From 6f4a520241c7c0f372f16c8b68524cf0dbbb27a5 Mon Sep 17 00:00:00 2001
From: Kevin Chung
Date: Sat, 28 Oct 2017 13:31:34 -0400
Subject: [PATCH] Hidden challenges now return 404 and can't be solved (#432)

* Hidden challenges now return 404 and can't be solved
---
 CTFd/challenges.py | 2 ++
 tests/helpers.py | 4 +++-
 tests/user/test_challenges.py | 24 ++++++++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/CTFd/challenges.py b/CTFd/challenges.py
index 20cb121..e27f374 100644
--- a/CTFd/challenges.py
+++ b/CTFd/challenges.py
@@ -306,6 +306,8 @@ def chal(chalid):
 print("[{0}] {1} submitted {2} with kpm {3}".format(*data))
 chal = Challenges.query.filter_by(id=chalid).first_or_404()
+ if chal.hidden:
+ abort(404)
 chal_class = get_chal_class(chal.type)
 # Anti-bruteforce / submitting keys too quickly
diff --git a/tests/helpers.py b/tests/helpers.py
index c3a00ee..e614363 100644
--- a/tests/helpers.py
+++ b/tests/helpers.py
@@ -84,8 +84,10 @@ def get_scores(user):
 return scores['standings']
-def gen_challenge(db, name='chal_name', description='chal_description', value=100, category='chal_category', type='standard'):
+def gen_challenge(db, name='chal_name', description='chal_description', value=100, category='chal_category', type='standard', hidden=False):
 chal = Challenges(name, description, value, category)
+ if hidden:
+ chal.hidden = hidden
 db.session.add(chal)
 db.session.commit()
 return chal
diff --git a/tests/user/test_challenges.py b/tests/user/test_challenges.py
index a7b5e36..7c96ba5 100644
--- a/tests/user/test_challenges.py
+++ b/tests/user/test_challenges.py
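Review bot: The new `if chal.hidden: abort(404)` directly after `first_or_404()` makes a hidden challenge answer exactly like a nonexistent id on the submission path, and it runs before any Solves or WrongKeys row can be written; that intent is worth stating in place, e.g. `# Hidden challenges must be indistinguishable from unknown ids: same 404, and no solve/wrong-key row is recorded`. The guard applies to every caller, so if administrators are expected to test-submit against hidden challenges from a preview, this commit removes that ability; I cannot see from the hunk whether such a path exists. Only the submit handler is changed here, so any endpoint that serves challenge details by id would need the same check to keep the 404 consistent. The enclosing `chal(chalid)` body starts and continues outside the hunk, and I am assuming `abort` is already imported from flask in this module.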
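Review bot: In `gen_challenge`, the guard `if hidden:` around `chal.hidden = hidden` is redundant when the model already defaults `hidden` to False, and it stores whatever truthy value the caller passed rather than a boolean; the unconditional `chal.hidden = bool(hidden)` is shorter and keeps the column strictly boolean. If the guard is there because the column's default is something other than False (NULL, say), a one-line comment such as `# only override the model default when explicitly requested` would make that deliberate. The `type` parameter shadowing the builtin predates this change.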
@@ -349,3 +349,27 @@ def test_that_view_challenges_unregistered_works():
 data = json.loads(data)
 assert data['status'] == -1
 destroy_ctfd(app)
+
+
+def test_hidden_challenge_is_unsolveable():
+ """Test that hidden challenges return 404 and do not insert a solve or wrong key"""
+ app = create_ctfd()
+ with app.app_context():
+ register_user(app)
+ client = login_as_user(app)
+ chal = gen_challenge(app.db, hidden=True)
+ flag = gen_flag(app.db, chal=chal.id, flag='flag')
+ with client.session_transaction() as sess:
+ data = {
+ "key": 'flag',
+ "nonce": sess.get('nonce')
+ }
+ r = client.post('/chal/{}'.format(chal.id), data=data)
+ assert r.status_code == 404
+
+ solves = Solves.query.all()
+ assert len(solves) == 0
+
+ wrong_keys = WrongKeys.query.all()
+ assert len(wrong_keys) == 0
+ destroy_ctfd(app)
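Review bot: `test_hidden_challenge_is_unsolveable` only exercises the negative case, so the 404 and the empty Solves/WrongKeys tables would also pass if the submit route or the flag fixture were broken for every challenge; a control submission against a visible challenge in the same test, expecting success and exactly one `Solves` row, ties the outcome to the `hidden` flag. The `flag` local is assigned but never read, so `gen_flag(...)` can be called without binding it. The `Solves` and `WrongKeys` names depend on imports at the top of tests/user/test_challenges.py, outside this hunk. A minor naming point: the usual spelling is `unsolvable`.
```python
def test_hidden_challenge_is_unsolveable():
    # … unchanged: setup, hidden challenge, POST, 404 and empty-table assertions …

        # Control: the same flow against a visible challenge must record a solve,
        # so the 404 above is attributable to `hidden` and not to a broken route.
        visible = gen_challenge(app.db)
        gen_flag(app.db, chal=visible.id, flag='flag')
        with client.session_transaction() as sess:
            data = {"key": 'flag', "nonce": sess.get('nonce')}
        r = client.post('/chal/{}'.format(visible.id), data=data)
        assert r.status_code == 200
        assert len(Solves.query.all()) == 1
        destroy_ctfd(app)
```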