Hidden challenges now return 404 and can't be solved (#432)

* Hidden challenges now return 404 and can't be solved
selenium-screenshot-testing
Kevin Chung 2017-10-28 13:31:34 -04:00 committed by GitHub
parent b4f29e1450
commit 6f4a520241
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 1 deletions


@ -306,6 +306,8 @@ def chal(chalid):
print("[{0}] {1} submitted {2} with kpm {3}".format(*data)) print("[{0}] {1} submitted {2} with kpm {3}".format(*data))
chal = Challenges.query.filter_by(id=chalid).first_or_404() chal = Challenges.query.filter_by(id=chalid).first_or_404()
if chal.hidden:
abort(404)
chal_class = get_chal_class(chal.type) chal_class = get_chal_class(chal.type)
# Anti-bruteforce / submitting keys too quickly # Anti-bruteforce / submitting keys too quickly
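Review bot: The new guard `if chal.hidden: abort(404)` runs after the `print(...)` log line, so a submission against a hidden challenge is logged like any other one and then aborts with nothing recording why; a short comment would make the intent explicit, e.g. `# Hidden challenges answer like nonexistent ones (same 404 as first_or_404) so players cannot tell them apart`. `chal.hidden` is read without a null check: if the column is nullable, `None` is falsy and the challenge is treated as visible, which is presumably the intended default but worth confirming against the model. The `chal` view begins before this hunk and continues after it, so it cannot be confirmed from this change whether the other challenge-reading endpoints apply the same guard.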


@ -84,8 +84,10 @@ def get_scores(user):
return scores['standings'] return scores['standings']
def gen_challenge(db, name='chal_name', description='chal_description', value=100, category='chal_category', type='standard'): def gen_challenge(db, name='chal_name', description='chal_description', value=100, category='chal_category', type='standard', hidden=False):
chal = Challenges(name, description, value, category) chal = Challenges(name, description, value, category)
if hidden:
chal.hidden = hidden
db.session.add(chal) db.session.add(chal)
db.session.commit() db.session.commit()
return chal return chal
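Review bot: The `if hidden:` guard around `chal.hidden = hidden` is unnecessary and means `hidden=False` silently relies on the model's column default instead of setting the value; an unconditional `chal.hidden = hidden` is simpler and makes the fixture's state explicit. If the constructor of `Challenges` accepts `hidden`, passing it there would be cleaner still, but that signature is not visible in this hunk. The `get_scores` function in the hunk header ends at the first line shown; `gen_challenge` itself is complete within the hunk.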


@ -349,3 +349,27 @@ def test_that_view_challenges_unregistered_works():
data = json.loads(data) data = json.loads(data)
assert data['status'] == -1 assert data['status'] == -1
destroy_ctfd(app) destroy_ctfd(app)
def test_hidden_challenge_is_unsolveable():
"""Test that hidden challenges return 404 and do not insert a solve or wrong key"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app)
chal = gen_challenge(app.db, hidden=True)
flag = gen_flag(app.db, chal=chal.id, flag='flag')
with client.session_transaction() as sess:
data = {
"key": 'flag',
"nonce": sess.get('nonce')
}
r = client.post('/chal/{}'.format(chal.id), data=data)
assert r.status_code == 404
solves = Solves.query.all()
assert len(solves) == 0
wrong_keys = WrongKeys.query.all()
assert len(wrong_keys) == 0
destroy_ctfd(app)
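Review bot: `flag` on the `gen_flag(...)` line is assigned but never read; call `gen_flag(app.db, chal=chal.id, flag='flag')` for its side effect only. The two `Query.all()` plus `len(...)` checks load every row just to count them; `assert Solves.query.count() == 0` and `assert WrongKeys.query.count() == 0` state the same thing more directly. The test exercises only the POST submission path; whether hidden challenges are also withheld from the challenge listing and detail endpoints is not checked here and does not appear to be touched by this commit, so it would merit a separate test.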