -66,31 +60,28 @@ def log_function_checker(request):
         dirname = os.path.dirname(__file__)
         log_filename = os.path.join(dirname, "playground/A9/main.py")
         api_filename = os.path.join(dirname, "playground/A9/api.py")
-        f = open(log_filename,"w")
-        f.write(log_code)
-        f.close()
-        f = open(api_filename,"w")
-        f.write(api_code)
-        f.close()
+        with open(log_filename,"w") as f:
+            f.write(escape(log_code))
+        with open(api_filename,"w") as f:
+            f.write(escape(api_code))
         # Clearing the log file before starting the test
-        f = open('test.log', 'w')
-        f.write("")
-        f.close()
+        with open('test.log', 'w') as f:
+            f.write("")
         url = "http://127.0.0.1:8000/2021/discussion/A9/target"
         payload={'csrfmiddlewaretoken': csrf_token }
         requests.request("GET", url)
         requests.request("POST", url)
         requests.request("PATCH", url, data=payload)
         requests.request("DELETE", url)
-        f = open('test.log', 'r')
-        lines = f.readlines()
-        f.close()
+        with open('test.log', 'r') as f:
+            lines = f.readlines()
         return JsonResponse({"message":"success", "logs": lines},status = 200)
     else:
         return JsonResponse({"message":"method not allowed"},status = 405)
 
+def escape(s):
+    return s.replace("\\", "\\\\").replace('/', '\\/')
 #a7 codechecking api
-@csrf_exempt
 def A7_disscussion_api(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
@@ -107,9 +98,7 @@ def A7_disscussion_api(request):
         return JsonResponse({"message":"success"},status = 200)
 
     return JsonResponse({"message":"failure"},status = 400)
-
 #a6 codechecking api
-@csrf_exempt
 def A6_disscussion_api(request):
     test_bench = ["Pillow==8.0.0","PyJWT==2.4.0","requests==2.28.0","Django==4.0.4"]
 
@@ -121,18 +110,21 @@ def A6_disscussion_api(request):
         return JsonResponse({"message":"failure"},status = 400)
     except Exception as e:
         return JsonResponse({"message":"failure"},status = 400)
+from django.views.decorators.csrf import csrf_exempt, csrf_protect
+from django.utils.html import escape
 
-@csrf_exempt
+@csrf_protect
 def A6_disscussion_api_2(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
     try:
         code = request.POST.get('code')
+        if code is None:
+            return JsonResponse({"message":"missing code"},status = 400)
         dirname = os.path.dirname(__file__)
         filename = os.path.join(dirname, "playground/A6/utility.py")
-        f = open(filename,"w")
-        f.write(code)
-        f.close()
+        with open(filename,"w") as f:
+            f.write(escape(code))
     except:
-        return JsonResponse({"message":"missing code"},status = 400)
-    return JsonResponse({"message":"success"},status = 200)
+        return JsonResponse({"message":"error"},status = 500)
+    return JsonResponse({"message":"success"},status = 200)

introduction/mitre.py

@@ -150,6 +150,14 @@ def mitre_top24(request):
 def mitre_top25(request):
     if request.method == 'GET':
         return render(request, 'mitre/mitre_top25.html')
+import os
+import hashlib
+import hmac
+from django.http import HttpResponse, HttpResponseRedirect
+import bcrypt
+from datetime import datetime, timedelta
+from jwt import encode, decode
+from jwt.exceptions import InvalidToken
 
 @authentication_decorator
 def csrf_lab_login(request):
@@ -158,23 +166,25 @@ def csrf_lab_login(request):
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
-        User = CSRF_user_tbl.objects.filter(username=username, password=password)
+        hashed_password = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
+        User = CSRF_user_tbl.objects.filter(username=username, password=hashed_password)
         if User:
             payload ={
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
-            response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
-            return response
+            jwt_secret = os.environ.get('JWT_SECRET')
+            if jwt_secret:
+                cookie = encode(payload, jwt_secret, algorithm='HS256')
+                response = redirect("/mitre/9/lab/transaction")
+                response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
+                return response
+            else:
+                return HttpResponse("JWT secret is not set")
         else :
             return redirect('/mitre/9/lab/login')
-
 @authentication_decorator
-@csrf_exempt
 def csrf_transfer_monei(request):
     if request.method == 'GET':
         try:
@@ -208,14 +218,28 @@ def csrf_transfer_monei_api(request,recipent,amount):
         return redirect('/mitre/9/lab/transaction') 
     else:
         return redirect ('/mitre/9/lab/transaction')
+def safe_eval(expression):
+    allowed_operators = ['+', '-', '*', '/']
+    for operator in allowed_operators:
+        if operator in expression:
+            num1, num2 = expression.split(operator)
+            if operator == '+':
+                return float(num1) + float(num2)
+            elif operator == '-':
+                return float(num1) - float(num2)
+            elif operator == '*':
+                return float(num1) * float(num2)
+            elif operator == '/':
+                if num2 != '0':
+                    return float(num1) / float(num2)
+                else:
+                    return 'Error: Division by zero'
+    return 'Error: Invalid operation'
 
-
-# @authentication_decorator
-@csrf_exempt
 def mitre_lab_25_api(request):
     if request.method == "POST":
         expression = request.POST.get('expression')
-        result = eval(expression)
+        result = safe_eval(expression)
         return JsonResponse({'result': result})
     else:
         return redirect('/mitre/25/lab/')
@@ -228,13 +252,9 @@ def mitre_lab_25(request):
 @authentication_decorator
 def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
-
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    process = subprocess.Popen(command.split(), shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
-
-
-@csrf_exempt
 def mitre_lab_17_api(request):
     if request.method == "POST":
         ip = request.POST.get('ip')
@@ -244,4 +264,4 @@ def mitre_lab_17_api(request):
         err = err.decode()
         pattern = "STATE SERVICE.*\\n\\n"
         ports = re.findall(pattern, res,re.DOTALL)[0][14:-2].split('\n')
-        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
+        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})

introduction/playground/A9/api.py

@@ -1,16 +1,19 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.csrf import csrf_protect
+from django.middleware.csrf import CsrfViewMiddleware
 
 from .main import Log
 
-
-@csrf_exempt
+@csrf_protect
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
         L.info("GET request")
         return JsonResponse({"message":"normal get request", "method":"get"},status = 200)
     if request.method == "POST":
+        csrf_token =(CsrfViewMiddleware().get_token(request))
+        if csrf_token != request.POST.get('csrfmiddlewaretoken'):
+            return JsonResponse({"message":"CSRF token is invalid"},status = 403)
         username = request.POST['username']
         password = request.POST['password']
         L.info(f"POST request with username {username} and password {password}")
@@ -30,4 +33,4 @@ def log_function_target(request):
         return JsonResponse({"message":"success", "method":"patch"},status = 200)
     if request.method == "UPDATE":
         return JsonResponse({"message":"success", "method":"update"},status = 200)
-    return JsonResponse({"message":"method not allowed"},status = 403)
+    return JsonResponse({"message":"method not allowed"},status = 403)

introduction/playground/A9/archive.py

@@ -1,11 +1,13 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.csrf import csrf_protect
+from django.middleware.csrf import get_token
 
 from .main import Log
 
-
-@csrf_exempt
+@csrf_protect
 def log_function_target(request):
+    if 'csrftoken' not in request cookies:
+        get_token(request)
     L = Log(request)
     if request.method == "GET":
         L.info("GET request")

introduction/static/js/a9.js

@@ -37,9 +37,10 @@ event3 = function(){
         document.getElementById("a9_d3").style.display = 'flex';
         for (var i = 0; i < data.logs.length; i++) {
             var li = document.createElement("li");
-            li.innerHTML = data.logs[i];
+            var textNode = document.createTextNode(data.logs[i]);
+            li.appendChild(textNode);
             document.getElementById("a9_d3").appendChild(li);
         }
     })
     .catch(error => console.log('error', error));
-    }
+}

introduction/templates/Lab/A9/a9_lab.html

@@ -1,5 +1,6 @@
 {% extends "introduction/base.html" %}
 {% load static %}
+{% csrf_token %}
 {% block content %}
 {% block title %}
 <title>A9</title>
@@ -8,6 +9,7 @@
 <div class="jumbotron">
     <h4 style="text-align:center"> Yaml To Json Converter</h4>
     <form enctype="multipart/form-data" method="post" action="/a9_lab">
+        {% csrf_token %}
         <input type="file" name="file"><br>
         <br>
         <button class="btn btn-info" type="submit">Upload</button>
@@ -34,4 +36,4 @@ <h5>Here is your output:</h5><br>
 
 </p>
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/A9/a9_lab2.html

@@ -19,6 +19,7 @@ <h4>Some Example</h4>
     </ul>
 
     <form enctype="multipart/form-data" id="a9_form2" method="POST" style="display: flex;flex-direction: column;align-items: center;margin-bottom: 50px;">
+        {% csrf_token %}
         <input type="file" name="file" id="a9_file" />
         <input type="text" name="function" id="a9_function" placeholder="function"/>
         <button type="submit" id="a9_submit" >Submit</button>
@@ -88,7 +89,8 @@ <h4>Some Example</h4>
         form.submit();
     }
     {% if error %}
-    alert("{{ data }}");
+    var data = JSON.parse("{{ data|json_script }}");
+    alert(data);
     {% endif %}
 
 </script>

introduction/templates/Lab/BrokenAccess/ba_lab.html

@@ -1,5 +1,6 @@
 {% extends "introduction/base.html" %}
 {% load static %}
+{% csrf_token %}
 {% block content %}
 {% block title %}
 <title>Broken Access Control.</title>
@@ -9,12 +10,10 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/ba_lab">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
-
-
         </form>
     </div>
 </div>
@@ -43,4 +42,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/BrokenAuth/otp.html

@@ -7,6 +7,7 @@
     <div class="container">
         <h5 align="center">Login Through Otp</h5><br>
         <form method="get" action="/otp">
+            {% csrf_token %}
             <input name="email" type="email" placeholder="[email protected]">
             <button class="btn btn-info" type="submit"> Send OTP</button>
 
@@ -16,6 +17,7 @@ <h5 align="center">Login Through Otp</h5><br>
 </div>
 <div class="container">
     <form method="post" action="/otp">
+        {% csrf_token %}
         <label for='enter'>Enter Your OTP:</label>
         <input id="enter" type="number" maxlength="3" name="otp"><br><br>
         <button class="btn btn-info" type="submit">Log in</button>
@@ -34,4 +36,4 @@ <h3 align="center">Login Successful as user : <code>{{email}}</code></h3>
 
 </div>
 <!-- In case any issue with the code please mail the administrator through this mail id : "[email protected]" -->
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/CMD/cmd_lab.html

@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Name Server Lookup </h3>
         <form method="post" action="/cmd_lab">
+            {% csrf_token %}
             <input type="text" name="domain" placeholder="Enter Domain Here"><br><br>
             <input type="radio" id="linux" name="os" value="linux">
             <label for="linux">Linux</label>
@@ -33,4 +34,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
+{% endblock %}