diff --git a/Dockerfile b/Dockerfile index bf0a3679a..5c449c9a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,6 +21,9 @@ COPY requirements.txt requirements.txt RUN pip install --no-cache-dir -r requirements.txt +# copy project +COPY . /app/ + # install pygoat EXPOSE 8000 diff --git a/README.md b/README.md index a66cf066f..7d8202ec7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# PyGoat +# PyGoat. [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-) @@ -126,3 +126,16 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome! +blabla bla bla bla +blaaaaaa +rrrrr +dddd +eeeee +JITTTT +maptoenum +color +aaaaaaa +aa111aa +lllllllll +yaba +dgkjesh diff --git a/introduction/apis.py b/introduction/apis.py index baa6646da..a434539e0 100644 --- a/introduction/apis.py +++ b/introduction/apis.py @@ -4,6 +4,7 @@ from introduction.playground.A9.main import Log from introduction.playground.A6.utility import check_vuln from django.contrib.auth import login,authenticate +from .utility import * from django.views.decorators.csrf import csrf_exempt import time from .views import authentication_decorator 
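Review bot: `COPY . /app/` copies the whole build context into the image, and nothing in this hunk excludes local artefacts such as `.git`, virtualenvs, local database files or `.env` files; unless a `.dockerignore` already covers them (not visible in this diff), they end up in every image built from this Dockerfile. Add a `.dockerignore` next to the Dockerfile, or narrow the instruction to the directories the app needs. Placing the copy after the `pip install` step keeps the dependency layer cacheable, so that order is worth keeping.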
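Review bot: `from .utility import *` is a wildcard import in a module that imports everything else by name (see the neighbouring `from introduction.playground.A6.utility import check_vuln`); it pulls every public name of `utility` into this namespace and can silently shadow, or be shadowed by, `login`, `authenticate`, `time` and the other names imported here. The only names the later ssrf_code_checker hunk uses from it are `ssrf_code_converter` and `ssrf_html_input_extractor`, so `from .utility import ssrf_code_converter, ssrf_html_input_extractor` keeps the dependency explicit and lint-checkable.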
@@ -17,10 +18,33 @@ def ssrf_code_checker(request):
 if request.user.is_authenticated:
 if request.method == 'POST':
+ python_code = request.POST['python_code']
+ html_code = request.POST['html_code']
+ if not (ssrf_code_converter(python_code)):
+ return JsonResponse({"status": "error", "message": "Invalid code"})
+ test_bench1 = ssrf_html_input_extractor(html_code)
+
+ if (len(test_bench1) >4):
+ return JsonResponse({'message':'too many inputs in Html\n Try again'},status = 400)
+ test_bench2 = ['secret.txt']
+ correct_output1 = [{"blog": "blog1-passed"}, {"blog": "blog2-passed"}, {"blog": "blog3-passed"}, {"blog": "blog4-passed"}]
+ outputs = []
+ for inputs in test_bench1:
+ outputs.append(main.ssrf_lab(inputs))
+ if outputs == correct_output1:
+ outputs = []
+ else:
+ return JsonResponse({'message':'Testbench failed, Code is not working\n Try again'},status = 200)
+
+ correct_output2 = [{"blog": "No blog found"}]
+ for inputs in test_bench2:
+ outputs.append(main.ssrf_lab(inputs))
+ if outputs == correct_output2:
+ return JsonResponse({'message':'Congratulation, you have written a secure code.', 'passed':1}, status = 200)
 return JsonResponse({'message':'Test bench passed but the code is not secure'}, status = 200,safe = False)
 else:
- return JsonResponse({'message':'1method not allowed'},status = 405)
+ return JsonResponse({'message':'method not allowed'},status = 405)
 else:
 return JsonResponse({'message':'UnAuthenticated User'},status = 401)
@@ -58,7 +82,7 @@ def log_function_checker(request):
 f.close()
 return JsonResponse({"message":"success", "logs": lines},status = 200)
 else:
- return JsonResponse({"message":"2method not allowed"},status = 405)
+ return JsonResponse({"message":"method not allowed"},status = 405)
 #a7 codechecking api
 @csrf_exempt
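Review bot: `request.POST['python_code']` and `request.POST['html_code']` at the top of the new block raise `MultiValueDictKeyError` when a field is absent, which surfaces as a 500 instead of the 4xx responses the rest of this view returns; the A6 hunk in the same file uses `request.POST.get('code')`, so `python_code = request.POST.get('python_code', '')` keeps the two views consistent and lets the `Invalid code` branch handle the empty case. That `Invalid code` response also uses JsonResponse's default 200 status while the other rejections return 400; `status=400` there lets a client tell it apart from the success path. The submitted `python_code` is handed to `ssrf_code_converter` and then exercised through `main.ssrf_lab`, neither of which is visible here, and `main` is not among the imports shown in the earlier hunk; if, as the names suggest, this runs user-supplied code on the server, a short comment stating the sandboxing assumption and that `is_authenticated` is the only gate would help the next reader. The decorators of ssrf_code_checker are above the hunk.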
@@ -96,7 +120,7 @@ def A6_disscussion_api(request):
 @csrf_exempt
 def A6_disscussion_api_2(request):
 if request.method != 'POST':
- return JsonResponse({"message":"3method not allowed"},status = 405)
+ return JsonResponse({"message":"method not allowed"},status = 405)
 try:
 code = request.POST.get('code')
 dirname = os.path.dirname(__file__)
diff --git a/introduction/mitre.py b/introduction/mitre.py
index a7a5a77c9..419bfb8c9 100644
--- a/introduction/mitre.py
+++ b/introduction/mitre.py
@@ -210,6 +210,11 @@ def csrf_transfer_monei_api(request,recipent,amount):
 # @authentication_decorator
 @csrf_exempt
 def mitre_lab_25_api(request):
+ if request.method == "POST":
+ expression = request.POST.get('expression')
+ result = eval(expression)
+ return JsonResponse({'result': result})
+ else:
 return redirect('/mitre/25/lab/')
diff --git a/introduction/static/css/dark-theme.css b/introduction/static/css/dark-theme.css
index cdb9a007a..417fa0360 100644
--- a/introduction/static/css/dark-theme.css
+++ b/introduction/static/css/dark-theme.css
@@ -406,6 +406,7 @@ h2 {
 padding: 17px;
 border-radius: 10px;
 text-align: center;
+ padding: 13% 0 0 0;
 }
 #owasp10_2017 {
 width: 90%;
@@ -416,6 +417,7 @@ h2 {
 padding: 17px;
 border-radius: 10px;
 text-align: center;
+ padding: 13% 0 0 0;
 }
 #sidebar li ul a #owasp10_2021 {
@@ -440,6 +442,7 @@ h2 {
 padding: 17px;
 border-radius: 10px;
 text-align: center;
+ padding: 13% 0 0 0;
 }
 #homeSubmenu {
@@ -461,6 +464,7 @@ h2 {
 padding: 17px;
 border-radius: 10px;
 text-align: center;
+ padding: 13% 0% 0% 0%;
 }
 #challengeSubmenu {
 width: 95%;
@@ -484,6 +488,7 @@ h2 {
 padding: 17px;
 border-radius: 10px;
 text-align: center;
+ padding: 13% 0% 0% 0%;
 }
 #mitre25 {
 width: 90%;
@@ -494,6 +499,7 @@ h2 {
 padding: 17px;
 border-radius: 10px;
 text-align: center;
+ padding: 13% 0% 0% 0%;
 }
 #stylesheet-toggle{
diff --git a/introduction/views.py b/introduction/views.py
index 081987d3a..6cdfb7baf 100644
--- a/introduction/views.py
+++ b/introduction/views.py
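Review bot: `result = eval(expression)` evaluates a value taken straight from `request.POST` in a view that is `@csrf_exempt` and whose `# @authentication_decorator` is commented out, so any caller can run arbitrary Python inside the server process. In a PyGoat lab this is presumably the intended weakness, but nothing in the hunk marks it as such, so a comment such as `# INTENTIONALLY VULNERABLE (lab): eval() on request data executes arbitrary code; the fixed version should use ast.literal_eval or a real expression parser` would stop it being copied as a pattern. Two smaller points: `request.POST.get('expression')` is `None` when the field is missing and `eval(None)` raises `TypeError` (a 500), and `JsonResponse({'result': result})` will also raise if the evaluated value is not JSON-serialisable, so both deserve an explicit error response.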
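Review bot: each of the six dark-theme.css hunks adds a second `padding` declaration to a rule that already has `padding: 17px;` three lines above; the later declaration wins, so the `17px` line is now dead and the intent is unclear to the next reader. Either replace the `17px` line or, if only the top edge is meant to change, use `padding-top: 13%;` and keep the original shorthand. The new value also alternates between `13% 0 0 0` in the first three rules and `13% 0% 0% 0%` in the last three; they are equivalent, so one spelling should be used throughout.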
@@ -156,7 +156,9 @@ def sql_lab(request):
 print(sql_query)
 try:
 print("\nin try\n")
- val=""
+ val=login.objects.raw(sql_query)
+ val=login.objects.raw(sql_query)
+ val=login.objects.raw(sql_query)
 except:
 print("\nin except\n")
 return render(
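Review bot: the three identical `val=login.objects.raw(sql_query)` lines do the same thing and only the last assignment survives, so two of them should go. `Manager.raw()` returns a lazy `RawQuerySet`, so the query is not sent to the database until `val` is iterated (presumably inside the `render(` call that follows), which means the surrounding `try`/bare `except:` will not catch errors from the query itself, and a bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`; narrow it to `except Exception:` (or `django.db.DatabaseError`) and move it to where `val` is actually consumed. How `sql_query` is built is outside the hunk, as is the rest of `sql_lab`; the `print(sql_query)` context suggests it is assembled from request input, and if that is the lab's intended injection point a comment saying so would make the purpose of the raw query explicit.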