Adjusted Github Actions test workflow and pre-commit checks

.github/workflows/test.yml

@@ -14,14 +14,32 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-python@v3
-    - uses: pre-commit/[email protected]
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v5
+        with:
+          python-version: '3.8'
+
+      - name: Install Poetry
+        uses: snok/install-poetry@v1
+        with:
+          virtualenvs-create: false
+          virtualenvs-in-project: false
+          installer-parallel: true
+
+      - name: Install dependencies
+        run: poetry install --no-interaction --no-root --with dev
 
+      - uses: pre-commit/[email protected]
+
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
-      - name: Start containers
-        run: ./start_app.sh
+      - uses: actions/checkout@v2
+
+      - name: Build docker images
+        run: docker-compose build
+
+      # Testing if environment can be created with Docker Compose
+      - name: Run tests
+        run: docker-compose run web pytest

.pre-commit-config.yaml

@@ -2,12 +2,12 @@ repos:
   - repo: https://github.com/PyCQA/autoflake
     rev: v2.3.1
     hooks:
-    -   id: autoflake
+      - id: autoflake
         name: autoflake
         entry: autoflake
-        language: python
         "types": [python]
         require_serial: true
+        language: python
         args:
           - "--remove-all-unused-imports"
           - "--remove-unused-variables"
@@ -30,7 +30,7 @@ repos:
     hooks:
       - id: pytest-check
         name: pytest-check
-        entry: pytest
+        entry: python3 -m pytest
         language: system
         pass_filenames: false
         always_run: true

app/apis/users/schemas.py

@@ -1,4 +1,3 @@
-
 from pydantic import BaseModel
 
 

app/game.py

@@ -162,7 +162,7 @@ def move_cursor_top(lines=1):
 
     if is_fixed:
         print_color_text(
-            f"Congratulations! You fixed the \"{vuln_name}\" vulnerability!",
+            f'Congratulations! You fixed the "{vuln_name}" vulnerability!',
             color=Fore.GREEN,
             end="\n",
         )
@@ -187,7 +187,7 @@ def move_cursor_top(lines=1):
                 move_cursor_top(2)
 
         print_color_text(
-            f"Congratulations! You fixed the \"{vuln_name}\" vulnerability!",
+            f'Congratulations! You fixed the "{vuln_name}" vulnerability!',
             color=Fore.GREEN,
             end="\n\n",
         )

app/main.py

@@ -1,4 +1,3 @@
-
 from apis.router import api_router
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware

app/tests/modules/admin/test_admin_service.py

@@ -1,4 +1,3 @@
-
 from db.models import User, UserRole
 
 

app/tests/modules/auth/test_auth_service.py

@@ -1,4 +1,3 @@
-
 from db.models import User, UserRole
 
 

app/tests/vulns/level_0_technology_details_exposed_via_http_header.py

@@ -6,20 +6,20 @@ def test_technology_details_exposed_via_http_header(anon_client):
         paid upfront and sent me only URL to the Chef's restaurant API.
 
         I spent a few minutes with the restaurant's API and already found
-        a vulnerability exposing utilised technology details in the HTTP 
+        a vulnerability exposing utilised technology details in the HTTP
         response in "/healthcheck" endpoint. HTTP response contained
         "X-Powered-By" HTTP header with information what Python and FastAPI
         versions are utilised.
-        I can use these pieces of information to search for exploits 
+        I can use these pieces of information to search for exploits
         online!
-        
+
         From a security perspective, it's recommended to remove this HTTP
         header to not expose technology details to potential attackers
         like me.
- 
+
     Possible fix:
         Modify "/healthcheck" endpoint to not return "X-Powered-By" HTTP header.
-        It can be achieved by removing the "response.headers" line 
+        It can be achieved by removing the "response.headers" line
         from "apis/healthcheck/service.py" file.
     """
 

app/tests/vulns/level_1_unrestricted_menu_item_deletion.py

@@ -7,7 +7,7 @@ def test_unrestricted_menu_item_deletion(test_db, customer_client):
         The previous vulnerability was just a low severity issue but
         allowed me to understand the application's technology better.
 
-        After several minutes with the app, I already found much more 
+        After several minutes with the app, I already found much more
         interesting vulnerability!
         It looks like Chef forgot to add authorisation checks to "/menu/{id}"
         API endpoint and anyone can use DELETE method to delete items
@@ -16,8 +16,8 @@ def test_unrestricted_menu_item_deletion(test_db, customer_client):
     Possible fix:
         Probably, it could be fixed in "delete_menu_item" function in
         "apis/menu/service.py" file by adding auth=Depends(...) with proper
-        roles checks. 
-        There is an example implementation of authorisation checks in 
+        roles checks.
+        There is an example implementation of authorisation checks in
         "update_menu_item" function.
     """
 

app/tests/vulns/level_5_remote_code_execution.py

@@ -1,6 +1,3 @@
-
-
-
 def test_rce(test_db, chef_client):
     """
     Note: