JohnHammond
/
CTFd
mirror of https://github.com/JohnHammond/CTFd.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

34 reduce auth restrictions (#474) 

* Disallow email-address team names & allow login with team name or email address
* Don't show password reset form if server isn't configured
* Add a message to contact admins instead of submit password reset form
* Add utils.check_email_format()
selenium-screenshot-testing
Kevin Chung 2017-11-21 22:20:31 -05:00 committed by GitHub
parent e10c8b103b
commit 7348515e6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 100 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
CTFd/admin/teams.py
View File

@ -64,13 +64,16 @@ def admin_create_team():
elif Teams.query.filter(Teams.name == name).first():
errors.append('That name is taken')
if utils.check_email_format(name) is True:
errors.append('Team name cannot be an email address')
if not email:
errors.append('The team requires an email')
elif Teams.query.filter(Teams.email == email).first():
errors.append('That email is taken')
if email:
valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", email)
valid_email = utils.check_email_format(email)
if not valid_email:
errors.append("That email address is invalid")
@ -144,7 +147,7 @@ def admin_team(teamid):
errors = []
if email:
valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", email)
valid_email = utils.check_email_format(email)
if not valid_email:
errors.append("That email address is invalid")
@ -152,6 +155,9 @@ def admin_team(teamid):
if name_used and int(name_used.id) != int(teamid):
errors.append('That name is taken')
if utils.check_email_format(name) is True:
errors.append('Team name cannot be an email address')
email_used = Teams.query.filter(Teams.email == email).first()
if email_used and int(email_used.id) != int(teamid):
errors.append('That email is taken')

36
CTFd/auth.py
View File

@ -86,7 +86,7 @@ def reset_password(data=None):
except BadTimeSignature:
return render_template('reset_password.html', errors=['Your link has expired'])
except:
return render_template('reset_password.html', errors=['Your link appears broken, please try again.'])
return render_template('reset_password.html', errors=['Your link appears broken, please try again'])
team = Teams.query.filter_by(name=name).first_or_404()
team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
db.session.commit()
@ -101,8 +101,20 @@ def reset_password(data=None):
if request.method == 'POST':
email = request.form['email'].strip()
team = Teams.query.filter_by(email=email).first()
errors = []
if utils.can_send_mail() is False:
return render_template(
'reset_password.html',
errors=['Email could not be sent due to server misconfiguration']
)
if not team:
return render_template('reset_password.html', errors=['If that account exists you will receive an email, please check your inbox'])
return render_template(
'reset_password.html',
errors=['If that account exists you will receive an email, please check your inbox']
)
s = TimedSerializer(app.config['SECRET_KEY'])
token = s.dumps(team.name)
text = """
@ -114,7 +126,10 @@ Did you initiate a password reset?
utils.sendmail(email, text)
return render_template('reset_password.html', errors=['If that account exists you will receive an email, please check your inbox'])
return render_template(
'reset_password.html',
errors=['If that account exists you will receive an email, please check your inbox']
)
return render_template('reset_password.html')
@ -134,12 +149,15 @@ def register():
emails = Teams.query.add_columns('email', 'id').filter_by(email=email).first()
pass_short = len(password) == 0
pass_long = len(password) > 128
valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", request.form['email'])
valid_email = utils.check_email_format(request.form['email'])
team_name_email_check = utils.check_email_format(name)
if not valid_email:
errors.append("That email doesn't look right")
errors.append("Please enter a valid email address")
if names:
errors.append('That team name is already taken')
if team_name_email_check is True:
errors.append('Your team name cannot be an email address')
if emails:
errors.append('That email has already been used')
if pass_short:
@ -196,7 +214,13 @@ def login():
if request.method == 'POST':
errors = []
name = request.form['name']
team = Teams.query.filter_by(name=name).first()
# Check if the user submitted an email address or a team name
if utils.check_email_format(name) is True:
team = Teams.query.filter_by(email=name).first()
else:
team = Teams.query.filter_by(name=name).first()
if team:
if team and bcrypt_sha256.verify(request.form['password'], team.password):
try:

2
CTFd/themes/original/templates/login.html
View File

@ -36,7 +36,7 @@
<span class="input">
<input class="input-field" type="text" name="name" id="name-input" />
<label class="input-label" for="name-input">
<span class="label-content">Team Name</span>
<span class="label-content">Team Name or Email</span>
</label>
</span>
</div>

10
CTFd/themes/original/templates/reset_password.html
View File

@ -19,6 +19,7 @@
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button>
</div>
{% endfor %}
{% if can_send_mail() %}
<form method="post" accept-charset="utf-8" autocomplete="off" role="form" class="form-horizontal">
<input name='nonce' type='hidden' value="{{ nonce }}">
{% if mode %}
@ -49,6 +50,15 @@
</div>
</div>
</form>
{% else %}
<div class="row">
<div class="col-md-12">
<h3 class="text-center">Contact a CTF organizer</h3>
<p>This CTF is not configured to send email.</p>
<p>Please contact an organizer to have your password reset</p>
</div>
</div>
{% endif %}
</div>
</div>
</div>

4
CTFd/utils.py
View File

@ -621,6 +621,10 @@ def validate_url(url):
return urlparse(url).scheme.startswith('http')
def check_email_format(email):
return bool(re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", email))
def sha512(string):
return hashlib.sha512(string).hexdigest()

5
CTFd/views.py
View File

@ -220,7 +220,10 @@ def profile():
name_len = len(request.form['name']) == 0
emails = Teams.query.filter_by(email=email).first()
valid_email = re.match(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)", email)
valid_email = utils.check_email_format(email)
if utils.check_email_format(name) is True:
errors.append('Team name cannot be an email address')
if ('password' in request.form.keys() and not len(request.form['password']) == 0) and \
(not bcrypt_sha256.verify(request.form.get('confirm').strip(), user.password)):

21
tests/test_utils.py
View File

@ -6,6 +6,7 @@ from CTFd.models import ip2long, long2ip
from CTFd.utils import get_config, set_config, override_template, sendmail, verify_email, ctf_started, ctf_ended, export_ctf
from CTFd.utils import register_plugin_script, register_plugin_stylesheet
from CTFd.utils import base64encode, base64decode
from CTFd.utils import check_email_format
from freezegun import freeze_time
from mock import patch
import json
@ -349,3 +350,23 @@ def test_export_ctf():
with open('export.zip', 'wb') as f:
f.write(backup.getvalue())
destroy_ctfd(app)
def test_check_email_format():
"""Test that the check_email_format() works properly"""
assert check_email_format('user@ctfd.io') is True
assert check_email_format('user+plus@gmail.com') is True
assert check_email_format('user.period1234@gmail.com') is True
assert check_email_format('user.period1234@b.c') is True
assert check_email_format('user.period1234@b') is False
assert check_email_format('no.ampersand') is False
assert check_email_format('user@') is False
assert check_email_format('@ctfd.io') is False
assert check_email_format('user.io@ctfd') is False
assert check_email_format('user\@ctfd') is False
for invalid_email in ['user.@ctfd.io', '.user@ctfd.io', 'user@ctfd..io']:
try:
assert check_email_format(invalid_email) is False
except AssertionError:
print(invalid_email, 'did not pass validation')

22
tests/user/test_user_facing.py
View File

@ -40,6 +40,16 @@ def test_register_unicode_user():
destroy_ctfd(app)
def test_register_email_as_team_name():
"""A user shouldn't be able to use an email address as a team name"""
app = create_ctfd()
with app.app_context():
register_user(app, name="user@ctfd.io", email="user@ctfd.io", password="password")
team_count = app.db.session.query(app.db.func.count(Teams.id)).first()[0]
assert team_count == 1 # There's only the admin user
destroy_ctfd(app)
def test_register_duplicate_teamname():
"""A user shouldn't be able to use an already registered team name"""
app = create_ctfd()
@ -85,6 +95,18 @@ def test_user_login():
destroy_ctfd(app)
def test_user_login_with_email():
"""Can a registered user can login with an email address instead of a team name"""
app = create_ctfd()
with app.app_context():
register_user(app)
client = login_as_user(app, name="user@ctfd.io", password="password")
r = client.get('/profile')
assert r.location != "http://localhost/login" # We didn't get redirected to login
assert r.status_code == 200
destroy_ctfd(app)
def test_user_isnt_admin():
"""A registered user cannot access admin pages"""
app = create_ctfd()