From 9466d4a741f127485e61df475ae26428b6a6768b Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 02:09:36 +0000 Subject: [PATCH 1/4] Sandbox Process Creation --- introduction/views.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/introduction/views.py b/introduction/views.py index b6dd199..b1fbf32 100644 --- a/introduction/views.py +++ b/introduction/views.py @@ -32,7 +32,7 @@ from .models import (FAANG, AF_admin, AF_session_id, Blogs, CF_user, authLogin, comments, login, otp, sql_lab_table, tickits) from .utility import customHash, filter_blog -from security import safe_requests +from security import safe_command, safe_requests #*****************************************Lab Requirements****************************************************# @@ -415,8 +415,7 @@ def cmd_lab(request): try: # output=subprocess.check_output(command,shell=True,encoding="UTF-8") - process = subprocess.Popen( - command, + process = safe_command.run(subprocess.Popen, command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) From d6107aa9312e68604aa1104c7131e1cd189a54ff Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 02:09:37 +0000 Subject: [PATCH 2/4] Secure Source of Randomness --- introduction/views.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/introduction/views.py b/introduction/views.py index b1fbf32..6d273f7 100644 --- a/introduction/views.py +++ b/introduction/views.py @@ -4,7 +4,6 @@ import logging import os import pickle -import random import re import string import subprocess @@ -12,7 +11,6 @@ from dataclasses import dataclass from hashlib import md5 from io import BytesIO -from random import randint from xml.dom.pulldom import START_ELEMENT, parseString from xml.sax import make_parser from xml.sax.handler import feature_external_ges 
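Review bot: `from security import safe_command, safe_requests` pulls in a third-party package, and the same applies to the `import defusedxml.pulldom` / `import defusedxml.sax` lines added in the third patch, yet every diffstat in this series lists only `introduction/views.py`. Unless the dependency manifest is updated somewhere outside this series, the module will fail at import time on a fresh install, which takes every view in this file down rather than just the patched ones. The import hunk should be accompanied by the corresponding requirements change, or the commit message should state where that change lands.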
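Review bot: `process = safe_command.run(subprocess.Popen, command, shell=True, ...)` still hands the untrusted `command` string to a shell; as I understand the wrapper, it rejects certain patterns (command chaining, a list of sensitive executables) before delegating to `Popen`, so it narrows the exposure but does not make `shell=True` safe for arbitrary input. The hunk does not show how `command` is built, since `cmd_lab` begins outside it, so the effective risk cannot be judged from the change alone. This file serves the lab pages of a deliberately vulnerable training app (the `admin@pygoat.com` and `Lab/...` references elsewhere in the series), so a maintainer should confirm the sandbox does not silently defeat the exercise the view exists to demonstrate. At minimum a comment such as `# safe_command.run filters the command string; it is a mitigation, not an escape - shell=True remains` would keep the next reader from assuming the call is fully hardened.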
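Review bot: Dropping both `import random` (hunk at `@@ -4,7 +4,6 @@`) and `from random import randint` (hunk at `@@ -12,7 +11,6 @@`) is only safe if every remaining use in this file was migrated, and the series rewrites just the two call sites in `Otp` and `gentckt`. Any other `random.` or `randint(` reference in the roughly 700-line module would now raise `NameError` when that view runs, not at import time, so the regression would only show up under traffic. A quick search of the file for those names before merging would settle this.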
@@ -33,6 +31,7 @@ comments, login, otp, sql_lab_table, tickits) from .utility import customHash, filter_blog from security import safe_command, safe_requests +import secrets #*****************************************Lab Requirements****************************************************# @@ -480,7 +479,7 @@ def login_otp(request): def Otp(request): if request.method=="GET": email=request.GET.get('email') - otpN=randint(100,999) + otpN=secrets.SystemRandom().randint(100,999) if email and otpN: if email=="admin@pygoat.com": otp.objects.filter(id=2).update(otp=otpN) @@ -664,7 +663,7 @@ def a10_lab2(request): #*********************************************************A11*************************************************# def gentckt(): - return (''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase, k=10))) + return (''.join(secrets.SystemRandom().choices(string.ascii_uppercase + string.ascii_lowercase, k=10))) def insec_desgine(request): if request.user.is_authenticated: From 5c7c53c8001f004e54d890bf68c6a76c57a89213 Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 02:09:37 +0000 Subject: [PATCH 3/4] Use `defusedxml` for Parsing XML --- introduction/views.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/introduction/views.py b/introduction/views.py index 6d273f7..a5c8858 100644 --- a/introduction/views.py +++ b/introduction/views.py @@ -11,8 +11,7 @@ from dataclasses import dataclass from hashlib import md5 from io import BytesIO -from xml.dom.pulldom import START_ELEMENT, parseString -from xml.sax import make_parser +from xml.dom.pulldom import START_ELEMENT from xml.sax.handler import feature_external_ges import jwt 
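Review bot: `import secrets` is appended after the local `from .utility import ...` and `from security import ...` lines instead of joining the standard-library group at the top of the file, and the `import defusedxml.pulldom` / `import defusedxml.sax` lines in the third patch are placed the same way. That leaves the import block grouped as stdlib, third-party, local, then stdlib and third-party again, which is the kind of layout linters flag and reviewers misread. Moving the new lines into their conventional groups is a one-line relocation each.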
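Review bot: `otpN=secrets.SystemRandom().randint(100,999)` constructs a fresh `SystemRandom` instance on every request, and the `gentckt` hunk at `@@ -664,7 +663,7 @@` does the same with `.choices(...)`; the idiomatic forms are `otpN=secrets.randbelow(900)+100` here and `''.join(secrets.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(10))` in `gentckt`, or one module-level `_sysrand = secrets.SystemRandom()` shared by both. Separately, a better generator does not change the fact that the OTP is drawn from only 900 values (100-999), so the check against the stored `otp` row remains weak; given the `admin@pygoat.com` comparison this looks like a deliberately weak lab, in which case the swap should be a conscious decision noted in the commit rather than an automated one. The rest of `Otp` continues outside the hunk.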
@@ -32,6 +31,8 @@ from .utility import customHash, filter_blog from security import safe_command, safe_requests import secrets +import defusedxml.pulldom +import defusedxml.sax #*****************************************Lab Requirements****************************************************# @@ -243,9 +244,9 @@ def xxe_see(request): @csrf_exempt def xxe_parse(request): - parser = make_parser() + parser = defusedxml.sax.make_parser() parser.setFeature(feature_external_ges, True) - doc = parseString(request.body.decode('utf-8'), parser=parser) + doc = defusedxml.pulldom.parseString(request.body.decode('utf-8'), parser=parser) for event, node in doc: if event == START_ELEMENT and node.tagName == 'text': doc.expandNode(node) From 31f9a016cec58bc6d1423e4c374f3a2ee6d8e571 Mon Sep 17 00:00:00 2001 From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com> Date: Sun, 21 Jul 2024 02:09:38 +0000 Subject: [PATCH 4/4] Replace unsafe `pyyaml` loader with `SafeLoader` --- introduction/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/introduction/views.py b/introduction/views.py index a5c8858..c2eb17b 100644 --- a/introduction/views.py +++ b/introduction/views.py @@ -544,7 +544,7 @@ def a9_lab(request): try : file=request.FILES["file"] try : - data = yaml.load(file,yaml.Loader) + data = yaml.load(file,yaml.SafeLoader) return render(request,"Lab/A9/a9_lab.html",{"data":data}) except:
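Review bot: The retained `parser.setFeature(feature_external_ges, True)` explicitly asks for external general entities to be resolved, which contradicts the switch to `defusedxml.sax.make_parser()` on the line above it. As far as I recall, the defusedxml parser installs its own entity-declaration handlers that raise `EntitiesForbidden` / `ExternalReferenceForbidden` regardless of that feature, and nothing in the hunk catches `defusedxml.DefusedXmlException`, so a body carrying a DOCTYPE with entity declarations would now surface as an unhandled exception (a 500 from Django) instead of the rendered result. Either remove the `setFeature` line and handle `defusedxml.DefusedXmlException` around the parse, or, if `xxe_see` / `xxe_parse` are meant to stay the intentionally vulnerable XXE exercise their names suggest, do not merge this patch as is. `xxe_parse` continues past the end of the hunk.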