aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-18 06:24:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixing large ip solves (#307)

Browse Source 
* Switching to using strings to store IP addresses because of the issues with storing them properly, Fixes #302, Fixes $306
* Only runs migrations when using a real database because SQlite is too inflexible to support migrations properly
* Removes calls to the ip helper functions but they can remain in case someone needs them in a plugin.
This commit is contained in:
Kevin Chung
2017-07-08 17:53:14 -04:00
committed by GitHub
parent dea59a1bc8
commit 92f130d5de
13 changed files with 216 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
tests/test_user_facing.py
View File

@@ -2,8 +2,9 @@
# -*- coding: utf-8 -*-
from tests.helpers import *
from CTFd.models import Teams
from CTFd.models import Teams, Solves, WrongKeys
import json
from CTFd import utils
def test_index():
@@ -13,6 +14,7 @@ def test_index():
with app.test_client() as client:
r = client.get('/')
assert r.status_code == 200
destroy_ctfd(app)
def test_register_user():
@@ -22,6 +24,7 @@ def test_register_user():
register_user(app)
team_count = app.db.session.query(app.db.func.count(Teams.id)).first()[0]
assert team_count == 2 # There's the admin user and the created user
destroy_ctfd(app)
def test_register_duplicate_teamname():
@@ -32,6 +35,7 @@ def test_register_duplicate_teamname():
register_user(app, name="user1", email="user2@ctfd.io", password="password")
team_count = app.db.session.query(app.db.func.count(Teams.id)).first()[0]
assert team_count == 2 # There's the admin user and the first created user
destroy_ctfd(app)
def test_register_duplicate_email():
@@ -42,6 +46,7 @@ def test_register_duplicate_email():
register_user(app, name="user2", email="user1@ctfd.io", password="password")
team_count = app.db.session.query(app.db.func.count(Teams.id)).first()[0]
assert team_count == 2 # There's the admin user and the first created user
destroy_ctfd(app)
def test_user_bad_login():
@@ -52,6 +57,7 @@ def test_user_bad_login():
client = login_as_user(app, name="user", password="wrong_password")
r = client.get('/profile')
assert r.location.startswith("http://localhost/login") # We got redirected to login
destroy_ctfd(app)
def test_user_login():
@@ -63,6 +69,7 @@ def test_user_login():
r = client.get('/profile')
assert r.location != "http://localhost/login" # We didn't get redirected to login
assert r.status_code == 200
destroy_ctfd(app)
def test_user_isnt_admin():
@@ -74,6 +81,7 @@ def test_user_isnt_admin():
r = client.get('/admin/graphs')
assert r.location == "http://localhost/login"
assert r.status_code == 302
destroy_ctfd(app)
def test_user_get_teams():
@@ -84,6 +92,7 @@ def test_user_get_teams():
client = login_as_user(app)
r = client.get('/teams')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_scoreboard():
@@ -94,6 +103,7 @@ def test_user_get_scoreboard():
client = login_as_user(app)
r = client.get('/scoreboard')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_scores():
@@ -104,6 +114,7 @@ def test_user_get_scores():
client = login_as_user(app)
r = client.get('/scores')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_topteams():
@@ -114,6 +125,7 @@ def test_user_get_topteams():
client = login_as_user(app)
r = client.get('/top/10')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_challenges():
@@ -124,6 +136,7 @@ def test_user_get_challenges():
client = login_as_user(app)
r = client.get('/challenges')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_chals():
@@ -134,6 +147,7 @@ def test_user_get_chals():
client = login_as_user(app)
r = client.get('/chals')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_solves_per_chal():
@@ -144,6 +158,7 @@ def test_user_get_solves_per_chal():
client = login_as_user(app)
r = client.get('/chals/solves')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_solves():
@@ -154,6 +169,7 @@ def test_user_get_solves():
client = login_as_user(app)
r = client.get('/solves')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_team_page():
@@ -164,6 +180,7 @@ def test_user_get_team_page():
client = login_as_user(app)
r = client.get('/team/2')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_profile():
@@ -174,6 +191,7 @@ def test_user_get_profile():
client = login_as_user(app)
r = client.get('/profile')
assert r.status_code == 200
destroy_ctfd(app)
def test_user_get_logout():
@@ -186,6 +204,7 @@ def test_user_get_logout():
r = client.get('/challenges')
assert r.location == "http://localhost/login?next=challenges"
assert r.status_code == 302
destroy_ctfd(app)
def test_user_get_reset_password():
@@ -196,6 +215,7 @@ def test_user_get_reset_password():
client = app.test_client()
r = client.get('/reset_password')
assert r.status_code == 200
destroy_ctfd(app)
def test_viewing_challenges():
@@ -208,6 +228,7 @@ def test_viewing_challenges():
r = client.get('/chals')
chals = json.loads(r.get_data(as_text=True))
assert len(chals['game']) == 1
destroy_ctfd(app)
def test_submitting_correct_flag():
@@ -227,6 +248,7 @@ def test_submitting_correct_flag():
assert r.status_code == 200
resp = json.loads(r.data.decode('utf8'))
assert resp.get('status') == 1 and resp.get('message') == "Correct"
destroy_ctfd(app)
def test_submitting_incorrect_flag():
@@ -246,6 +268,7 @@ def test_submitting_incorrect_flag():
assert r.status_code == 200
resp = json.loads(r.data.decode('utf8'))
assert resp.get('status') == 0 and resp.get('message') == "Incorrect"
destroy_ctfd(app)
def test_submitting_unicode_flag():
@@ -265,6 +288,50 @@ def test_submitting_unicode_flag():
assert r.status_code == 200
resp = json.loads(r.data.decode('utf8'))
assert resp.get('status') == 1 and resp.get('message') == "Correct"
destroy_ctfd(app)
def test_submitting_flags_with_large_ips():
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
# SQLite doesn't support BigInteger well so we can't test it properly
ip_addresses = ['172.18.0.1', '255.255.255.255', '2001:0db8:85a3:0000:0000:8a2e:0370:7334']
for ip_address in ip_addresses:
# Monkeypatch get_ip
utils.get_ip = lambda: ip_address
# Generate challenge and flag
chal = gen_challenge(app.db)
chal_id = chal.id
flag = gen_flag(app.db, chal=chal.id, flag=u'correct_key')
# Submit wrong_key
with client.session_transaction() as sess:
data = {
"key": 'wrong_key',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal_id), data=data)
assert r.status_code == 200
resp = json.loads(r.data.decode('utf8'))
assert resp.get('status') == 0 and resp.get('message') == "Incorrect"
assert WrongKeys.query.filter_by(ip=ip_address).first()
# Submit correct key
with client.session_transaction() as sess:
data = {
"key": 'correct_key',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal_id), data=data)
assert r.status_code == 200
resp = json.loads(r.data.decode('utf8'))
assert resp.get('status') == 1 and resp.get('message') == "Correct"
assert Solves.query.filter_by(ip=ip_address).first()
destroy_ctfd(app)
def test_pages_routing_and_rendering():
@@ -279,6 +346,7 @@ def test_pages_routing_and_rendering():
r = client.get('/test')
output = r.get_data(as_text=True)
assert "<h2>The quick brown fox jumped over the lazy dog</h2>" in output
destroy_ctfd(app)
def test_themes_handler():
@@ -298,6 +366,7 @@ def test_themes_handler():
assert r.status_code == 404
r = client.get('/themes/original/static/../../../utils.py')
assert r.status_code == 404
destroy_ctfd(app)
def test_ctfd_setup_redirect():
@@ -312,3 +381,4 @@ def test_ctfd_setup_redirect():
# Files in /themes load properly
r = client.get('/themes/original/static/css/style.css')
assert r.status_code == 200
destroy_ctfd(app)