Merge pull request #49 from CodeBattles-nn/dev

Security fixes

BACKEND/requirements.txt

@@ -7,3 +7,5 @@ Flask-Cors~=4.0.0
 redis~=5.0.1
 captcha~=0.5.0
 gunicorn~=22.0.0
+wtforms~=3.1.2
+wtforms_json~=0.3.5

BACKEND/src/app.py

@@ -1,5 +1,8 @@
+import wtforms_json
 from flask import Flask, request, make_response
 
+wtforms_json.init()
+
 app = Flask(__name__)
 
 

BACKEND/src/decorators/validation.py

@@ -0,0 +1,19 @@
+from functools import wraps
+from typing import Type
+
+from flask import abort, request
+from wtforms import Form
+
+
+def json_validate(clazz: Type[Form]):
+    def decorator(f):
+        @wraps(f)
+        def decorated_function(*args, **kwargs):
+            x: Form = clazz.from_json(request.json)
+            if not x.validate():
+                return abort(400)
+            return f(*args, **kwargs, data=x)
+
+        return decorated_function
+
+    return decorator

BACKEND/src/web/api/auth.py

@@ -2,7 +2,9 @@
 
 from app import app
 from database import get_connection
+from decorators.validation import json_validate
 from utils import salt_crypt
+from web.validation_form.api import LoginForm
 
 
 @app.route("/api/logout", methods=['POST', 'GET'])
@@ -17,11 +19,12 @@ def logout_api():
 
 
 @app.route("/api/login", methods=['POST'])
-def login_post_api():
+@json_validate(LoginForm)
+def login_post_api(data: LoginForm):
     try:
-        champ_id = request.json['id']
-        login = request.json['login']
-        password = request.json['password']
+        champ_id = data.id.data
+        login = data.login.data
+        password = data.password.data
 
         champ_id = int(champ_id)
 

BACKEND/src/web/api/send_prog.py

@@ -3,21 +3,27 @@
 import string
 
 import requests
-from flask import request
 
 import env
 from app import app
 from database import get_connection
 from decorators import get_user_id, api_login_required
+from decorators.validation import json_validate
+from web.validation_form.api import SendProgramForm
 
 
 @app.route("/api/send", methods=['POST'])
 @api_login_required
 @get_user_id
-def api_send_prog(user_id, uid):
+@json_validate(SendProgramForm)
+def api_send_prog(user_id, uid, data: SendProgramForm):
     connection = get_connection()
     cur = connection.cursor()
 
+    f_lang = data.cars.data
+    f_code = data.src.data
+    problem_letter_form = data.problem.data
+
     cur.execute("SELECT * FROM champs WHERE id = %s", (str(user_id),))
 
     fetch = cur.fetchone()  # Can be None
@@ -38,7 +44,6 @@ def api_send_prog(user_id, uid):
     x = list(cur.fetchall())
 
     problem_ = None
-    problem_letter_form = request.json['problem']
 
     for i in x:
         _id = i[0]
@@ -52,9 +57,6 @@ def api_send_prog(user_id, uid):
 
     print(problem_)
 
-    f_lang = request.json['cars']
-    f_code = request.json['src']
-
     cur.execute(
         f'''
         INSERT INTO champSends_{user_id}
@@ -75,27 +77,27 @@ def api_send_prog(user_id, uid):
     meta = {
         "champ_id": user_id,
         "user_id": uid,
-        "problem": request.json['problem'],
+        "problem": problem_letter_form,
         "id": inserted_id,
     }
 
-    data = {
+    payload = {
         "meta": json.dumps(meta),
-        "source": request.json['src'],
-        "compiler": request.json['cars'],
+        "source": f_code,
+        "compiler": f_lang,
         "tests": tests,
     }
 
     connection.commit()
 
     cur.execute(
         f"SELECT address FROM servers WHERE id = %s and enabled = true",
-        (request.json['cars'],))
+        (f_lang,))
 
     server_addr = cur.fetchone()
     server_addr = server_addr[0]
     print()
 
     requests.post(f"http://{server_addr}:{env.CHECKER_PORT}/api/v1/test",
-                  json=data)
+                  json=payload)
     return {"success": True}

BACKEND/src/web/validation_form/api.py

@@ -0,0 +1,17 @@
+from wtforms import Form, StringField, IntegerField
+from wtforms.validators import DataRequired, Regexp
+
+from utils import LETTER_REGEX
+
+
+class LoginForm(Form):
+    id = IntegerField('id', validators=[DataRequired()])
+    login = StringField('login', validators=[DataRequired()])
+    password = StringField('password', validators=[DataRequired()])
+
+
+class SendProgramForm(Form):
+    cars = StringField('cars', validators=[DataRequired()])
+    src = StringField('src', validators=[DataRequired()])
+    problem = StringField('problem',
+                          validators=[DataRequired(), Regexp(LETTER_REGEX)])

FRONTEND_V2/.eslintrc.cjs

@@ -5,7 +5,6 @@ module.exports = {
     'eslint:recommended',
     'plugin:react/recommended',
     'plugin:react/jsx-runtime',
-    'plugin:react-hooks/recommended',
   ],
   ignorePatterns: ['dist', '.eslintrc.cjs'],
   parserOptions: { ecmaVersion: 'latest', sourceType: 'module' },

GATEWAY/nginx.conf

@@ -11,7 +11,11 @@ server {
   gzip_http_version 1.1;
   gzip_min_length 0;
   gzip_types text/plain application/javascript text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype;
-
+
+  location /api/check_system_callback {
+    deny all;
+  }
+
   location /api {
     proxy_pass http://backend:8000;
   }