Admins can bypass ctftime (#374)

* Admins can see/solve challenges regardless of ctftime * Adding tests for ctftime based functionality
2025-12-17 22:14:25 +01:00 · 2017-09-04 05:03:06 -04:00
parent bcaff30a7d
commit 6f60ddd2f5
12 changed files with 348 additions and 174 deletions
--- a/tests/user/test_challenges.py
+++ b/tests/user/test_challenges.py
@@ -0,0 +1,149 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+from CTFd.models import Teams, Solves, WrongKeys
+from CTFd.utils import get_config, set_config
+from CTFd import utils
+from tests.helpers import *
+from freezegun import freeze_time
+from mock import patch
+import json
+
+
+def test_user_get_challenges():
+    """Can a registered user load /challenges"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        r = client.get('/challenges')
+        assert r.status_code == 200
+    destroy_ctfd(app)
+
+
+def test_user_get_chals():
+    """Can a registered user load /chals"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        r = client.get('/chals')
+        assert r.status_code == 200
+    destroy_ctfd(app)
+
+
+def test_viewing_challenges():
+    """Test that users can see added challenges"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        gen_challenge(app.db)
+        r = client.get('/chals')
+        chals = json.loads(r.get_data(as_text=True))
+        assert len(chals['game']) == 1
+    destroy_ctfd(app)
+
+
+def test_submitting_correct_flag():
+    """Test that correct flags are correct"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        chal = gen_challenge(app.db)
+        flag = gen_flag(app.db, chal=chal.id, flag='flag')
+        with client.session_transaction() as sess:
+            data = {
+                "key": 'flag',
+                "nonce": sess.get('nonce')
+            }
+        r = client.post('/chal/{}'.format(chal.id), data=data)
+        assert r.status_code == 200
+        resp = json.loads(r.data.decode('utf8'))
+        assert resp.get('status') == 1 and resp.get('message') == "Correct"
+    destroy_ctfd(app)
+
+
+def test_submitting_incorrect_flag():
+    """Test that incorrect flags are incorrect"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        chal = gen_challenge(app.db)
+        flag = gen_flag(app.db, chal=chal.id, flag='flag')
+        with client.session_transaction() as sess:
+            data = {
+                "key": 'notflag',
+                "nonce": sess.get('nonce')
+            }
+        r = client.post('/chal/{}'.format(chal.id), data=data)
+        assert r.status_code == 200
+        resp = json.loads(r.data.decode('utf8'))
+        assert resp.get('status') == 0 and resp.get('message') == "Incorrect"
+    destroy_ctfd(app)
+
+
+def test_submitting_unicode_flag():
+    """Test that users can submit a unicode flag"""
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+        chal = gen_challenge(app.db)
+        flag = gen_flag(app.db, chal=chal.id, flag=u'你好')
+        with client.session_transaction() as sess:
+            data = {
+                "key": '你好',
+                "nonce": sess.get('nonce')
+            }
+        r = client.post('/chal/{}'.format(chal.id), data=data)
+        assert r.status_code == 200
+        resp = json.loads(r.data.decode('utf8'))
+        assert resp.get('status') == 1 and resp.get('message') == "Correct"
+    destroy_ctfd(app)
+
+
+def test_submitting_flags_with_large_ips():
+    '''Test that users with high octect IP addresses can submit flags'''
+    app = create_ctfd()
+    with app.app_context():
+        register_user(app)
+        client = login_as_user(app)
+
+        # SQLite doesn't support BigInteger well so we can't test it properly
+        ip_addresses = ['172.18.0.1', '255.255.255.255', '2001:0db8:85a3:0000:0000:8a2e:0370:7334']
+        for ip_address in ip_addresses:
+            # Monkeypatch get_ip
+            utils.get_ip = lambda: ip_address
+
+            # Generate challenge and flag
+            chal = gen_challenge(app.db)
+            chal_id = chal.id
+            flag = gen_flag(app.db, chal=chal.id, flag=u'correct_key')
+
+            # Submit wrong_key
+            with client.session_transaction() as sess:
+                data = {
+                    "key": 'wrong_key',
+                    "nonce": sess.get('nonce')
+                }
+            r = client.post('/chal/{}'.format(chal_id), data=data)
+            assert r.status_code == 200
+            resp = json.loads(r.data.decode('utf8'))
+            assert resp.get('status') == 0 and resp.get('message') == "Incorrect"
+            assert WrongKeys.query.filter_by(ip=ip_address).first()
+
+            # Submit correct key
+            with client.session_transaction() as sess:
+                data = {
+                    "key": 'correct_key',
+                    "nonce": sess.get('nonce')
+                }
+            r = client.post('/chal/{}'.format(chal_id), data=data)
+            assert r.status_code == 200
+            resp = json.loads(r.data.decode('utf8'))
+            assert resp.get('status') == 1 and resp.get('message') == "Correct"
+            assert Solves.query.filter_by(ip=ip_address).first()
+    destroy_ctfd(app)