Merge branch 'adeyosemanputra:master' into insec_des_lab

Author: Garvita-k

.gitignore

@@ -7,7 +7,7 @@ venv
 *db.sqlite3*
 app.log
 bin
-
+*.env
 
 #  LOG files
 *.log

CHANGELOG.md

@@ -0,0 +1,125 @@
+# Pygoat v2.0.2 snapshot
+### 1.Added
+- **Custom Management Command:**  
+  Added the `populate_challenges` command that reads challenge data from `challenge/challenge.json` and populates the `Challenge` table using `get_or_create` to prevent duplicate entries. The command handles missing files and JSON decode errors gracefully.
+- Added `MIT License` to the project.
+
+### 2.Changed
+- **Challenge Model:**  
+  - Updated the `save()` method to raise a `ValidationError` if `start_port` is greater than `end_port`.
+  - Enhanced flag handling by hashing the `flag` field using SHA-256 (prefixed with "hashed_") if it hasn't been hashed already.
+
+---
+
+# Pygoat v2.0.1 Latest
+
+1. New themes  
+2. Bug fixing  
+
+---
+
+# PyGoat V2.0.0  
+
+PyGoat Release Version 2.0.0  
+
+* Whole new section for OWASP TOP 10 2021  
+    i. New lab on template injection  
+    ii. New 3 labs on cryptographic failure  
+    iii. 1 more lab on broken access control  
+    iv. 1 lab on Insecure Design  
+    v. 1 more lab on security misconfiguration  
+    vi. 1 new lab on using components with known vulnerability  
+    vii. 2 new labs on Identification and Authentication failure  
+    viii. 1 lab on software and data integrity failure and XXS  
+    ix. Some labs on Insufficient logging  
+    x. 2 new labs on SSRF  
+
+* Section for Code discussion for most of the sections of OWASP 2021  
+
+* Coding playground for SSRF  
+        i. Authentication failure  
+        ii. Insufficient logging  
+
+* Added new section for SANS 25 and MITRE 25  
+
+* Added new lab in SANS and MITRE 25 section  
+    i. Path traversal  
+    ii. Command injection  
+    iii. Code injection  
+    iv. CSRF  
+
+* New Dark theme and improved UI  
+
+* Better Docker file for smooth install  
+
+* Brand new Logo  
+
+---
+
+# v2.0  
+
+PyGoat Pre-Release Version 2.0  
+
+* Whole new section for OWASP TOP 10 2021  
+    i. New lab on template injection  
+    ii. New 3 labs on cryptographic failure  
+    iii. 1 more lab on broken access control  
+    iv. 1 lab on Insecure Design  
+    v. 1 more lab on security misconfiguration  
+    vi. 1 new lab on using components with known vulnerability  
+    vii. 2 new labs on Identification and Authentication failure  
+    viii. 1 lab on software and data integrity failure and XXS  
+    ix. Some labs on Insufficient logging  
+    x. 2 new labs on SSRF  
+
+* Section for Code discussion for most of the sections of OWASP 2021  
+
+* Coding playground for  
+    - SSRF  
+        i. Authentication failure  
+        ii. Insufficient logging  
+
+* Added new section for SANS 25 and MITRE 25  
+
+* Added new lab in SANS and MITRE 25 section  
+    i. Path traversal  
+    ii. Command injection  
+    iii. Code injection  
+    iv. CSRF  
+
+* New Dark theme and improved UI  
+
+* Better Docker file for smooth install  
+
+* Brand new Logo  
+
+---
+
+# Pygoat Gibraltar v1.2  
+
+i. Fix [#57](https://github.com/adeyosemanputra/pygoat/pull/57) Fix Path Error  
+ii. Fix [#55](https://github.com/adeyosemanputra/pygoat/pull/55) Added Google OAuth / Auth with Google  
+iii. Fix [#54](https://github.com/adeyosemanputra/pygoat/pull/54) Change Login  
+
+---
+
+# Pygoat Gibraltar v1.1  
+
+i. Added Authentication For LAB [#43](https://github.com/adeyosemanputra/pygoat/pull/43)  
+ii. Fix For A10 Insufficient Logging & Monitoring  
+
+---
+
+# Pygoat Gibraltar v1.0  
+
+Added vulns done:  
+i. A1:2017-Injection  
+ii. A2:2017-Broken Authentication  
+iii. A3:2017-Sensitive Data Exposure  
+iv. A4:2017-XML External Entities (XXE)  
+v. A5:2017-Broken Access Control  
+vi. A6:2017-Security Misconfiguration  
+vii. A7:2017-Cross-Site Scripting (XSS)  
+viii. A8:2017-Insecure Deserialization  
+ix. A9:2017-Using Components with Known Vulnerabilities  
+x. A10:2017-Insufficient Logging & Monitoring  

LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 pygoat
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

challenge/management/commands/populate_challenges.py

@@ -0,0 +1,44 @@
+import json
+import os
+from django.core.management.base import BaseCommand
+from challenge.models import Challenge
+
+class Command(BaseCommand):
+    help = (
+        "Reads challenge data from 'challenge/challenge.json' and populates the "
+        "Challenge table in the database. Uses get_or_create to prevent duplicates "
+        "and handles JSON errors gracefully."
+    )
+
+    def handle(self, *args, **options):
+        file_path = os.path.join('challenge', 'challenge.json')
+
+        try:
+            with open(file_path, 'r') as json_file:
+                challenges_data = json.load(json_file)
+        except FileNotFoundError:
+            self.stderr.write(self.style.ERROR(f"JSON file not found: {file_path}"))
+            return
+        except json.JSONDecodeError as e:
+            self.stderr.write(self.style.ERROR(f"Error decoding JSON: {e}"))
+            return
+
+        for item in challenges_data:
+            challenge, created = Challenge.objects.get_or_create(
+                name=item.get("name"),
+                defaults={
+                    "description": item.get("description", ""),
+                    "docker_image": item.get("docker_image", ""),
+                    "docker_port": item.get("docker_port", 0),
+                    "start_port": item.get("start_port", 0),
+                    "end_port": item.get("end_port", 0),
+                    "flag": item.get("flag", ""),
+                    "point": item.get("point", 0)
+                }
+            )
+            if created:
+                self.stdout.write(self.style.SUCCESS(f"Challenge '{challenge.name}' created."))
+            else:
+                self.stdout.write(f"Challenge '{challenge.name}' already exists.")
+
+        self.stdout.write(self.style.SUCCESS("Challenge data has been populated successfully."))

challenge/models.py

@@ -1,7 +1,8 @@
 from django.db import models
 from django.contrib.auth.models import User
+import hashlib # Import hashlib
+from django.core.exceptions import ValidationError  # Import ValidationError
 
-# Create your models here
 class Challenge(models.Model):
     id = models.AutoField(primary_key=True, unique=True)
     name = models.CharField(max_length=100, unique=True)
@@ -18,11 +19,13 @@ class Challenge(models.Model):
     def __str__(self):
         return self.name
 
-    # overwriting default save  method
+    # Overriding default save method
     def save(self, *args, **kwargs):
         if self.start_port > self.end_port:
-            raise Exception("Start port should be less than end port")
-        # Here flag need to be hashed
+            raise ValidationError("Start port should be less than end port") # Raise ValidationError if start_port is greater than end_port
+        if self.flag:
+            if not self.flag.startswith("hashed_"):
+                self.flag = "hashed_" + hashlib.sha256(self.flag.encode('utf-8')).hexdigest()
         super(Challenge, self).save(*args, **kwargs)
 
 class UserChallenge(models.Model):
@@ -40,7 +43,6 @@ class UserChallenge(models.Model):
     is_live = models.BooleanField(default=False)
     no_of_attempt = models.IntegerField(default=0)
     is_solved = models.BooleanField(default=False)
-    port = models.IntegerField()
 
     def __str__(self):
-        return f"{self.user.username} - {self.challenge.name}"
+        return f"{self.user.username} - {self.challenge.name}"

docker-compose.yml

@@ -1,29 +1,15 @@
-version: "3.3"
-
 services:
-  db:
-    image: postgres
-    volumes:
-      - ./data/db:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_DB=postgres
-      - POSTGRES_USER=postgres
-      - POSTGRES_PASSWORD=postgres
   web:
     build: .
-    image: pygoat/pygoat
     command: gunicorn --bind 0.0.0.0:8000 --workers 6 pygoat.wsgi
     ports:
       - "8000:8000"
     volumes:
       - .:/app
     depends_on:
       - migration
-      - db
   migration:
-    image: pygoat/pygoat
-    command: python pygoat/manage.py migrate --noinput
+    image: pygoat/pygoat:latest
+    command: python manage.py migrate --noinput
     volumes:
-      - .:/app
-    depends_on:
-      - db
+      - .:/app

requirements.txt

@@ -5,12 +5,12 @@ certifi==2022.12.7
 cffi==1.15.1
 charset-normalizer==3.0.1
 cryptography==39.0.1
-crispy_bootstrap4
+crispy-bootstrap4===2024.10
 defusedxml==0.7.1
 dj-database-url==0.5.0
-Django==4.1.7
+Django==4.2
 django-allauth==0.52.0
-django-crispy-forms==2.0
+django-crispy-forms==2.3
 django-heroku==0.3.1
 gunicorn==23.0.0
 idna==3.4