Commit Graph

863 Commits (2cfc89d4c27ca66983a22877bbb53d4e3e20fbcc)

Author SHA1 Message Date
Kevin Chung 309e62520e
Fix dynamic challenge hint loading (#1224)
* Fixes hint loading for dynamic challenges
2020-01-28 22:16:44 -05:00
Kevin Chung d59bfa3578
Mark 2.2.3 (#1222)
2.2.3 / 2020-01-21
==================

### This release includes a critical security fix for CTFd versions >= 2.0.0

All CTFd administrators are recommended to take the following steps:
1. Upgrade their installations to the latest version
2. Rotate the `SECRET_KEY` value
3. Reset the passwords for all administrator users

**Security**
* This release includes a fix for a vulnerability allowing an arbitrary user to take over other accounts given their username and a CTFd instance with emails enabled

**General**
* Users will receive an email notification when their passwords are reset
* Fixed an error when users provided incorrect team join information
2020-01-21 00:06:03 -05:00
Kevin Chung a2551db690
Add a password change notification email (#1221)
* Adds an email notification for password resets
2020-01-20 23:05:44 -05:00
Kevin Chung 60c46af58a
Sign sessions using SECRET_KEY to simplify revocation (#1219)
* Sign sessions using `SECRET_KEY`
* Add `CTFd.utils.security.signing.sign` and `CTFd.utils.security.signing.unsign`
2020-01-20 21:53:08 -05:00
Kevin Chung 83efc4d5eb
Fix error with invalid team information and team size limits (#1220)
* Fix error when joining teams with a size limit
2020-01-20 20:34:11 -05:00
Kevin Chung f660ed1fb7
Strip spaces on registration and have reset password use email address instead of names (#1218)
* Usernames are now properly stripped before being used in registration checks
* Reset password function now uses email addresses instead of user names for tokens
* Prevent MLC users from resetting their password
2020-01-20 14:22:06 -05:00
Kevin Chung fe85fdf1e5
Mark 2.2.2 (#1212)
2.2.2 / 2020-01-09
==================

**General**
* Add jQuery, Moment, nunjucks, and Howl to window globals to make it easier for plugins to access JS modules
* Fix issue with timezone loading in config page which was preventing display of CTF times
2020-01-09 20:32:50 -05:00
Kevin Chung d37805b6fe
Fix timezone loading in time config page (#1211)
* Fix an issue where CTF times could not be displayed in the admin panel because timezones weren't available
2020-01-09 18:41:41 -05:00
Kevin Chung d30bd182d2
Add jQuery, Moment, nunjucks, and Howl to window globals (#1209)
* Add jQuery, Moment, nunjucks, and Howl to window globals
2020-01-08 18:06:15 -05:00
Kevin Chung dc492c97af
Mark 2.2.1 (#1208)
2.2.1 / 2020-01-04
==================

**General**
* Fix issue preventing admins from creating users or teams
* Fix issue importing backups that contained empty directories
2020-01-04 01:20:50 -05:00
fengkx 7ff6163309 fix: fix import uploads (#1173)
* Fixes issue with importing backups that contain invalid empty directories
2020-01-03 23:56:12 -05:00
Kevin Chung 5b65a6ced0
Remove CTFd Slack references in README to reference MLC Discourse (#1204)
* Replace references to the CTFd Slack with MLC Discourse references
2020-01-03 23:07:46 -05:00
Kevin Chung d5128c2fa4
Seperate out admin theme from core more to fix #1200 (#1202)
* Separate out admin theme from core more to fix #1200
2020-01-03 22:18:05 -05:00
Kevin Chung b8d0f80d01
2.2.0 (#1188)
2.2.0 / 2019-12-22
==================

## Notice
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with ***any*** kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be useable with v2.2.0. 

**General**
* Team size limits can now be enforced from the configuration panel
* Access tokens functionality for API usage
* Admins can now choose how to deliver their notifications
    * Toast (new default)
    * Alert
    * Background
    * Sound On / Sound Off
* There is now a notification counter showing how many unread notifications were received
* Setup has been redesigned to have multiple steps
    * Added Description
    * Added Start time and End time,
    * Added MajorLeagueCyber integration
    * Added Theme and color selection
* Fixes issue where updating dynamic challenges could change the value to an incorrect value
* Properly use a less restrictive regex to validate email addresses
* Bump Python dependencies to latest working versions
* Admins can now give awards to team members from the team's admin panel page

**API**
* Team member removals (`DELETE /api/v1/teams/[team_id]/members`) from the admin panel will now delete the removed members's Submissions, Awards, Unlocks

**Admin Panel**
* Admins can now user a color input box to specify a theme color which is injected as part of the CSS configuration. Theme developers can use this CSS value to change colors and styles accordingly.
* Challenge updates will now alert you if the challenge doesn't have a flag
* Challenge entry now allows you to upload files and enter simple flags from the initial challenge creation page

**Themes**
* Significant JavaScript and CSS rewrite to use ES6, Webpack, yarn, and babel
* Theme asset specially generated URLs
    * Static theme assets are now loaded with either .dev.extension or .min.extension depending on production or development (i.e. debug server)
    * Static theme assets are also given a `d` GET parameter that changes per server start. Used to bust browser caches.
* Use `defer` for script tags to not block page rendering
* Only show the MajorLeagueCyber button if configured in configuration
* The admin panel now links to https://help.ctfd.io/ in the top right
* Create an `ezToast()` function to use [Bootstrap's toasts](https://getbootstrap.com/docs/4.3/components/toasts/)
* The user-facing navbar now features icons
* Awards shown on a user's profile can now have award icons
* The default MarkdownIt render created by CTFd will now open links in new tabs
* Country flags can now be shown on the user pages

**Deployment**
* Switch `Dockerfile` from `python:2.7-alpine` to `python:3.7-alpine`
* Add `SERVER_SENT_EVENTS` config value to control whether Notifications are enabled
* Challenge ID is now recorded in the submission log

**Plugins**
* Add an endpoint parameter to `register_plugin_assets_directory()` and `register_plugin_asset()` to control what endpoint Flask uses for the added route

**Miscellaneous**
* `CTFd.utils.email.sendmail()` now allows the caller to specify subject as an argument
    * The subject allows for injecting custom variable via the new `CTFd.utils.formatters.safe_format()` function
* Admin user information is now error checked during setup
* Added yarn to the toolchain and the yarn dev, yarn build, yarn verify, and yarn clean scripts
* Prevent old CTFd imports from being imported
2019-12-22 23:17:34 -05:00
Christian Clauss 6d192a7c14 Fix NameError in 1_2_0_upgrade_2_0_0.py
Fixes a NameError in `1_2_0_upgrade_2_0_0.py`
2019-12-19 21:26:19 -05:00
Dave 97f5dcaf8c Strip password before length check (#1155)
* Strip password before length check
* Pin black to an older version
2019-11-05 23:25:39 -05:00
Kevin Chung 6c5c63d667
Don't redirect the /events endpoint to login (#1132)
* Detect `text/event-stream` in `authed_only` to prevent unnecessary redirects to `/login`
2019-10-11 23:18:44 -07:00
Kevin Chung a9b2fe15e3
Mark 2.1.5 (#1126)
2.1.5 / 2019-10-2
=================

**General**
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
* Avoid exception on sessions without a valid user and force logout
* Fix several issues in Vagrant provisioning

**API**
* Prevent users from nulling out profile values and breaking certain pages
2019-10-02 02:25:30 -04:00
Kevin Chung b15f1787e4
Prevent users from nulling out profile values (#1125)
* Prevent users from nulling out profile values
2019-10-02 01:22:54 -04:00
Kevin Chung b8c1970b8e
Fix CSV exports in Python 3 by converting StringIO to BytesIO (#1107)
* Fix CSV exports in Python 3 by converting StringIO to BytesIO
2019-09-10 03:22:01 -04:00
Kevin Chung 607c517d28
Avoid exception on session without a valid user and force logout (#1106)
* Avoid exception on sessions without a valid user and force logout
2019-09-09 21:18:07 -04:00
Joshua Dugie cee6fe3593 Fix several issues in Vagrant provisioning (#1046)
* Fixes to Vagrantfile
2019-09-08 13:04:48 -04:00
Kevin Chung 7a7595cf03
Fix flask run by not monkey patching for gevent in wsgi.py (#1101)
* Fixes `flask run` debug server by not monkey patching in `wsgi.py`
* Closes #1099
2019-09-05 19:50:52 -04:00
Kevin Chung 3b1b82b9a0
Mark 2.1.4 (#1096)
2.1.4 / 2019-08-30
==================

**General**
* Make user pages show the team's score and place information instead of the user's information if in team mode
* Allow admins to search users by IP address
* Require password for email address changes in the user profile
* The place indicator in `Teams Mode` on the team pages and user pages now correctly excludes hidden teams
* Fix scoreboard place ordinalization in Python 3
* Fix for a crash where imports will fail on SQLite due to lack of ALTER command support
* Fix for an issue where files downloaded via S3 would have the folder name in the filename
* Make `Users.get_place()` and `Teams.get_place()` for return None instead of 0 if the account has no rank/place
* Properly redirect users or 403 if the endpoint requires a team but the user isn't in one
* Show affiliation in user and team pages in the admin panel and public and private user and team pages

**Themes**
* Remove invalid `id='submit'` on submit buttons in various theme files
* Set `tabindex` to 0 since we don't really care for forcing tab order
* Rename `statistics.js` to `graphs.js` in the Admin Panel as it was identified that adblockers can sometimes block the file

**API**
* The team profile endpoint (`/api/v1/teams/me`) will now return 403 instead of 400 if the requesting user is not the captain
* The Challenge API will now properly freeze the solve count to freeze time
2019-08-31 14:45:08 -04:00
Kevin Chung c88e0556eb
1092 fix solve count leak during freeze (#1095)
* Challenges properly get solve count during freeze time
* Closes #1092
2019-08-29 23:22:24 -04:00
MartinJM 941ca8f506 The place indicator on the team page now excludes counting hidden teams (#1094)
* The place indicator in Team Mode on the team pages and user pages now excludes counting hidden teams.
* Updated `flask-marshmallow` to 0.10.1, `marshmallow-sqlalchemy` to 0.17.0 
* Pinned `marshmallow` to 2.20.2
* Closes #1093
* Closes #1088
2019-08-29 22:04:05 -04:00
Kevin Chung 75a9a5a697
Rename statistics.js to graphs.js (#1086)
* Rename `statistics.js` to `graphs.js` in the admin panel to avoid getting blocked by ad blockers
2019-08-17 20:06:22 -04:00
Kevin Chung bef5f1796b
Fix broken buttons by not hijacking click event without data-href attribute (#1081)
* Fix broken buttons by not hijacking click event without `data-href` attribute
2019-08-09 00:35:29 -04:00
Kevin Chung 5c4f1d78fa
Remove invalid id='submit' on submit buttons and correctly set tabindex to 0 (#1080)
* Remove invalid id='submit' on submit buttons
* Set `tabindex` to 0 since we don't really care for forcing tab order.
2019-08-08 18:27:44 -04:00
Kevin Chung 71240bb13d
Require password for email change (#1077)
* Require password for email changes
2019-08-04 20:28:20 -04:00
Kevin Chung 3453eafcab
Flaky redis events tests (#1072)
* Fix flaky redis tests
* Add a random integer helper for tests
2019-07-30 03:25:29 -04:00
Sachin S. Kamath 34bab12a99 Add feature to search users by IP address (#1059)
* Allows admins to search users by IP address
* Closes #1054
2019-07-30 01:09:41 -04:00
Kevin Chung cf7959ab16
Attempt to fix randomly failing tests (#1071)
* Fix flaky tests that require redis which were occasionally failing
2019-07-29 23:15:26 -04:00
Kevin Chung 2bdf7b64d6
Fix place ordinal calculation (#1067)
* Fix scoreboard place ordinalization in Python 3
* Extract ordinalization code to `CTFd.utils.humanize.numbers.ordinalize`.
2019-07-24 01:44:20 -04:00
Kevin Chung f2e0b9e8b5
Add argparse to populate.py and fix some lints (#1064)
* Make `populate.py` configurable from command line
2019-07-21 15:08:37 -04:00
Kevin Chung bf05b30d56
Don't reuse used oauth_ids in populate.py (#1062)
* Fix `populate.py` from using an `oauth_id` twice.
2019-07-16 21:52:39 -04:00
Kevin Chung 1c9e36fa8f
Show affiliation in user and team pages in the admin panel (#1037)
* Show affiliation in user and team pages in the admin panel and public and private user and team pages. 
* Make user pages show team information (score, place) instead of user information if in team mode. 
* Make `Users.get_place()` and `Teams.get_place()` for return None instead of 0 if the account has no rank. (Closes #1039)
* Make `populate.py` randomly add affiliations and officials
2019-07-12 07:14:08 -04:00
Kevin Chung b453125726
Fix missing Team API exceptions (#1058)
* Add require_team decorator to endpoints that request teams.
* Change status code for captain endpoints to return 403 instead of 400
2019-07-12 00:53:35 -04:00
Kevin Chung f033f16490
Fix S3 file downloads to not contain the folder name (#1056)
* Fixes a bug in S3 downloads where a downloaded file would have its parent folder name in the filename
2019-07-11 17:04:32 -04:00
Kevin Chung 9b07f4ecf9
Revert "Switch Dockerfile from python:2.7-alpine to python:3.7-alpine (#1055)" (#1057)
This reverts commit 7eff04dc4c.
2019-07-10 22:58:38 -04:00
Kevin Chung 7eff04dc4c
Switch Dockerfile from python:2.7-alpine to python:3.7-alpine (#1055) 2019-07-10 01:16:23 -04:00
Sachin S. Kamath 93170e4a9d Fixed minor error in plugin doc (#1053)
Signed-off-by: Sachin Kamath <sskamath96@gmail.com>
2019-07-08 00:18:49 -04:00
Kevin Chung 56342bedc5
Minor docs fix (#1050)
* Rework scoring formats section
2019-07-04 13:49:16 -04:00
Kevin Chung 78fee9667a
Docs scoring page (#1049)
* Bump docs version to 2.1.3.
* Add documentation on scoreboard integrations. 
* Add logo to documentation.
2019-07-04 12:11:10 -04:00
Kevin Chung 8b3bb92c9d
Only add team_captain_id foreign key if the db backend isn't SQLite (#1048)
* Only add `teams.team_captain_id` foreign key if the db backend isn't SQLite. SQLite does not support ALTER for the manipulation of columns/constraints. 
* Closes #1041
2019-07-03 00:04:50 -04:00
Kevin Chung 03058716a0
Add a Content-Disposition header to s3 downloads (#1047)
* Add a Content-Disposition header to s3 downloads so `wget` doesn't generate long invalid filenames.
2019-06-30 12:02:52 -04:00
Kevin Chung 2bca60790d
Mark 2.1.3 (#1036)
2.1.3 / 2019-06-22
==================

**General**
* Fix issue with downloading files after CTF end when `view_after_ctf` is enabled
* Sort solves in admin challenge view by date
* Link to appropriate user and challenge in team, user, and challenge pages
* Redirect to `/team` instead of `/challenges` after a user registers in team mode
* Fixes bug where pages marked as `hidden` weren't loading
* Remove `data-href` from `pages.html` in the Admin Panel to fix the delete button
* Add UI to handle team member removal in Admin Panel
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode.
* `utils._get_config` will now return `KeyError` instead of `None` to avoid cache misses

**Deployment**
* Use `/dev/shm` for `--worker-tmp-dir` in gunicorn in Docker
* Cache `get_place` code for users and teams.
* Install `Flask-DebugToolbar` in development
* Cache the `/scoreboard` page to avoid having to rebuild the response so often
* Make unprivileged `ctfd` user usable for mysql connection in docker-compose by having the db image create the database instead of CTFd
* Fix bug causing apache2 + mod_wsgi deployments to break

**API**
* Change `/api/v1/teams/[team_id]/members` from taking `id` to `user_id`.
    * Endpoint was unused so the API change is considered non-breaking.
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
* Separate `/api/v1/[users,teams]/[me,id]/[solves,fails,awards]` into seperate API endpoints
* Clear standings cache after award creation/deletion

**Exports**
* Temporarily disable foreign keys in MySQL, MariaDB, and Postgres during `import_ctf()`
* Add `cache_timeout` parameter to `send_file`response in `/admin/export` to prevent the browser from caching the export

**Tests**
* Fix score changing test helpers to clear standings cache when generating a score changing row
2019-06-22 20:07:01 -07:00
Kevin Chung 6eb0d1ea34
Clear standings on award creation and deletion (#1035)
* Clear standings on award creation and deletion
2019-06-22 19:02:27 -07:00
Kevin Chung 97f52756bc
Fix scoreboard links created by update() in user mode (#1034)
* Fixes account links on the scoreboard page created by `update()`. They now correctly point to the user instead of undefined when in user mode. 
* Add `account_type` and `account_url` field in `/api/v1/scoreboard`
2019-06-22 16:17:53 -07:00
Kevin Chung d8ca73ac18
Prevent browser from caching the export (#1033)
* Add `cache_timeout` parameter to `send_file`response in `/admin/export` to prevent the browser from caching the export
* Closes #1032
2019-06-22 13:36:45 -07:00