aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-18 14:34:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixing issue downloading files when view_after_ctf is enabled (#1011)

Browse Source
This commit is contained in:
Kevin Chung
2019-06-03 21:08:30 -04:00
committed by GitHub
parent 8a35557f08
commit 458ce2e518
2 changed files with 131 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CTFd/views.py
View File

@@ -24,7 +24,7 @@ from CTFd.utils.config.visibility import challenges_visible
from CTFd.utils.security.auth import login_user from CTFd.utils.security.auth import login_user
from CTFd.utils.security.csrf import generate_nonce from CTFd.utils.security.csrf import generate_nonce
from CTFd.utils import user as current_user from CTFd.utils import user as current_user
from CTFd.utils.dates import ctftime from CTFd.utils.dates import ctftime, ctf_ended, view_after_ctf
from CTFd.utils.decorators import authed_only from CTFd.utils.decorators import authed_only
from CTFd.utils.security.signing import ( from CTFd.utils.security.signing import (
unserialize, unserialize,
@@ -202,7 +202,10 @@ def files(path):
if challenges_visible(): if challenges_visible():
if current_user.is_admin() is False: if current_user.is_admin() is False:
if not ctftime(): if not ctftime():
abort(403) if ctf_ended() and view_after_ctf():
pass
else:
abort(403)
else: else:
if not ctftime(): if not ctftime():
abort(403) abort(403)

135
tests/users/test_views.py → tests/test_views.py
View File

@@ -112,7 +112,8 @@ def test_themes_handler():
assert r.status_code == 404 assert r.status_code == 404
r = client.get("/themes/core/static/%2e%2e/%2e%2e/%2e%2e/utils.py") r = client.get("/themes/core/static/%2e%2e/%2e%2e/%2e%2e/utils.py")
assert r.status_code == 404 assert r.status_code == 404
r = client.get("/themes/core/static/%2e%2e%2f%2e%2e%2f%2e%2e%2futils.py") r = client.get(
"/themes/core/static/%2e%2e%2f%2e%2e%2f%2e%2e%2futils.py")
assert r.status_code == 404 assert r.status_code == 404
r = client.get("/themes/core/static/..%2f..%2f..%2futils.py") r = client.get("/themes/core/static/..%2f..%2f..%2futils.py")
assert r.status_code == 404 assert r.status_code == 404
@@ -191,10 +192,9 @@ def test_user_can_access_files():
assert r.status_code == 200 assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load" assert r.get_data(as_text=True) == "testing file load"
with freeze_time("2017-10-7"): with freeze_time("2017-10-5"):
set_config( # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
"end", "1507262400" set_config("start", "1507262400")
) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
for v in ("public", "private"): for v in ("public", "private"):
set_config("challenge_visibility", v) set_config("challenge_visibility", v)
@@ -215,6 +215,30 @@ def test_user_can_access_files():
r = admin.get(url) r = admin.get(url)
assert r.status_code == 200 assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load" assert r.get_data(as_text=True) == "testing file load"
with freeze_time("2017-10-7"):
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("end", "1507262400")
for v in ("public", "private"):
set_config("challenge_visibility", v)
# Unauthed users shouldn't be able to see files if the CTF has ended
client = app.test_client()
r = client.get(url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
# Authed users shouldn't be able to see files if the CTF has ended
client = login_as_user(app)
r = client.get(url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
# Admins should be able to see files if the CTF has ended
admin = login_as_user(app, "admin")
r = admin.get(url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
finally: finally:
rmdir(directory) rmdir(directory)
destroy_ctfd(app) destroy_ctfd(app)
@@ -274,15 +298,108 @@ def test_user_can_access_files_with_auth_token():
assert r.get_data(as_text=True) != "testing file load" assert r.get_data(as_text=True) != "testing file load"
set_config("challenge_visibility", "private") set_config("challenge_visibility", "private")
with freeze_time("2017-10-7"): with freeze_time("2017-10-5"):
set_config( # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
"end", "1507262400" set_config("start", "1507262400")
) # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
# Unauthed users shouldn't be able to see files if the CTF hasn't started # Unauthed users shouldn't be able to see files if the CTF hasn't started
r = client.get(file_url) r = client.get(file_url)
assert r.status_code == 403 assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load" assert r.get_data(as_text=True) != "testing file load"
with freeze_time("2017-10-5"):
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("start", "1507262400")
for v in ("public", "private"):
set_config("challenge_visibility", v)
# Unauthed users shouldn't be able to see files if the CTF hasn't started
client = app.test_client()
r = client.get(file_url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
# Authed users shouldn't be able to see files if the CTF hasn't started
client = login_as_user(app)
r = client.get(file_url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
# Admins should be able to see files if the CTF hasn't started
admin = login_as_user(app, "admin")
r = admin.get(file_url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
with freeze_time("2017-10-7"):
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("end", "1507262400")
for v in ("public", "private"):
set_config("challenge_visibility", v)
# Unauthed users shouldn't be able to see files if the CTF has ended
client = app.test_client()
r = client.get(file_url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
# Authed users shouldn't be able to see files if the CTF has ended
client = login_as_user(app)
r = client.get(file_url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
# Admins should be able to see files if the CTF has ended
admin = login_as_user(app, "admin")
r = admin.get(file_url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
finally: finally:
rmdir(directory) rmdir(directory)
destroy_ctfd(app) destroy_ctfd(app)
def test_user_can_access_files_if_view_after_ctf():
app = create_ctfd()
with app.app_context():
from CTFd.utils.uploads import rmdir
chal = gen_challenge(app.db)
chal_id = chal.id
path = app.config.get("UPLOAD_FOLDER")
md5hash = hexencode(os.urandom(16)).decode("utf-8")
location = os.path.join(path, md5hash, "test.txt")
directory = os.path.dirname(location)
model_path = os.path.join(md5hash, "test.txt")
try:
os.makedirs(directory)
with open(location, "wb") as obj:
obj.write("testing file load".encode())
gen_file(app.db, location=model_path, challenge_id=chal_id)
register_user(app)
with login_as_user(app) as client:
req = client.get("/api/v1/challenges/1")
data = req.get_json()
file_url = data["data"]["files"][0]
# After ctf end
with freeze_time("2017-10-7"):
# Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
set_config("end", "1507262400")
r = client.get(file_url)
assert r.status_code == 403
assert r.get_data(as_text=True) != "testing file load"
set_config("view_after_ctf", True)
r = client.get(file_url)
assert r.status_code == 200
assert r.get_data(as_text=True) == "testing file load"
finally:
rmdir(directory)
destroy_ctfd(app)