Skip to content

Commit

Permalink
Admins can bypass ctftime (CTFd#374)
Browse files Browse the repository at this point in the history
* Admins can see/solve challenges regardless of ctftime
* Adding tests for ctftime based functionality
  • Loading branch information
ColdHeat authored Sep 4, 2017
1 parent bcaff30 commit 6f60ddd
Show file tree
Hide file tree
Showing 12 changed files with 346 additions and 172 deletions.
16 changes: 8 additions & 8 deletions CTFd/challenges.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
import re
import time

from flask import render_template, request, redirect, jsonify, url_for, session, Blueprint
from flask import render_template, request, redirect, jsonify, url_for, session, Blueprint, abort
from sqlalchemy.sql import or_

from CTFd.models import db, Challenges, Files, Solves, WrongKeys, Keys, Tags, Teams, Awards, Hints, Unlocks
Expand Down Expand Up @@ -104,7 +104,7 @@ def chals():
if utils.view_after_ctf():
pass
else:
return redirect(url_for('views.static_html'))
abort(403)
if utils.user_can_view_challenges() and (utils.ctf_started() or utils.is_admin()):
chals = Challenges.query.filter(or_(Challenges.hidden != True, Challenges.hidden == None)).order_by(Challenges.value).all()
json = {'game': []}
Expand Down Expand Up @@ -136,7 +136,7 @@ def chals():
return jsonify(json)
else:
db.session.close()
return redirect(url_for('auth.login', next='chals'))
abort(403)


@challenges.route('/chals/solves')
Expand Down Expand Up @@ -250,10 +250,10 @@ def who_solved(chalid):
@challenges.route('/chal/<int:chalid>', methods=['POST'])
def chal(chalid):
if utils.ctf_ended() and not utils.view_after_ctf():
return redirect(url_for('challenges.challenges_view'))
abort(403)
if not utils.user_can_view_challenges():
return redirect(url_for('auth.login', next=request.path))
if utils.authed() and utils.is_verified() and (utils.ctf_started() or utils.view_after_ctf()):
if (utils.authed() and utils.is_verified() and (utils.ctf_started() or utils.view_after_ctf())) or utils.is_admin():
fails = WrongKeys.query.filter_by(teamid=session['id'], chalid=chalid).count()
logger = logging.getLogger('keys')
data = (time.strftime("%m/%d/%Y %X"), session['username'].encode('utf-8'), request.form['key'].encode('utf-8'), utils.get_kpm(session['id']))
Expand Down Expand Up @@ -289,15 +289,15 @@ def chal(chalid):
chal_class = get_chal_class(chal.type)
status, message = chal_class.solve(chal, provided_key)
if status: # The challenge plugin says the input is right
if utils.ctftime():
if utils.ctftime() or utils.is_admin():
solve = Solves(teamid=session['id'], chalid=chalid, ip=utils.get_ip(), flag=provided_key)
db.session.add(solve)
db.session.commit()
db.session.close()
logger.info("[{0}] {1} submitted {2} with kpm {3} [CORRECT]".format(*data))
return jsonify({'status': 1, 'message': message})
else: # The challenge plugin says the input is wrong
if utils.ctftime():
if utils.ctftime() or utils.is_admin():
wrong = WrongKeys(teamid=session['id'], chalid=chalid, ip=utils.get_ip(), flag=provided_key)
db.session.add(wrong)
db.session.commit()
Expand All @@ -324,4 +324,4 @@ def chal(chalid):
return jsonify({
'status': -1,
'message': "You must be logged in to solve a challenge"
})
}), 403
20 changes: 11 additions & 9 deletions CTFd/themes/original/templates/chals.html
Original file line number Diff line number Diff line change
Expand Up @@ -70,21 +70,21 @@

{% block content %}

<div class="jumbotron home">
<div class="container">
<h1>Challenges</h1>
</div>
</div>

{% if errors %}
<div class="container main-container">
<div id='errors' class="row">
{% for error in errors %}
<h1>{{ error }}</h1>
{% endfor %}
</div>
</div>
{% else %}
{% endif %}

<div class="jumbotron home">
<div class="container">
<h1>Challenges</h1>
</div>
</div>
{% if admin or not errors %}
<div class="container main-container">
<div id='challenges-board' class="row">
</div>
Expand Down Expand Up @@ -113,6 +113,8 @@ <h3>Hint</h3>
{% block scripts %}
<script src="{{ request.script_root }}/themes/{{ ctf_theme() }}/static/js/utils.js"></script>
<script src="{{ request.script_root }}/themes/{{ ctf_theme() }}/static/js/multi-modal.js"></script>
{% if not errors %}<script src="{{ request.script_root }}/themes/{{ ctf_theme() }}/static/js/chalboard.js"></script>{% endif %}
{% if admin or not errors %}
<script src="{{ request.script_root }}/themes/{{ ctf_theme() }}/static/js/chalboard.js"></script>
{% endif %}
<script src="{{ request.script_root }}/themes/{{ ctf_theme() }}/static/js/style.js"></script>
{% endblock %}
11 changes: 6 additions & 5 deletions CTFd/themes/original/templates/errors/403.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,14 @@

{% block content %}

<div class="row">
<h1 class="text-center">403</h1>
<h2 class="text-center">An authorization error has occured</h2>
<h2 class="text-center">Please try again</h2>
<div class="container main-container">
<div class="row">
<h1 class="text-center">403</h1>
<h2 class="text-center">An authorization error has occured</h2>
<h2 class="text-center">Please try again</h2>
</div>
</div>


{% endblock %}

{% block scripts %}
Expand Down
10 changes: 6 additions & 4 deletions CTFd/themes/original/templates/errors/404.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,12 @@

{% block content %}

<div class="row">
<h1 class="text-center">404</h1>
<h2 class="text-center">Whoops, looks like we can't find that.</h2>
<h2 class="text-center">Sorry about that</h2>
<div class="container main-container">
<div class="row">
<h1 class="text-center">404</h1>
<h2 class="text-center">Whoops, looks like we can't find that.</h2>
<h2 class="text-center">Sorry about that</h2>
</div>
</div>


Expand Down
8 changes: 5 additions & 3 deletions CTFd/themes/original/templates/errors/500.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,11 @@

{% block content %}

<div class="row">
<h1 class="text-center">500</h1>
<h2 class="text-center">An Internal Server Error has occured</h2>
<div class="container main-container">
<div class="row">
<h1 class="text-center">500</h1>
<h2 class="text-center">An Internal Server Error has occured</h2>
</div>
</div>


Expand Down
8 changes: 5 additions & 3 deletions CTFd/themes/original/templates/errors/502.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,11 @@

{% block content %}

<div class="row">
<h1 class="text-center">502</h1>
<h2 class="text-center">That action isn't allowed</h2>
<div class="container main-container">
<div class="row">
<h1 class="text-center">502</h1>
<h2 class="text-center">That action isn't allowed</h2>
</div>
</div>


Expand Down
Empty file added tests/admin/__init__.py
Empty file.
31 changes: 31 additions & 0 deletions tests/test_admin_facing.py → tests/admin/test_admin_facing.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
from tests.helpers import *
from CTFd.models import Teams
from CTFd.utils import get_config, set_config, override_template, sendmail, verify_email, ctf_started, ctf_ended
from freezegun import freeze_time
from mock import patch


def test_admin_panel():
Expand Down Expand Up @@ -72,3 +75,31 @@ def test_admin_config():
r = client.get('/admin/config')
assert r.status_code == 200
destroy_ctfd(app)


def test_admins_can_access_challenges_before_ctftime():
'''Admins can see and solve challenges despite it being before ctftime'''
app = create_ctfd()
with app.app_context():
set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
flag = gen_flag(app.db, chal=chal.id, flag=u'flag')

with freeze_time("2017-10-2"):
client = login_as_user(app, name='admin', password='password')
r = client.get('/chals')
assert r.status_code == 200

with client.session_transaction() as sess:
data = {
"key": 'flag',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal_id), data=data)
assert r.status_code == 200
solve_count = app.db.session.query(app.db.func.count(Solves.id)).first()[0]
assert solve_count == 1
destroy_ctfd(app)
126 changes: 125 additions & 1 deletion tests/test_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@

from tests.helpers import *
from CTFd.models import ip2long, long2ip
from CTFd.utils import get_config, set_config, override_template, sendmail, verify_email
from CTFd.utils import get_config, set_config, override_template, sendmail, verify_email, ctf_started, ctf_ended
from CTFd.utils import base64encode, base64decode
from freezegun import freeze_time
from mock import patch
Expand Down Expand Up @@ -169,3 +169,127 @@ def test_verify_email(mock_smtp):
# For now just assert that sendmail was called.
mock_smtp.return_value.sendmail.assert_called_with(from_addr, [to_addr], email_msg.as_string())
destroy_ctfd(app)


def test_ctftime_prevents_accessing_challenges_before_ctf():
"""Test that the ctftime function prevents users from accessing challenges after the ctf"""
app = create_ctfd()
with app.app_context():
set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
flag = gen_flag(app.db, chal=chal.id, flag=u'flag')

with freeze_time("2017-10-3"):
client = login_as_user(app)
r = client.get('/chals')
assert r.status_code == 403

with client.session_transaction() as sess:
data = {
"key": 'flag',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal_id), data=data)
assert r.status_code == 403
solve_count = app.db.session.query(app.db.func.count(Solves.id)).first()[0]
assert solve_count == 0
destroy_ctfd(app)


def test_ctftime_allows_accessing_challenges_during_ctf():
"""Test that the ctftime function allows accessing challenges during the ctf"""
app = create_ctfd()
with app.app_context():
set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
flag = gen_flag(app.db, chal=chal.id, flag=u'flag')

with freeze_time("2017-10-5"):
client = login_as_user(app)
r = client.get('/chals')
assert r.status_code == 200

with client.session_transaction() as sess:
data = {
"key": 'flag',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal_id), data=data)
assert r.status_code == 200
solve_count = app.db.session.query(app.db.func.count(Solves.id)).first()[0]
assert solve_count == 1
destroy_ctfd(app)


def test_ctftime_prevents_accessing_challenges_after_ctf():
"""Test that the ctftime function prevents accessing challenges after the ctf"""
app = create_ctfd()
with app.app_context():
set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST
register_user(app)
chal = gen_challenge(app.db)
chal_id = chal.id
flag = gen_flag(app.db, chal=chal.id, flag=u'flag')

with freeze_time("2017-10-7"):
client = login_as_user(app)
r = client.get('/chals')
assert r.status_code == 403

with client.session_transaction() as sess:
data = {
"key": 'flag',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal_id), data=data)
assert r.status_code == 403
solve_count = app.db.session.query(app.db.func.count(Solves.id)).first()[0]
assert solve_count == 0
destroy_ctfd(app)


def test_ctf_started():
'''Tests that the ctf_started function returns the correct value'''
app = create_ctfd()
with app.app_context():
assert ctf_started() == True

set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST

with freeze_time("2017-10-3"):
assert ctf_started() == False

with freeze_time("2017-10-5"):
assert ctf_started() == True

with freeze_time("2017-10-7"):
assert ctf_started() == True
destroy_ctfd(app)


def test_ctf_ended():
'''Tests that the ctf_ended function returns the correct value'''
app = create_ctfd()
with app.app_context():
assert ctf_ended() == False

set_config('start', '1507089600') # Wednesday, October 4, 2017 12:00:00 AM GMT-04:00 DST
set_config('end', '1507262400') # Friday, October 6, 2017 12:00:00 AM GMT-04:00 DST

with freeze_time("2017-10-3"):
assert ctf_ended() == False

with freeze_time("2017-10-5"):
assert ctf_ended() == False

with freeze_time("2017-10-7"):
assert ctf_ended() == True
destroy_ctfd(app)
Empty file added tests/user/__init__.py
Empty file.
Loading

0 comments on commit 6f60ddd

Please sign in to comment.