Hardening suggestions for pygoat / pixeebot/drip-2024-07-21-pixee-python/url-sandbox #15

Open
wants to merge 4 commits into
base: pixeebot/drip-2024-07-21-pixee-python/url-sandbox
from
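--- a/introduction/views.py
+++ b/introduction/views.py
@@ -4,17 +4,14 @@
 import logging
 import os
 import pickle
-import random
 import re
 import string
 import subprocess
 import uuid
 from dataclasses import dataclass
 from hashlib import md5
 from io import BytesIO
-from random import randint
-from xml.dom.pulldom import START_ELEMENT, parseString
-from xml.sax import make_parser
+from xml.dom.pulldom import START_ELEMENT
 from xml.sax.handler import feature_external_ges
 
 import jwt
@@ -32,7 +29,10 @@
 from .models import (FAANG, AF_admin, AF_session_id, Blogs, CF_user, authLogin,
 comments, login, otp, sql_lab_table, tickits)
 from .utility import customHash, filter_blog
-from security import safe_requests
+from security import safe_command, safe_requests
+import secrets
+import defusedxml.pulldom
+import defusedxml.sax
 
 #*****************************************Lab Requirements****************************************************#
 
@@ -244,9 +244,9 @@ def xxe_see(request):
 @csrf_exempt
 def xxe_parse(request):
 
-parser = make_parser()
+parser = defusedxml.sax.make_parser()
 parser.setFeature(feature_external_ges, True)
-doc = parseString(request.body.decode('utf-8'), parser=parser)
+doc = defusedxml.pulldom.parseString(request.body.decode('utf-8'), parser=parser)
 for event, node in doc:
 if event == START_ELEMENT and node.tagName == 'text':
 doc.expandNode(node)
@@ -415,8 +415,7 @@ def cmd_lab(request):
 
 try:
 # output=subprocess.check_output(command,shell=True,encoding="UTF-8")
-process = subprocess.Popen(
-command,
+process = safe_command.run(subprocess.Popen, command,
 shell=True,
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE)
@@ -481,7 +480,7 @@ def login_otp(request):
 def Otp(request):
 if request.method=="GET":
 email=request.GET.get('email')
-otpN=randint(100,999)
+otpN=secrets.SystemRandom().randint(100,999)
 if email and otpN:
 if email=="[email protected]":
 otp.objects.filter(id=2).update(otp=otpN)
@@ -545,7 +544,7 @@ def a9_lab(request):
 try :
 file=request.FILES["file"]
 try :
-data = yaml.load(file,yaml.Loader)
+data = yaml.load(file,yaml.SafeLoader)
 
 return render(request,"Lab/A9/a9_lab.html",{"data":data})
 except:
@@ -665,7 +664,7 @@ def a10_lab2(request):
 #*********************************************************A11*************************************************#
 
 def gentckt():
-return (''.join(random.choices(string.ascii_uppercase + string.ascii_lowercase, k=10)))
+return (''.join(secrets.SystemRandom().choices(string.ascii_uppercase + string.ascii_lowercase, k=10)))
 
 def insec_desgine(request):
 if request.user.is_authenticated: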
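Review bot: In the xxe_parse hunk the line `parser.setFeature(feature_external_ges, True)` is kept after `make_parser()` is replaced by `defusedxml.sax.make_parser()`, and as far as I know the defused parser refuses entity declarations and external references independently of that SAX feature, so the line now states an intent the parser no longer honours and a document with a DTD in `request.body` will presumably raise rather than expand. Either drop that line or put `# defusedxml rejects DTD entities and external refs; feature_external_ges has no effect here` above it, and say in the PR description that this endpoint is the project's XXE lab, whose expected behaviour this changes. The cmd_lab hunk has the same tension: `shell=True` with a caller-supplied `command` is retained and the wrapper is the only guard between the request and the shell, so a one-line comment naming what `safe_command.run` is relied on to block would help the next reader judge the residual risk. Both enclosing functions start and end outside their hunks.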