mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 14:04:20 +01:00
adc70fb320
Alpha release of CTFd v3.
# 3.0.0a1 / 2020-07-01
**General**
- CTFd is now Python 3 only
- Render markdown with the CommonMark spec provided by `cmarkgfm`
- Render markdown stripped of any malicious JavaScript or HTML.
- This is a significant change from previous versions of CTFd where any HTML content from an admin was considered safe.
- Inject `Config`, `User`, `Team`, `Session`, and `Plugin` globals into Jinja
- User sessions no longer store any user-specific attributes.
- Sessions only store the user's ID, CSRF nonce, and an hmac of the user's password
- This allows for session invalidation on password changes
- The user facing side of CTFd now has user and team searching
- GeoIP support now available for converting IP addresses to guessed countries
**Admin Panel**
- Use EasyMDE as an improved description/text editor for Markdown enabled fields.
- Media Library button now integrated into EasyMDE enabled fields
- VueJS now used as the underlying implementation for the Media Library
- Fix setting theme color in Admin Panel
- Green outline border has been removed from the Admin Panel
**API**
- Significant overhauls in API documentation provided by Swagger UI and Swagger json
- Make almost all API endpoints provide filtering and searching capabilities
- Change `GET /api/v1/config/<config_key>` to return structured data according to ConfigSchema
**Themes**
- Themes now have access to the `Configs` global which provides wrapped access to `get_config`.
- For example, `{{ Configs.ctf_name }}` instead of `get_ctf_name()` or `get_config('ctf_name')`
- Themes must now specify a `challenge.html` which control how a challenge should look.
- The main library for charts has been changed from Plotly to Apache ECharts.
- Forms have been moved into wtforms for easier form rendering inside of Jinja.
- From Jinja you can access forms via the Forms global i.e. `{{ Forms }}`
- This allows theme developers to more easily re-use a form without having to copy-paste HTML.
- Themes can now provide a theme settings JSON blob which can be injected into the theme with `{{ Configs.theme_settings }}`
- Core theme now includes the challenge ID in location hash identifiers to always refer the right challenge despite duplicate names
**Plugins**
- Challenge plugins have changed in structure to better allow integration with themes and prevent obtrusive Javascript/XSS.
- Challenge rendering now uses `challenge.html` from the provided theme.
- Accessing the challenge view content is now provided by `/api/v1/challenges/<challenge_id>` in the `view` section. This allows for HTML to be properly sanitized and rendered by the server allowing CTFd to remove client side Jinja rendering.
- `challenge.html` now specifies what's required and what's rendered by the theme. This allows the challenge plugin to avoid having to deal with aspects of the challenge besides the description and input.
- A more complete migration guide will be provided when CTFd v3 leaves beta
- Display current attempt count in challenge view when max attempts is enabled
- `get_standings()`, `get_team_stanadings()`, `get_user_standings()` now has a fields keyword argument that allows for specificying additional fields that SQLAlchemy should return when building the response set.
- Useful for gathering additional data when building scoreboard pages
- Flags can now control the message that is shown to the user by raising `FlagException`
- Fix `override_template()` functionality
**Deployment**
- Enable SQLAlchemy's `pool_pre_ping` by default to reduce the likelihood of database connection issues
- Mailgun email settings are now deprecated. Admins should move to SMTP email settings instead.
- Postgres is now considered a second class citizen in CTFd. It is tested against but not a main database backend. If you use Postgres, you are entirely on your own with regards to supporting CTFd.
- Docker image now uses Debian instead of Alpine. See https://github.com/CTFd/CTFd/issues/1215 for rationale.
- `docker-compose.yml` now uses a non-root user to connect to MySQL/MariaDB
- `config.py` should no longer be editting for configuration, instead edit `config.ini` or the environment variables in `docker-compose.yml`
415 lines
14 KiB
Python
415 lines
14 KiB
Python
import os
|
|
|
|
from flask import Blueprint, abort
|
|
from flask import current_app as app
|
|
from flask import redirect, render_template, request, send_file, session, url_for
|
|
from flask.helpers import safe_join
|
|
from sqlalchemy.exc import IntegrityError
|
|
|
|
from CTFd.cache import cache
|
|
from CTFd.constants.config import (
|
|
AccountVisibilityTypes,
|
|
ChallengeVisibilityTypes,
|
|
ConfigTypes,
|
|
RegistrationVisibilityTypes,
|
|
ScoreVisibilityTypes,
|
|
)
|
|
from CTFd.models import (
|
|
Admins,
|
|
Files,
|
|
Notifications,
|
|
Pages,
|
|
Teams,
|
|
Users,
|
|
UserTokens,
|
|
db,
|
|
)
|
|
from CTFd.utils import config, get_config, set_config
|
|
from CTFd.utils import user as current_user
|
|
from CTFd.utils import validators
|
|
from CTFd.utils.config import is_setup
|
|
from CTFd.utils.config.pages import get_page
|
|
from CTFd.utils.config.visibility import challenges_visible
|
|
from CTFd.utils.dates import ctf_ended, ctftime, view_after_ctf
|
|
from CTFd.utils.decorators import authed_only
|
|
from CTFd.utils.email import (
|
|
DEFAULT_PASSWORD_RESET_BODY,
|
|
DEFAULT_PASSWORD_RESET_SUBJECT,
|
|
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_BODY,
|
|
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_SUBJECT,
|
|
DEFAULT_USER_CREATION_EMAIL_BODY,
|
|
DEFAULT_USER_CREATION_EMAIL_SUBJECT,
|
|
DEFAULT_VERIFICATION_EMAIL_BODY,
|
|
DEFAULT_VERIFICATION_EMAIL_SUBJECT,
|
|
)
|
|
from CTFd.utils.helpers import get_errors, get_infos, markup
|
|
from CTFd.utils.modes import USERS_MODE
|
|
from CTFd.utils.security.auth import login_user
|
|
from CTFd.utils.security.csrf import generate_nonce
|
|
from CTFd.utils.security.signing import (
|
|
BadSignature,
|
|
BadTimeSignature,
|
|
SignatureExpired,
|
|
serialize,
|
|
unserialize,
|
|
)
|
|
from CTFd.utils.uploads import get_uploader
|
|
from CTFd.utils.user import authed, get_current_user, is_admin
|
|
|
|
views = Blueprint("views", __name__)
|
|
|
|
|
|
@views.route("/setup", methods=["GET", "POST"])
|
|
def setup():
|
|
errors = get_errors()
|
|
if not config.is_setup():
|
|
if not session.get("nonce"):
|
|
session["nonce"] = generate_nonce()
|
|
if request.method == "POST":
|
|
# General
|
|
ctf_name = request.form.get("ctf_name")
|
|
ctf_description = request.form.get("ctf_description")
|
|
user_mode = request.form.get("user_mode", USERS_MODE)
|
|
set_config("ctf_name", ctf_name)
|
|
set_config("ctf_description", ctf_description)
|
|
set_config("user_mode", user_mode)
|
|
|
|
# Style
|
|
theme = request.form.get("ctf_theme", "core")
|
|
set_config("ctf_theme", theme)
|
|
theme_color = request.form.get("theme_color")
|
|
theme_header = get_config("theme_header")
|
|
if theme_color and bool(theme_header) is False:
|
|
# Uses {{ and }} to insert curly braces while using the format method
|
|
css = (
|
|
'<style id="theme-color">\n'
|
|
":root {{--theme-color: {theme_color};}}\n"
|
|
".navbar{{background-color: var(--theme-color) !important;}}\n"
|
|
".jumbotron{{background-color: var(--theme-color) !important;}}\n"
|
|
"</style>\n"
|
|
).format(theme_color=theme_color)
|
|
set_config("theme_header", css)
|
|
|
|
# DateTime
|
|
start = request.form.get("start")
|
|
end = request.form.get("end")
|
|
set_config("start", start)
|
|
set_config("end", end)
|
|
set_config("freeze", None)
|
|
|
|
# Administration
|
|
name = request.form["name"]
|
|
email = request.form["email"]
|
|
password = request.form["password"]
|
|
|
|
name_len = len(name) == 0
|
|
names = Users.query.add_columns("name", "id").filter_by(name=name).first()
|
|
emails = (
|
|
Users.query.add_columns("email", "id").filter_by(email=email).first()
|
|
)
|
|
pass_short = len(password) == 0
|
|
pass_long = len(password) > 128
|
|
valid_email = validators.validate_email(request.form["email"])
|
|
team_name_email_check = validators.validate_email(name)
|
|
|
|
if not valid_email:
|
|
errors.append("Please enter a valid email address")
|
|
if names:
|
|
errors.append("That user name is already taken")
|
|
if team_name_email_check is True:
|
|
errors.append("Your user name cannot be an email address")
|
|
if emails:
|
|
errors.append("That email has already been used")
|
|
if pass_short:
|
|
errors.append("Pick a longer password")
|
|
if pass_long:
|
|
errors.append("Pick a shorter password")
|
|
if name_len:
|
|
errors.append("Pick a longer user name")
|
|
|
|
if len(errors) > 0:
|
|
return render_template(
|
|
"setup.html",
|
|
errors=errors,
|
|
name=name,
|
|
email=email,
|
|
password=password,
|
|
state=serialize(generate_nonce()),
|
|
)
|
|
|
|
admin = Admins(
|
|
name=name, email=email, password=password, type="admin", hidden=True
|
|
)
|
|
|
|
# Index page
|
|
|
|
index = """<div class="row">
|
|
<div class="col-md-6 offset-md-3">
|
|
<img class="w-100 mx-auto d-block" style="max-width: 500px;padding: 50px;padding-top: 14vh;" src="themes/core/static/img/logo.png" />
|
|
<h3 class="text-center">
|
|
<p>A cool CTF platform from <a href="https://ctfd.io">ctfd.io</a></p>
|
|
<p>Follow us on social media:</p>
|
|
<a href="https://twitter.com/ctfdio"><i class="fab fa-twitter fa-2x" aria-hidden="true"></i></a>
|
|
<a href="https://facebook.com/ctfdio"><i class="fab fa-facebook fa-2x" aria-hidden="true"></i></a>
|
|
<a href="https://github.com/ctfd"><i class="fab fa-github fa-2x" aria-hidden="true"></i></a>
|
|
</h3>
|
|
<br>
|
|
<h4 class="text-center">
|
|
<a href="admin">Click here</a> to login and setup your CTF
|
|
</h4>
|
|
</div>
|
|
</div>"""
|
|
|
|
page = Pages(title=None, route="index", content=index, draft=False)
|
|
|
|
# Visibility
|
|
set_config(
|
|
ConfigTypes.CHALLENGE_VISIBILITY, ChallengeVisibilityTypes.PRIVATE
|
|
)
|
|
set_config(
|
|
ConfigTypes.REGISTRATION_VISIBILITY, RegistrationVisibilityTypes.PUBLIC
|
|
)
|
|
set_config(ConfigTypes.SCORE_VISIBILITY, ScoreVisibilityTypes.PUBLIC)
|
|
set_config(ConfigTypes.ACCOUNT_VISIBILITY, AccountVisibilityTypes.PUBLIC)
|
|
|
|
# Verify emails
|
|
set_config("verify_emails", None)
|
|
|
|
set_config("mail_server", None)
|
|
set_config("mail_port", None)
|
|
set_config("mail_tls", None)
|
|
set_config("mail_ssl", None)
|
|
set_config("mail_username", None)
|
|
set_config("mail_password", None)
|
|
set_config("mail_useauth", None)
|
|
|
|
# Set up default emails
|
|
set_config("verification_email_subject", DEFAULT_VERIFICATION_EMAIL_SUBJECT)
|
|
set_config("verification_email_body", DEFAULT_VERIFICATION_EMAIL_BODY)
|
|
|
|
set_config(
|
|
"successful_registration_email_subject",
|
|
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_SUBJECT,
|
|
)
|
|
set_config(
|
|
"successful_registration_email_body",
|
|
DEFAULT_SUCCESSFUL_REGISTRATION_EMAIL_BODY,
|
|
)
|
|
|
|
set_config(
|
|
"user_creation_email_subject", DEFAULT_USER_CREATION_EMAIL_SUBJECT
|
|
)
|
|
set_config("user_creation_email_body", DEFAULT_USER_CREATION_EMAIL_BODY)
|
|
|
|
set_config("password_reset_subject", DEFAULT_PASSWORD_RESET_SUBJECT)
|
|
set_config("password_reset_body", DEFAULT_PASSWORD_RESET_BODY)
|
|
|
|
set_config(
|
|
"password_change_alert_subject",
|
|
"Password Change Confirmation for {ctf_name}",
|
|
)
|
|
set_config(
|
|
"password_change_alert_body",
|
|
(
|
|
"Your password for {ctf_name} has been changed.\n\n"
|
|
"If you didn't request a password change you can reset your password here: {url}"
|
|
),
|
|
)
|
|
|
|
set_config("setup", True)
|
|
|
|
try:
|
|
db.session.add(admin)
|
|
db.session.commit()
|
|
except IntegrityError:
|
|
db.session.rollback()
|
|
|
|
try:
|
|
db.session.add(page)
|
|
db.session.commit()
|
|
except IntegrityError:
|
|
db.session.rollback()
|
|
|
|
login_user(admin)
|
|
|
|
db.session.close()
|
|
with app.app_context():
|
|
cache.clear()
|
|
|
|
return redirect(url_for("views.static_html"))
|
|
return render_template("setup.html", state=serialize(generate_nonce()))
|
|
return redirect(url_for("views.static_html"))
|
|
|
|
|
|
@views.route("/setup/integrations", methods=["GET", "POST"])
|
|
def integrations():
|
|
if is_admin() or is_setup() is False:
|
|
name = request.values.get("name")
|
|
state = request.values.get("state")
|
|
|
|
try:
|
|
state = unserialize(state, max_age=3600)
|
|
except (BadSignature, BadTimeSignature):
|
|
state = False
|
|
except Exception:
|
|
state = False
|
|
|
|
if state:
|
|
if name == "mlc":
|
|
mlc_client_id = request.values.get("mlc_client_id")
|
|
mlc_client_secret = request.values.get("mlc_client_secret")
|
|
set_config("oauth_client_id", mlc_client_id)
|
|
set_config("oauth_client_secret", mlc_client_secret)
|
|
return render_template("admin/integrations.html")
|
|
else:
|
|
abort(404)
|
|
else:
|
|
abort(403)
|
|
else:
|
|
abort(403)
|
|
|
|
|
|
@views.route("/notifications", methods=["GET"])
|
|
def notifications():
|
|
notifications = Notifications.query.order_by(Notifications.id.desc()).all()
|
|
return render_template("notifications.html", notifications=notifications)
|
|
|
|
|
|
@views.route("/settings", methods=["GET"])
|
|
@authed_only
|
|
def settings():
|
|
infos = get_infos()
|
|
|
|
user = get_current_user()
|
|
name = user.name
|
|
email = user.email
|
|
website = user.website
|
|
affiliation = user.affiliation
|
|
country = user.country
|
|
|
|
tokens = UserTokens.query.filter_by(user_id=user.id).all()
|
|
|
|
prevent_name_change = get_config("prevent_name_change")
|
|
|
|
if get_config("verify_emails") and not user.verified:
|
|
confirm_url = markup(url_for("auth.confirm"))
|
|
infos.append(
|
|
markup(
|
|
"Your email address isn't confirmed!<br>"
|
|
"Please check your email to confirm your email address.<br><br>"
|
|
f'To have the confirmation email resent please <a href="{confirm_url}">click here</a>.'
|
|
)
|
|
)
|
|
|
|
return render_template(
|
|
"settings.html",
|
|
name=name,
|
|
email=email,
|
|
website=website,
|
|
affiliation=affiliation,
|
|
country=country,
|
|
tokens=tokens,
|
|
prevent_name_change=prevent_name_change,
|
|
infos=infos,
|
|
)
|
|
|
|
|
|
@views.route("/", defaults={"route": "index"})
|
|
@views.route("/<path:route>")
|
|
def static_html(route):
|
|
"""
|
|
Route in charge of routing users to Pages.
|
|
:param route:
|
|
:return:
|
|
"""
|
|
page = get_page(route)
|
|
if page is None:
|
|
abort(404)
|
|
else:
|
|
if page.auth_required and authed() is False:
|
|
return redirect(url_for("auth.login", next=request.full_path))
|
|
|
|
return render_template("page.html", content=page.content)
|
|
|
|
|
|
@views.route("/files", defaults={"path": ""})
|
|
@views.route("/files/<path:path>")
|
|
def files(path):
|
|
"""
|
|
Route in charge of dealing with making sure that CTF challenges are only accessible during the competition.
|
|
:param path:
|
|
:return:
|
|
"""
|
|
f = Files.query.filter_by(location=path).first_or_404()
|
|
if f.type == "challenge":
|
|
if challenges_visible():
|
|
if current_user.is_admin() is False:
|
|
if not ctftime():
|
|
if ctf_ended() and view_after_ctf():
|
|
pass
|
|
else:
|
|
abort(403)
|
|
else:
|
|
if not ctftime():
|
|
abort(403)
|
|
|
|
# Allow downloads if a valid token is provided
|
|
token = request.args.get("token", "")
|
|
try:
|
|
data = unserialize(token, max_age=3600)
|
|
user_id = data.get("user_id")
|
|
team_id = data.get("team_id")
|
|
file_id = data.get("file_id")
|
|
user = Users.query.filter_by(id=user_id).first()
|
|
team = Teams.query.filter_by(id=team_id).first()
|
|
|
|
# Check user is admin if challenge_visibility is admins only
|
|
if (
|
|
get_config(ConfigTypes.CHALLENGE_VISIBILITY) == "admins"
|
|
and user.type != "admin"
|
|
):
|
|
abort(403)
|
|
|
|
# Check that the user exists and isn't banned
|
|
if user:
|
|
if user.banned:
|
|
abort(403)
|
|
else:
|
|
abort(403)
|
|
|
|
# Check that the team isn't banned
|
|
if team:
|
|
if team.banned:
|
|
abort(403)
|
|
else:
|
|
pass
|
|
|
|
# Check that the token properly refers to the file
|
|
if file_id != f.id:
|
|
abort(403)
|
|
|
|
# The token isn't expired or broken
|
|
except (BadTimeSignature, SignatureExpired, BadSignature):
|
|
abort(403)
|
|
|
|
uploader = get_uploader()
|
|
try:
|
|
return uploader.download(f.location)
|
|
except IOError:
|
|
abort(404)
|
|
|
|
|
|
@views.route("/themes/<theme>/static/<path:path>")
|
|
def themes(theme, path):
|
|
"""
|
|
General static file handler
|
|
:param theme:
|
|
:param path:
|
|
:return:
|
|
"""
|
|
filename = safe_join(app.root_path, "themes", theme, "static", path)
|
|
if os.path.isfile(filename):
|
|
return send_file(filename)
|
|
else:
|
|
abort(404)
|