PatchWork AutoFix

docker-compose.yml

@@ -9,6 +9,9 @@ services:
       - POSTGRES_DB=postgres
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres
+    security_opt:
+      - no-new-privileges:true
+      - read_only:true
   web:
     build: .
     image: pygoat/pygoat
@@ -17,6 +20,9 @@ services:
       - "8000:8000"
     volumes:
       - .:/app
+    security_opt:
+      - no-new-privileges:true
+      - read_only:true
     depends_on:
       - migration
       - db
@@ -25,5 +31,8 @@ services:
     command: python pygoat/manage.py migrate --noinput
     volumes:
       - .:/app
+    security_opt:
+      - no-new-privileges:true
+      - read_only:true
     depends_on:
       - db

introduction/apis.py

@@ -12,14 +12,6 @@
 
 from .utility import *
 from .views import authentication_decorator
-
-
-# steps --> 
-# 1. covert input code to corrosponding code and write in file
-# 2. extract inputs form 2nd code 
-# 3. Run the code 
-# 4. get the result
-@csrf_exempt
 def ssrf_code_checker(request):
     if request.user.is_authenticated:
         if request.method == 'POST':
@@ -52,46 +44,47 @@ def ssrf_code_checker(request):
             return JsonResponse({'message':'method not allowed'},status = 405)
     else:
         return JsonResponse({'message':'UnAuthenticated User'},status = 401)
+from django.views.decorators.csrf import csrf_exempt
+from django.http import JsonResponse
+import os
+import requests
 
-# Insufficient Logging & Monitoring
-
-
-@csrf_exempt
-# @authentication_decorator
+@ csrf_exempt
 def log_function_checker(request):
     if request.method == 'POST':
-        csrf_token = request.POST.get("csrfmiddlewaretoken")
+        csrftoken = request.POST.get('csrfmiddlewaretoken')
         log_code = request.POST.get('log_code')
         api_code = request.POST.get('api_code')
-        dirname = os.path.dirname(__file__)
-        log_filename = os.path.join(dirname, "playground/A9/main.py")
-        api_filename = os.path.join(dirname, "playground/A9/api.py")
-        f = open(log_filename,"w")
+        dir_path = os.path.dirname(__file__)
+        log_filename = os.path.join(dir_path, "playground/A9/main.py").replace('\\', '/')
+        api_filename = os.path.join(dir_path, "playground/A9/api.py").replace('\\', '/')
+        log_code = log_code.replace('..', '').replace('\\', '/')
+        api_code = api_code.replace('..', '').replace('\\', '/')
+        f = open(log_filename, "w", encoding='utf-8', errors='ignore')
         f.write(log_code)
         f.close()
-        f = open(api_filename,"w")
+        f = open(api_filename, "w", encoding='utf-8', errors='ignore')
         f.write(api_code)
         f.close()
-        # Clearing the log file before starting the test
         f = open('test.log', 'w')
         f.write("")
         f.close()
         url = "http://127.0.0.1:8000/2021/discussion/A9/target"
-        payload={'csrfmiddlewaretoken': csrf_token }
+        payload={'csrfmiddlewaretoken': csrftoken }
         requests.request("GET", url)
-        requests.request("POST", url)
+        requests.request("POST", url, data=payload)
         requests.request("PATCH", url, data=payload)
-        requests.request("DELETE", url)
+        requests.request("DELETE", url, data=payload)
         f = open('test.log', 'r')
         lines = f.readlines()
         f.close()
         return JsonResponse({"message":"success", "logs": lines},status = 200)
     else:
         return JsonResponse({"message":"method not allowed"},status = 405)
+from django.views.decorators.csrf import ensure_csrf_cookie
 
-#a7 codechecking api
-@csrf_exempt
-def A7_disscussion_api(request):
+@a7_codechecking_api_view
+def A7_discussion_api(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
 
@@ -108,8 +101,6 @@ def A7_disscussion_api(request):
 
     return JsonResponse({"message":"failure"},status = 400)
 
-#a6 codechecking api
-@csrf_exempt
 def A6_disscussion_api(request):
     test_bench = ["Pillow==8.0.0","PyJWT==2.4.0","requests==2.28.0","Django==4.0.4"]
 
@@ -121,18 +112,19 @@ def A6_disscussion_api(request):
         return JsonResponse({"message":"failure"},status = 400)
     except Exception as e:
         return JsonResponse({"message":"failure"},status = 400)
+from django.http import JsonResponse
+import os
 
-@csrf_exempt
 def A6_disscussion_api_2(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
     try:
         code = request.POST.get('code')
+        code = escape(code) # sanitize the code to prevent malicious data injection
         dirname = os.path.dirname(__file__)
         filename = os.path.join(dirname, "playground/A6/utility.py")
-        f = open(filename,"w")
-        f.write(code)
-        f.close()
+        with open(filename,"w") as f:
+            f.write(code)
     except:
         return JsonResponse({"message":"missing code"},status = 400)
-    return JsonResponse({"message":"success"},status = 200)
+    return JsonResponse({"message":"success"},status = 200)

introduction/mitre.py

@@ -150,31 +150,28 @@ def mitre_top24(request):
 def mitre_top25(request):
     if request.method == 'GET':
         return render(request, 'mitre/mitre_top25.html')
-
 @authentication_decorator
 def csrf_lab_login(request):
     if request.method == 'GET':
         return render(request, 'mitre/csrf_lab_login.html')
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
+        password = bcrypt.hashpw(password.encode(), bcrypt.gensalt()).hexdigest()
         User = CSRF_user_tbl.objects.filter(username=username, password=password)
         if User:
-            payload ={
+            payload = {
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
             cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
             return response
-        else :
+        else:
             return redirect('/mitre/9/lab/login')
-
 @authentication_decorator
-@csrf_exempt
 def csrf_transfer_monei(request):
     if request.method == 'GET':
         try:
@@ -183,7 +180,7 @@ def csrf_transfer_monei(request):
             username = payload['username']
             User = CSRF_user_tbl.objects.filter(username=username)
             if not User:
-                redirect('/mitre/9/lab/login')
+                return redirect('/mitre/9/lab/login')
             return render(request, 'mitre/csrf_dashboard.html', {'balance': User[0].balance})
         except:
             return redirect('/mitre/9/lab/login')
@@ -230,9 +227,8 @@ def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
 
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
-
 
 @csrf_exempt
 def mitre_lab_17_api(request):

introduction/playground/A9/api.py

@@ -1,10 +1,9 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
+from .main import Log
 
 from .main import Log
 
 
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
@@ -30,4 +29,4 @@ def log_function_target(request):
         return JsonResponse({"message":"success", "method":"patch"},status = 200)
     if request.method == "UPDATE":
         return JsonResponse({"message":"success", "method":"update"},status = 200)
-    return JsonResponse({"message":"method not allowed"},status = 403)
+    return JsonResponse({"message":"method not allowed"},status = 403)

introduction/playground/A9/archive.py

@@ -4,7 +4,6 @@
 from .main import Log
 
 
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":

introduction/static/js/a9.js

@@ -1,15 +1,3 @@
-// console.log("imported a9.js");
-
-event1 = function(){
-    document.getElementById("a9_b1").style.display = 'none';
-    document.getElementById("a9_d1").style.display = 'flex';
-}
-
-event2 = function(){
-    document.getElementById("a9_b2").style.display = 'none';
-    document.getElementById("a9_d2").style.display = 'flex';
-}
-
 event3 = function(){
     var log_code = document.getElementById('a9_log').value
     var target_code = document.getElementById('a9_api').value
@@ -37,9 +25,9 @@ event3 = function(){
         document.getElementById("a9_d3").style.display = 'flex';
         for (var i = 0; i < data.logs.length; i++) {
             var li = document.createElement("li");
-            li.innerHTML = data.logs[i];
+            li.textContent = data.logs[i]; // Fixed XSS vulnerability by using textContent instead of innerHTML
             document.getElementById("a9_d3").appendChild(li);
         }
     })
     .catch(error => console.log('error', error));
-    }
+}

introduction/templates/Lab/A9/a9_lab.html

@@ -8,6 +8,7 @@
 <div class="jumbotron">
     <h4 style="text-align:center"> Yaml To Json Converter</h4>
     <form enctype="multipart/form-data" method="post" action="/a9_lab">
+        {% csrf_token %}
         <input type="file" name="file"><br>
         <br>
         <button class="btn btn-info" type="submit">Upload</button>
@@ -34,4 +35,4 @@ <h5>Here is your output:</h5><br>
 
 </p>
 
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/A9/a9_lab2.html

@@ -19,6 +19,7 @@ <h4>Some Example</h4>
     </ul>
 
     <form enctype="multipart/form-data" id="a9_form2" method="POST" style="display: flex;flex-direction: column;align-items: center;margin-bottom: 50px;">
+        {% csrf_token %}
         <input type="file" name="file" id="a9_file" />
         <input type="text" name="function" id="a9_function" placeholder="function"/>
         <button type="submit" id="a9_submit" >Submit</button>
@@ -88,7 +89,7 @@ <h4>Some Example</h4>
         form.submit();
     }
     {% if error %}
-    alert("{{ data }}");
+    alert( "{{ data|tojson }}" );
     {% endif %}
 
 </script>

introduction/templates/Lab/BrokenAccess/ba_lab.html

@@ -9,38 +9,11 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/ba_lab">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
-
-
         </form>
     </div>
 </div>
-<div class="container">
-    {% if username %}
-    <h2>Logged in as user: <code>{{username}}</code></h2>
-    {% endif %}
-
-    {% if data %}
-    <h2>Your Secret Key is <code>{{data}}</code></h2>
-    {% endif %}
-
-    {% if not_admin %}
-    <h2><code>{{not_admin}}</code></h2>
-    {% endif %}
-
-    {% if no_creds %}
-    <h2>Please Provide Credentials</h2>
-    {% endif %}
-
-</div>
-
-<br>
-<div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/ba'">Back to Lab
-        Details</button></div>
-
-</p>
-
-{% endblock %}
+```

introduction/templates/Lab/BrokenAuth/otp.html

@@ -6,7 +6,8 @@
 <div class="jumbotron">
     <div class="container">
         <h5 align="center">Login Through Otp</h5><br>
-        <form method="get" action="/otp">
+        <form method="post" action="/otp">
+            {% csrf_token %}
             <input name="email" type="email" placeholder="[email protected]">
             <button class="btn btn-info" type="submit"> Send OTP</button>
 
@@ -16,6 +17,7 @@ <h5 align="center">Login Through Otp</h5><br>
 </div>
 <div class="container">
     <form method="post" action="/otp">
+        {% csrf_token %}
         <label for='enter'>Enter Your OTP:</label>
         <input id="enter" type="number" maxlength="3" name="otp"><br><br>
         <button class="btn btn-info" type="submit">Log in</button>
@@ -34,4 +36,4 @@ <h3 align="center">Login Successful as user : <code>{{email}}</code></h3>
 
 </div>
 <!-- In case any issue with the code please mail the administrator through this mail id : "[email protected]" -->
-{% endblock %}
+{% endblock %}

introduction/templates/Lab/CMD/cmd_lab.html

@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Name Server Lookup </h3>
         <form method="post" action="/cmd_lab">
+            {% csrf_token %}
             <input type="text" name="domain" placeholder="Enter Domain Here"><br><br>
             <input type="radio" id="linux" name="os" value="linux">
             <label for="linux">Linux</label>
@@ -25,12 +26,7 @@ <h6><b>Output</b></h6><br>
     {% endif %}
 </div>
 
-
 <br>
 <div align="right"> <button class="btn btn-info" type="button" onclick="window.location.href='/cmd'">Back to lab
         details</button></div>
-
 </p>
-
-
-{% endblock %}

introduction/templates/Lab/CMD/cmd_lab2.html

@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Evaluate any expression!</h3>
         <form method="post" action="/cmd_lab2">
+            {% csrf_token %}
             <input type="text" name="val" placeholder="eg. 7*7"><br><br>
             <center><button class="btn btn-info" type="submit">GO</button></center>
         </form>
@@ -29,4 +30,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
+{% endblock %}