From aa00f3d91d70ed3bbef35f3fccd095a146af0371 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 6 Sep 2024 03:30:30 +0000
Subject: [PATCH 1/4] Patched /tmp/tmplsnd8dep/introduction/playground/A6/utility.py

---
 introduction/playground/A6/utility.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/introduction/playground/A6/utility.py b/introduction/playground/A6/utility.py
index ee85180..87a802a 100644
--- a/introduction/playground/A6/utility.py
+++ b/introduction/playground/A6/utility.py
@@ -6,10 +6,10 @@ def check_vuln(list_of_modules)->list:
 for i in list_of_modules:
 k = i.split("==")
 url = f"https://pypi.org/pypi/{k[0]}/{k[1]}/json"
- response = requests.get(url)
+ response = requests.get(url, timeout=10)
 response.raise_for_status()
 info = response.json()
 existing_vuln = info['vulnerabilities']
 if len(existing_vuln) > 0:
 vulns.append(existing_vuln)
- return vulns
\ No newline at end of file
+ return vulns

From 1fb8648a852cb085d03efdc8ee42101bbc2793e9 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 6 Sep 2024 03:30:30 +0000
Subject: [PATCH 2/4] Patched /tmp/tmplsnd8dep/introduction/playground/A6/soln.py

---
 introduction/playground/A6/soln.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/introduction/playground/A6/soln.py b/introduction/playground/A6/soln.py
index ee85180..ce26f89 100644
--- a/introduction/playground/A6/soln.py
+++ b/introduction/playground/A6/soln.py
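Review bot: `k = i.split("==")` two lines above the changed `requests.get` still assumes every entry is written as `name==version`, so an unpinned or `>=`-pinned requirement raises IndexError on `k[1]` before any request is made, and the new `timeout=10` does nothing for that path. Parse defensively, e.g. `name, sep, version = i.partition("=="); if not sep: raise ValueError(f"expected name==version, got {i!r}")`, or skip such entries if the scan is meant to be best-effort. The timeout is the right addition, but `requests.Timeout` and the `HTTPError` from `raise_for_status()` (a 404 for an unknown package or version) now propagate and abort the whole scan, so decide whether one bad module should fail the run. `check_vuln` starts before this hunk; `vulns` is initialised outside it.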
@@ -6,10 +6,10 @@ def check_vuln(list_of_modules)->list:
 for i in list_of_modules:
 k = i.split("==")
 url = f"https://pypi.org/pypi/{k[0]}/{k[1]}/json"
- response = requests.get(url)
+ response = requests.get(url, timeout=10)
 response.raise_for_status()
 info = response.json()
 existing_vuln = info['vulnerabilities']
 if len(existing_vuln) > 0:
- vulns.append(existing_vuln)
+ vulns.append(existing_vuln)
 return vulns
\ No newline at end of file

From e2ae36850f941648740084b533f8723b35226ddd Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 6 Sep 2024 03:30:30 +0000
Subject: [PATCH 3/4] Patched /tmp/tmplsnd8dep/introduction/views.py

---
 introduction/views.py | 56 ++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 27 deletions(-)

diff --git a/introduction/views.py b/introduction/views.py
index 0f550c4..2808dfb 100644
--- a/introduction/views.py
+++ b/introduction/views.py
@@ -202,6 +202,9 @@ class TestUser:
 encoded_user = base64.b64encode(pickled_user)
 def insec_des_lab(request):
+ from jsonschema import validate, ValidationError
+ import json
+
 if request.user.is_authenticated:
 response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Only Admins can see this page"})
 token = request.COOKIES.get('token')
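Review bot: Apart from `timeout=10`, the only other changed line in this hunk, `vulns.append(existing_vuln)`, has identical text on both sides in this rendering (a whitespace-only change), so the function still returns a list of per-module lists rather than a flat list of vulnerability records; if callers iterate the result as findings, `vulns.extend(existing_vuln)` is probably what was meant — confirm against the caller. The `k[1]` index two lines above the changed `requests.get` is also still unguarded and raises IndexError for any requirement not written as `name==version`. Note this file has the same blob id (`ee85180`) as `utility.py` in the previous patch, so whatever fix lands here should land there too. `check_vuln` begins outside the hunk.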
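Review bot: The `from jsonschema import validate, ValidationError` added at the top of `insec_des_lab` pulls a third-party package into a view body, and the local `import json` duplicates a module-level import this file appears to already have (the `cmd_lab2` hunk later in this same patch calls `json.loads` with no local import); both belong in the module's import block, with `jsonschema` added to the project's requirements if it is not there yet. An ImportError from a missing `jsonschema` would only surface as a 500 when this view is hit, which is easy to miss in review. Function-scope imports are also not this file's style as far as the hunks show. The rest of `insec_des_lab` is outside this hunk.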
@@ -210,15 +213,27 @@ def insec_des_lab(request):
 response.set_cookie(key='token',value=token.decode('utf-8'))
 else:
 token = base64.b64decode(token)
- admin = pickle.loads(token)
- if admin.admin == 1:
- response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Welcome Admin, SECRETKEY:ADMIN123"})
- return response
+ intermediary_schema = {
+ "type": "object",
+ "properties": {
+ "admin": {"type": "integer"}
+ },
+ "required": ["admin"],
+ "additionalProperties": False,
+ }
+ try:
+ intermediary_object = json.loads(token)
+ validate(instance=intermediary_object, schema=intermediary_schema)
+ if intermediary_object['admin'] == 1:
+ response = render(request,'Lab/insec_des/insec_des_lab.html', {"message":"Welcome Admin, SECRETKEY:ADMIN123"})
+ return response
+ except (ValidationError, json.JSONDecodeError):
+ # Handle validation errors gracefully
+ # ...
 return response
 else:
 return redirect('login')
-
 #****************************************************XXE********************************************************#
@@ -248,21 +263,14 @@ def xxe_see(request):
 @csrf_exempt
 def xxe_parse(request):
-
- parser = make_parser()
- parser.setFeature(feature_external_ges, True)
- doc = parseString(request.body.decode('utf-8'), parser=parser)
- for event, node in doc:
- if event == START_ELEMENT and node.tagName == 'text':
- doc.expandNode(node)
- text = node.toxml()
- startInd = text.find('>')
- endInd = text.find('<', startInd)
- text = text[startInd + 1:endInd:]
+ from defusedxml.ElementTree import fromstring
+ xml_data = request.body.decode('utf-8')
+ doc = fromstring(xml_data)
+ text = ''
+ for node in doc.getElementsByTagName('text'):
+ text = node.firstChild.nodeValue if node.firstChild else ''
 p=comments.objects.filter(id=1).update(comment=text)
-
 return render(request, 'Lab/XXE/xxe_lab.html')
-
 def auth_home(request):
 return render(request,'Lab/AUTH/auth_home.html')
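Review bot: The new `except (ValidationError, json.JSONDecodeError):` clause has only two comment lines under it, and the `return response` that follows is an unchanged context line that sat at the `else:` body level on the old side, so as rendered the except clause has no statement body and the module fails to compile with a SyntaxError; at minimum add `pass`, better set a message, e.g. `response = render(request, 'Lab/insec_des/insec_des_lab.html', {"message": "Invalid token"})`. Separately, the cookie issued by the unchanged `set_cookie(key='token', value=token.decode('utf-8'))` branch above is not updated here, and from the `encoded_user = base64.b64encode(pickled_user)` context in the previous hunk it looks like a base64-encoded pickle, so a freshly issued token will always fail `json.loads` and nobody can reach the admin branch; that branch needs to issue a JSON token, e.g. `base64.b64encode(json.dumps({"admin": 0}).encode())`. A malformed cookie still raises `binascii.Error` from the unchanged `base64.b64decode(token)` line, which the new except does not catch. This file looks like a deliberately vulnerable training lab (`Lab/insec_des`, `SECRETKEY:ADMIN123`), so confirm that removing the pickle sink is actually intended.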
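Review bot: `fromstring` from `defusedxml.ElementTree` returns a standard `xml.etree.ElementTree.Element`, which has no `getElementsByTagName`, `firstChild` or `nodeValue` (those are DOM/minidom APIs), so the new loop in `xxe_parse` raises AttributeError on every request; use the ElementTree API instead: `for node in doc.iter('text'): text = node.text or ''`. `defusedxml` is a third-party package that must be in the project's requirements, and the import belongs at module level rather than inside the view. As rendered, the `return render(request, 'Lab/XXE/xxe_lab.html')` line survives as context between two removed blank lines; if it was in fact removed, the view would return None and Django would reject the response. As with the other labs in this file, confirm that disabling the XXE sink is intended for a training application.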
@@ -414,22 +422,18 @@ def cmd_lab(request):
 os=request.POST.get('os')
 print(os)
 if(os=='win'):
- command="nslookup {}".format(domain)
+ command=["nslookup", domain]
 else:
- command = "dig {}".format(domain)
+ command = ["dig", domain]
 try:
- # output=subprocess.check_output(command,shell=True,encoding="UTF-8")
 process = subprocess.Popen(
 command,
- shell=True,
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE)
 stdout, stderr = process.communicate()
 data = stdout.decode('utf-8')
 stderr = stderr.decode('utf-8')
- # res = json.loads(data)
- # print("Stdout\n" + data)
 output = data + stderr
 print(data + stderr)
 except:
@@ -441,7 +445,6 @@ def cmd_lab(request):
 return render(request, 'Lab/CMD/cmd_lab.html')
 else:
 return redirect('login')
-
 @csrf_exempt
 def cmd_lab2(request):
 if request.user.is_authenticated:
@@ -450,7 +453,7 @@ def cmd_lab2(request):
 print(val)
 try:
- output = eval(val)
+ output = json.loads(val)
 except:
 output = "Something went wrong"
 return render(request,'Lab/CMD/cmd_lab2.html',{"output":output})
@@ -460,7 +463,6 @@ def cmd_lab2(request):
 return render(request, 'Lab/CMD/cmd_lab2.html')
 else:
 return redirect('login')
-
 #******************************************Broken Authentication**************************************************#
 def bau(request):

From a4914d992276c9eb3e4be7b082515607ed8401b9 Mon Sep 17 00:00:00 2001
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com>
Date: Fri, 6 Sep 2024 03:30:30 +0000
Subject: [PATCH 4/4] Patched /tmp/tmplsnd8dep/introduction/mitre.py

---
 introduction/mitre.py | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/introduction/mitre.py b/introduction/mitre.py
index c899c21..71c78dd 100644
--- a/introduction/mitre.py
+++ b/introduction/mitre.py
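Review bot: Switching to the list form `["nslookup", domain]` / `["dig", domain]` removes shell-metacharacter injection, but `domain` is still handed to the binary unvalidated as an argument, and both tools parse a leading `-` or `+` as an option (`dig -f <file>` reads queries from a file, `+trace` or `@server` changes behaviour), so argument injection remains; validate before building the command, e.g. `if not domain or not re.fullmatch(r'[A-Za-z0-9.-]{1,253}', domain): output = 'invalid domain'`. A missing POST field also leaves `domain` as None (it is assigned before the hunk), which makes `Popen` raise TypeError and is then hidden by the bare `except:` this hunk keeps. `communicate()` has no timeout, so a slow resolver ties up the worker indefinitely. Whether this lab is meant to stay exploitable is a question for the project; `cmd_lab` starts and ends outside the hunk.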
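Review bot: `output = json.loads(val)` is a safe replacement for `eval`, but the bare `except:` kept on the next line still catches everything, including `KeyboardInterrupt`, and a missing field (`val` is None) now fails with TypeError rather than a decode error; narrow it to `except (TypeError, ValueError):`, which covers `json.JSONDecodeError` as well. The hunk adds no `import json`; the commented-out `# res = json.loads(data)` removed in the `cmd_lab` hunk suggests the module already imports it, but that should be confirmed before merging. `cmd_lab2` previously evaluated Python expressions, so if the lab page expects arithmetic results the template and lab text need updating too. `cmd_lab2` starts outside this hunk.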
@@ -152,13 +152,28 @@ def mitre_top25(request):
 return render(request, 'mitre/mitre_top25.html')
 @authentication_decorator
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.backends import default_backend
+
+import os
+
+
 def csrf_lab_login(request):
 if request.method == 'GET':
 return render(request, 'mitre/csrf_lab_login.html')
 elif request.method == 'POST':
 password = request.POST.get('password')
 username = request.POST.get('username')
- password = md5(password.encode()).hexdigest()
+ salt = os.urandom(16)
+ kdf = PBKDF2HMAC(
+ algorithm=hashes.SHA384(),
+ length=32,
+ salt=salt,
+ iterations=100000,
+ backend=default_backend()
+ )
+ password = kdf.derive(password.encode())
 User = CSRF_user_tbl.objects.filter(username=username, password=password)
 if User:
 payload ={
@@ -172,7 +187,6 @@ def csrf_lab_login(request):
 return response
 else :
 return redirect('/mitre/9/lab/login')
-
 @authentication_decorator
 @csrf_exempt
 def csrf_transfer_monei(request):
@@ -215,12 +229,15 @@ def csrf_transfer_monei_api(request,recipent,amount):
 def mitre_lab_25_api(request):
 if request.method == "POST":
 expression = request.POST.get('expression')
- result = eval(expression)
+ # Replace eval with a safer alternative
+ try:
+ result = json.loads(expression)
+ except (ValueError, TypeError) as e:
+ return JsonResponse({'error': str(e)}, status=400)
 return JsonResponse({'result': result})
 else:
 return redirect('/mitre/25/lab/')
-
 @authentication_decorator
 def mitre_lab_25(request):
 return render(request, 'mitre/mitre_lab_25.html')
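Review bot: The three `from cryptography...` lines and `import os` are inserted between `@authentication_decorator` and `def csrf_lab_login(request):`, and Python requires the decorated `def` to follow its decorator immediately, so the whole module fails with a SyntaxError at import time; move them to the file's import block. Even with that fixed the login can never succeed: `salt = os.urandom(16)` is a fresh salt on every request and `kdf.derive` returns raw bytes that are then used in `filter(username=username, password=password)`, so the value matches neither the md5 hex digests stored under the old scheme nor any earlier derivation. Password verification needs a stored salt and a comparison, not a filter: look the user up by username and verify against the stored hash — in a Django app `django.contrib.auth.hashers.check_password(password, user.password)` gives salted PBKDF2 with constant-time comparison for free, and existing rows need a migration off md5. `backend=default_backend()` is no longer required by current `cryptography` releases. The rest of the view and the `CSRF_user_tbl` model are outside this hunk.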
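Review bot: The added comment `# Replace eval with a safer alternative` in `mitre_lab_25_api` describes the edit rather than the code; replace it with the reason, e.g. `# expression is untrusted POST input: parse it as a JSON literal, never evaluate it`. `json.loads` does not evaluate arithmetic, so if lab 25 is meant to compute an expression the view now returns the parsed literal and the lab page will need adjusting — confirm intent; a restricted evaluator over an `ast` whitelist would be the alternative. The `(ValueError, TypeError)` catch correctly covers both a malformed string and a missing field (`None`). `json` and `JsonResponse` are not imported in this hunk, so make sure the module already has them. `mitre_lab_25_api` appears to be fully inside the hunk.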
@@ -230,9 +247,8 @@ def mitre_lab_17(request):
 return render(request, 'mitre/mitre_lab_17.html')
 def command_out(command):
- process = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- return process.communicate()
-
+ process = subprocess.Popen(command, shell=False, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ return process.communicate()
 @csrf_exempt
 def mitre_lab_17_api(request):