mirror of
https://github.com/aljazceru/CTFd.git
synced 2025-12-17 05:54:19 +01:00
36c83b59bc
* Changing to a new plugin oriented challenge type plugin and fixing extra width on admin chal description * Add window.challenge.submit, renderSubmissionResponse, and csrf_nonce * Update admin side renderer calls * Updating to Flask 1.0 and adding files for flask run * Adding a preliminary case-insensitive key * Adding case insensitive keys * Adding CTF Logo * Reducing the amount of team information shown on the main page * Add better base64 helpers * Switch from button to badge * Rudimentary solve checking from admin panel * Refine admin chals solves view & fix PEP8 * Compare base64 encoded data with bytestring * Removing need to urlencode/urldecode in base64 wrappers * Adding decorator documentation * Randomly order tests & add test for case_insensitive flags * Add regex flag case_insensitive test * Add tests for /admin/chal/1/solves and ctf_logo
202 lines
7.0 KiB
Python
202 lines
7.0 KiB
Python
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
|
|
from CTFd.models import Teams, Solves, WrongKeys
|
|
from CTFd.utils import get_config, set_config
|
|
from CTFd import utils
|
|
from tests.helpers import *
|
|
from freezegun import freeze_time
|
|
from mock import patch
|
|
import json
|
|
|
|
|
|
def test_user_can_view_challenges():
|
|
"""Test that user_can_view_challenges allows users to view challenges while not logged in"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
set_config('view_challenges_unregistered', True)
|
|
utils.cache.clear() # Need to clear the cached configuration
|
|
chal = gen_challenge(app.db)
|
|
with app.test_client() as client:
|
|
r = client.get('/challenges')
|
|
assert r.status_code == 200
|
|
r = client.get('/chals')
|
|
assert r.status_code == 200
|
|
utils.cache.clear() # Need to clear the cached configuration
|
|
set_config('view_challenges_unregistered', False)
|
|
with app.test_client() as client:
|
|
r = client.get('/challenges')
|
|
assert r.status_code == 302
|
|
r = client.get('/chals')
|
|
assert r.status_code == 403
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_verify_emails_config():
|
|
"""Test that users can only solve challenges if they are logged in and verified if verify_emails is set"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
utils.cache.clear() # Need to clear the cached configuration
|
|
set_config('verify_emails', True)
|
|
chal = gen_challenge(app.db)
|
|
|
|
register_user(app)
|
|
client = login_as_user(app)
|
|
|
|
r = client.get('/challenges')
|
|
assert r.location == "http://localhost/confirm"
|
|
assert r.status_code == 302
|
|
|
|
r = client.get('/chals')
|
|
assert r.location == "http://localhost/confirm"
|
|
assert r.status_code == 302
|
|
|
|
user = Teams.query.filter_by(id=2).first()
|
|
user.verified = True
|
|
app.db.session.commit()
|
|
|
|
r = client.get('/challenges')
|
|
assert r.status_code == 200
|
|
|
|
r = client.get('/chals')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_verify_and_view_unregistered():
|
|
"""If both verify_emails and user_can_view_challenges are set, the user should see challenges while unregistered
|
|
but be locked out if they register until they confirm their email address"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
utils.cache.clear() # Need to clear the cached configuration
|
|
set_config('view_challenges_unregistered', True)
|
|
set_config('verify_emails', True)
|
|
chal = gen_challenge(app.db)
|
|
|
|
# We are not authed but we should still be able to see challenges
|
|
with app.test_client() as client:
|
|
r = client.get('/challenges')
|
|
assert r.status_code == 200
|
|
|
|
r = client.get('/chals')
|
|
assert r.status_code == 200
|
|
|
|
# Logging in...
|
|
register_user(app)
|
|
client = login_as_user(app)
|
|
|
|
# We are now logged in so we should be redirected to the confirmation page
|
|
r = client.get('/challenges')
|
|
assert r.location == "http://localhost/confirm"
|
|
assert r.status_code == 302
|
|
|
|
r = client.get('/chals')
|
|
assert r.location == "http://localhost/confirm"
|
|
assert r.status_code == 302
|
|
|
|
user = Teams.query.filter_by(id=2).first()
|
|
user.verified = True
|
|
app.db.session.commit()
|
|
|
|
# Double check that we can see challenges
|
|
r = client.get('/challenges')
|
|
assert r.status_code == 200
|
|
|
|
r = client.get('/chals')
|
|
assert r.status_code == 200
|
|
destroy_ctfd(app)
|
|
|
|
|
|
@freeze_time("2019-02-24 03:21:34")
|
|
def test_expired_confirmation_links():
|
|
"""Test that expired confirmation links are reported to the user"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
set_config('verify_emails', True)
|
|
|
|
register_user(app, email="user@user.com")
|
|
client = login_as_user(app, name="user", password="password")
|
|
|
|
# user@user.com "2012-01-14 03:21:34"
|
|
confirm_link = 'http://localhost/confirm/InVzZXJAdXNlci5jb20iLkFmS0dQZy5kLUJnVkgwaUhadzFHaXVENHczWTJCVVJwdWc'
|
|
r = client.get(confirm_link)
|
|
|
|
assert "Your confirmation link has expired" in r.get_data(as_text=True)
|
|
team = Teams.query.filter_by(email='user@user.com').first()
|
|
assert team.verified is not True
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_invalid_confirmation_links():
|
|
"""Test that invalid confirmation links are reported to the user"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
set_config('verify_emails', True)
|
|
|
|
register_user(app, email="user@user.com")
|
|
client = login_as_user(app, name="user", password="password")
|
|
|
|
# user@user.com "2012-01-14 03:21:34"
|
|
confirm_link = 'http://localhost/confirm/a8375iyu<script>alert(1)<script>hn3048wueorighkgnsfg'
|
|
r = client.get(confirm_link)
|
|
|
|
assert "Your confirmation token is invalid" in r.get_data(as_text=True)
|
|
team = Teams.query.filter_by(email='user@user.com').first()
|
|
assert team.verified is not True
|
|
destroy_ctfd(app)
|
|
|
|
|
|
@freeze_time("2019-02-24 03:21:34")
|
|
def test_expired_reset_password_link():
|
|
"""Test that expired reset password links are reported to the user"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
set_config('mail_server', 'localhost')
|
|
set_config('mail_port', 25)
|
|
set_config('mail_username', 'username')
|
|
set_config('mail_password', 'password')
|
|
|
|
register_user(app, name="user1", email="user@user.com")
|
|
|
|
with app.test_client() as client:
|
|
# user@user.com "2012-01-14 03:21:34"
|
|
forgot_link = 'http://localhost/reset_password/InVzZXIxIi5BZktHUGcuTVhkTmZtOWU2U2xwSXZ1MlFwTjdwa3F5V3hR'
|
|
r = client.get(forgot_link)
|
|
|
|
assert "Your link has expired" in r.get_data(as_text=True)
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_invalid_reset_password_link():
|
|
"""Test that invalid reset password links are reported to the user"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
set_config('mail_server', 'localhost')
|
|
set_config('mail_port', 25)
|
|
set_config('mail_username', 'username')
|
|
set_config('mail_password', 'password')
|
|
|
|
register_user(app, name="user1", email="user@user.com")
|
|
|
|
with app.test_client() as client:
|
|
# user@user.com "2012-01-14 03:21:34"
|
|
forgot_link = 'http://localhost/reset_password/5678ytfghjiu876tyfg<>hvbnmkoi9u87y6trdfcgvhbnm,lp09iujmk'
|
|
r = client.get(forgot_link)
|
|
|
|
assert "Your reset token is invalid" in r.get_data(as_text=True)
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_contact_for_password_reset():
|
|
"""Test that if there is no mailserver configured, users should contact admins"""
|
|
app = create_ctfd()
|
|
with app.app_context():
|
|
register_user(app, name="user1", email="user@user.com")
|
|
|
|
with app.test_client() as client:
|
|
forgot_link = 'http://localhost/reset_password'
|
|
r = client.get(forgot_link)
|
|
|
|
assert "Contact a CTF organizer" in r.get_data(as_text=True)
|
|
destroy_ctfd(app)
|