Hidden challenges now return 404 and can't be solved (#432)

* Hidden challenges now return 404 and can't be solved
2025-12-17 22:14:25 +01:00 · 2017-10-28 13:31:34 -04:00
parent b4f29e1450
commit 6f4a520241
3 changed files with 29 additions and 1 deletions
--- a/tests/user/test_challenges.py
+++ b/tests/user/test_challenges.py
@@ -349,3 +349,27 @@ def test_that_view_challenges_unregistered_works():
        data = json.loads(data)
        assert data['status'] == -1
    destroy_ctfd(app)
+
+
+def test_hidden_challenge_is_unsolveable():
+    """Test that hidden challenges return 404 and do not insert a solve or wrong key"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        chal = gen_challenge(app.db, hidden=True)
+        flag = gen_flag(app.db, chal=chal.id, flag='flag')
+        with client.session_transaction() as sess:
+            data = {
+                "key": 'flag',
+                "nonce": sess.get('nonce')
+            }
+        r = client.post('/chal/{}'.format(chal.id), data=data)
+        assert r.status_code == 404
+
+        solves = Solves.query.all()
+        assert len(solves) == 0
+
+        wrong_keys = WrongKeys.query.all()
+        assert len(wrong_keys) == 0
+    destroy_ctfd(app)