patched-codes · CTY-git · May 7, 2024 · May 7, 2024 · May 7, 2024 · May 7, 2024
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,6 +9,9 @@ services:
       - POSTGRES_DB=postgres
       - POSTGRES_USER=postgres
       - POSTGRES_PASSWORD=postgres
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
   web:
     build: .
     image: pygoat/pygoat
@@ -20,10 +23,16 @@ services:
     depends_on:
       - migration
       - db
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
   migration:
     image: pygoat/pygoat
     command: python pygoat/manage.py migrate --noinput
     volumes:
       - .:/app
     depends_on:
       - db
+    read_only: true
+    security_opt:
+      - no-new-privileges:true
diff --git a/introduction/apis.py b/introduction/apis.py
@@ -12,14 +12,6 @@
 
 from .utility import *
 from .views import authentication_decorator
-
-
-# steps --> 
-# 1. covert input code to corrosponding code and write in file
-# 2. extract inputs form 2nd code 
-# 3. Run the code 
-# 4. get the result
-@csrf_exempt
 def ssrf_code_checker(request):
     if request.user.is_authenticated:
         if request.method == 'POST':
@@ -52,17 +44,15 @@ def ssrf_code_checker(request):
             return JsonResponse({'message':'method not allowed'},status = 405)
     else:
         return JsonResponse({'message':'UnAuthenticated User'},status = 401)
+from django.utils.html import escape
 
-# Insufficient Logging & Monitoring
-
-
-@csrf_exempt
+# @csrf_exempt
 # @authentication_decorator
 def log_function_checker(request):
     if request.method == 'POST':
         csrf_token = request.POST.get("csrfmiddlewaretoken")
-        log_code = request.POST.get('log_code')
-        api_code = request.POST.get('api_code')
+        log_code = escape(request.POST.get('log_code'))
+        api_code = escape(request.POST.get('api_code'))
         dirname = os.path.dirname(__file__)
         log_filename = os.path.join(dirname, "playground/A9/main.py")
         api_filename = os.path.join(dirname, "playground/A9/api.py")
@@ -88,9 +78,10 @@ def log_function_checker(request):
         return JsonResponse({"message":"success", "logs": lines},status = 200)
     else:
         return JsonResponse({"message":"method not allowed"},status = 405)
-
 #a7 codechecking api
-@csrf_exempt
+from django.views.decorators.csrf import csrf_protect
+
+@csrf_protect
 def A7_disscussion_api(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
@@ -107,9 +98,7 @@ def A7_disscussion_api(request):
         return JsonResponse({"message":"success"},status = 200)
 
     return JsonResponse({"message":"failure"},status = 400)
-
 #a6 codechecking api
-@csrf_exempt
 def A6_disscussion_api(request):
     test_bench = ["Pillow==8.0.0","PyJWT==2.4.0","requests==2.28.0","Django==4.0.4"]
 
@@ -121,18 +110,21 @@ def A6_disscussion_api(request):
         return JsonResponse({"message":"failure"},status = 400)
     except Exception as e:
         return JsonResponse({"message":"failure"},status = 400)
+from django.views.decorators.csrf import csrf_protect
+import html
 
-@csrf_exempt
+@csrf_protect
 def A6_disscussion_api_2(request):
     if request.method != 'POST':
         return JsonResponse({"message":"method not allowed"},status = 405)
     try:
         code = request.POST.get('code')
+        code = html.escape(code)
         dirname = os.path.dirname(__file__)
         filename = os.path.join(dirname, "playground/A6/utility.py")
         f = open(filename,"w")
         f.write(code)
         f.close()
     except:
         return JsonResponse({"message":"missing code"},status = 400)
-    return JsonResponse({"message":"success"},status = 200)
+    return JsonResponse({"message":"success"},status = 200)
diff --git a/introduction/mitre.py b/introduction/mitre.py
@@ -150,6 +150,8 @@ def mitre_top24(request):
 def mitre_top25(request):
     if request.method == 'GET':
         return render(request, 'mitre/mitre_top25.html')
+import os
+from django.http import JsonResponse
 
 @authentication_decorator
 def csrf_lab_login(request):
@@ -158,23 +160,24 @@ def csrf_lab_login(request):
     elif request.method == 'POST':
         password = request.POST.get('password')
         username = request.POST.get('username')
-        password = md5(password.encode()).hexdigest()
+
+        password = hashlib.scrypt(password.encode(), salt=os.urandom(16), n=16384, r=8, p=1).hex()
         User = CSRF_user_tbl.objects.filter(username=username, password=password)
         if User:
+            secret = os.environ.get('JWT_SECRET_KEY', 'default_key')
             payload ={
                 'username': username,
                 'exp': datetime.datetime.utcnow() + datetime.timedelta(seconds=300),
                 'iat': datetime.datetime.utcnow()
             }
-            cookie = jwt.encode(payload, 'csrf_vulneribility', algorithm='HS256')
+            cookie = jwt.encode(payload, secret, algorithm='HS256')
             response = redirect("/mitre/9/lab/transaction")
-            response.set_cookie('auth_cookiee', cookie)
+            response.set_cookie('auth_cookiee', cookie, secure=True, httponly=True, samesite='Lax')
             return response
         else :
             return redirect('/mitre/9/lab/login')
 
 @authentication_decorator
-@csrf_exempt
 def csrf_transfer_monei(request):
     if request.method == 'GET':
         try:
@@ -208,14 +211,16 @@ def csrf_transfer_monei_api(request,recipent,amount):
         return redirect('/mitre/9/lab/transaction') 
     else:
         return redirect ('/mitre/9/lab/transaction')
+from ast import literal_eval
 
-
-# @authentication_decorator
-@csrf_exempt
+@authentication_decorator
 def mitre_lab_25_api(request):
     if request.method == "POST":
         expression = request.POST.get('expression')
-        result = eval(expression)
+        try:
+            result = literal_eval(expression)
+        except (SyntaxError, ValueError):
+            return JsonResponse({'error': 'Invalid expression'})
         return JsonResponse({'result': result})
     else:
         return redirect('/mitre/25/lab/')
@@ -228,13 +233,10 @@ def mitre_lab_25(request):
 @authentication_decorator
 def mitre_lab_17(request):
     return render(request, 'mitre/mitre_lab_17.html')
-
 def command_out(command):
-    process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    command = command.split()
+    process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     return process.communicate()
-
-
-@csrf_exempt
 def mitre_lab_17_api(request):
     if request.method == "POST":
         ip = request.POST.get('ip')
@@ -244,4 +246,4 @@ def mitre_lab_17_api(request):
         err = err.decode()
         pattern = "STATE SERVICE.*\\n\\n"
         ports = re.findall(pattern, res,re.DOTALL)[0][14:-2].split('\n')
-        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
+        return JsonResponse({'raw_res': str(res), 'raw_err': str(err), 'ports': ports})
diff --git a/introduction/playground/A9/api.py b/introduction/playground/A9/api.py
@@ -1,33 +1,29 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
-
 from .main import Log
 
-
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
         L.info("GET request")
-        return JsonResponse({"message":"normal get request", "method":"get"},status = 200)
+        return JsonResponse({"message":"normal get request", "method":"get"}, status=200)
     if request.method == "POST":
         username = request.POST['username']
         password = request.POST['password']
         L.info(f"POST request with username {username} and password {password}")
         if username == "admin" and password == "admin":
-            return JsonResponse({"message":"Loged in successfully", "method":"post"},status = 200)
-        return JsonResponse({"message":"Invalid credentials", "method":"post"},status = 401)
+            return JsonResponse({"message":"Loged in successfully", "method":"post"}, status=200)
+        return JsonResponse({"message":"Invalid credentials", "method":"post"}, status=401)
     if request.method == "PUT":
         L.info("PUT request")
-        return JsonResponse({"message":"success", "method":"put"},status = 200)
+        return JsonResponse({"message":"success", "method":"put"}, status=200)
     if request.method == "DELETE":
         if request.user.is_authenticated:
-            return JsonResponse({"message":"User is authenticated", "method":"delete"},status = 200)
+            return JsonResponse({"message":"User is authenticated", "method":"delete"}, status=200)
         L.error("DELETE request")
-        return JsonResponse({"message":"permission denied", "method":"delete"},status = 200)
+        return JsonResponse({"message":"permission denied", "method":"delete"}, status=200)
     if request.method == "PATCH":
         L.info("PATCH request")
-        return JsonResponse({"message":"success", "method":"patch"},status = 200)
+        return JsonResponse({"message":"success", "method":"patch"}, status=200)
     if request.method == "UPDATE":
-        return JsonResponse({"message":"success", "method":"update"},status = 200)
-    return JsonResponse({"message":"method not allowed"},status = 403)
+        return JsonResponse({"message":"success", "method":"update"}, status=200)
+    return JsonResponse({"message":"method not allowed"}, status=403)
diff --git a/introduction/playground/A9/archive.py b/introduction/playground/A9/archive.py
@@ -1,10 +1,7 @@
 from django.http import JsonResponse
-from django.views.decorators.csrf import csrf_exempt
-
 from .main import Log
 
 
-@csrf_exempt
 def log_function_target(request):
     L = Log(request)
     if request.method == "GET":
@@ -33,12 +30,6 @@ def log_function_target(request):
     return JsonResponse({"message":"method not allowed"},status = 403)
 
 
-# ======================================
-
-import datetime
-
-
-# f = open('test.log', 'a') --> use this file to log
 class Log:
     def __init__(self,request):
         self.request = request

diff --git a/introduction/static/js/a9.js b/introduction/static/js/a9.js
@@ -37,9 +37,9 @@ event3 = function(){
         document.getElementById("a9_d3").style.display = 'flex';
         for (var i = 0; i < data.logs.length; i++) {
             var li = document.createElement("li");
-            li.innerHTML = data.logs[i];
+            li.textContent = data.logs[i];
             document.getElementById("a9_d3").appendChild(li);
         }
     })
     .catch(error => console.log('error', error));
-    }
+    }
diff --git a/introduction/templates/Lab/A9/a9_lab.html b/introduction/templates/Lab/A9/a9_lab.html
@@ -8,6 +8,7 @@
 <div class="jumbotron">
     <h4 style="text-align:center"> Yaml To Json Converter</h4>
     <form enctype="multipart/form-data" method="post" action="/a9_lab">
+        {% csrf_token %}
         <input type="file" name="file"><br>
         <br>
         <button class="btn btn-info" type="submit">Upload</button>
@@ -34,4 +35,4 @@ <h5>Here is your output:</h5><br>
 
 </p>
 
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/A9/a9_lab2.html b/introduction/templates/Lab/A9/a9_lab2.html
@@ -19,6 +19,7 @@ <h4>Some Example</h4>
     </ul>
 
     <form enctype="multipart/form-data" id="a9_form2" method="POST" style="display: flex;flex-direction: column;align-items: center;margin-bottom: 50px;">
+        {% csrf_token %}
         <input type="file" name="file" id="a9_file" />
         <input type="text" name="function" id="a9_function" placeholder="function"/>
         <button type="submit" id="a9_submit" >Submit</button>
@@ -88,7 +89,11 @@ <h4>Some Example</h4>
         form.submit();
     }
     {% if error %}
-    alert("{{ data }}");
+    <span id="data">{{ data }}</span>
+    <script>
+        var data = document.getElementById('data').textContent;
+        alert(data);
+    </script>
     {% endif %}
 
 </script>

diff --git a/introduction/templates/Lab/BrokenAccess/ba_lab.html b/introduction/templates/Lab/BrokenAccess/ba_lab.html
@@ -9,7 +9,7 @@
     <h4 style="text-align:center"> Admins Have the Secretkey</h4>
     <div class="login">
         <form method="post" action="/ba_lab">
-
+            {% csrf_token %}
             <input id="input" type="text" name="name" placeholder="User Name"><br>
             <input id="input" type="password" name="pass" placeholder="Password"><br>
             <button style="margin-top:20px" class="btn btn-info" type="submit"> Log in</button>
@@ -43,4 +43,4 @@ <h2>Please Provide Credentials</h2>
 
 </p>
 
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/BrokenAuth/otp.html b/introduction/templates/Lab/BrokenAuth/otp.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h5 align="center">Login Through Otp</h5><br>
         <form method="get" action="/otp">
+            {% csrf_token %}
             <input name="email" type="email" placeholder="yourid@mail.com">
             <button class="btn btn-info" type="submit"> Send OTP</button>
 
@@ -16,6 +17,7 @@ <h5 align="center">Login Through Otp</h5><br>
 </div>
 <div class="container">
     <form method="post" action="/otp">
+        {% csrf_token %}
         <label for='enter'>Enter Your OTP:</label>
         <input id="enter" type="number" maxlength="3" name="otp"><br><br>
         <button class="btn btn-info" type="submit">Log in</button>
@@ -30,8 +32,6 @@ <h3 align="center">Your 3 Digit Verification Code:<code>{{otp}}</code></h3>
     <h3 align="center">Login Successful as user : <code>{{email}}</code></h3>
     {% endif %}
 
-
-
 </div>
 <!-- In case any issue with the code please mail the administrator through this mail id : "admin@pygoat.com" -->
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/CMD/cmd_lab.html b/introduction/templates/Lab/CMD/cmd_lab.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Name Server Lookup </h3>
         <form method="post" action="/cmd_lab">
+            {% csrf_token %}
             <input type="text" name="domain" placeholder="Enter Domain Here"><br><br>
             <input type="radio" id="linux" name="os" value="linux">
             <label for="linux">Linux</label>
@@ -33,4 +34,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/CMD/cmd_lab2.html b/introduction/templates/Lab/CMD/cmd_lab2.html
@@ -7,6 +7,7 @@
     <div class="container">
         <h3 align="center">Evaluate any expression!</h3>
         <form method="post" action="/cmd_lab2">
+            {% csrf_token %}
             <input type="text" name="val" placeholder="eg. 7*7"><br><br>
             <center><button class="btn btn-info" type="submit">GO</button></center>
         </form>
@@ -29,4 +30,4 @@ <h6><b>Output</b></h6><br>
 </p>
 
 
-{% endblock %}
+{% endblock %}
diff --git a/introduction/templates/Lab/XSS/xss_lab_3.html b/introduction/templates/Lab/XSS/xss_lab_3.html
@@ -17,9 +17,11 @@ <h1>Welcome to XSS Challenge</h1>
 </form>
 <br>
 <p>{{code}}</p>
+{% json_script "safe_code" code %}
 <script>
     // LAB 3 JS CODE
-    {{code}}
+    var safeCode = document.getElementById('safe_code').textContent;
+    eval(safeCode);
 </script>
 <br>
 <div align="right">