complete lab3

JWT/jwt-signature-apis-challenges/app.js

@@ -9,7 +9,7 @@ const { exec } = require('child_process');
 const app = express();
 app.use(express.json()); //midleware needed to handle post request
 
-//Environment: Disable unauthorized x509 certificates. 
+//Environment: Disable unauthorized x509 certificates.
 process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
 
 //JWT payload
@@ -31,7 +31,7 @@ app.post('/jwt/none', (req, res) => { //None endpoint
     } else if (jwt_b64_dec.header.alg == 'none') {
       secret_key = '';
     }
-    JWT.verify(jwt_token, secret_key, { algorithms: ['none', 'HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
+    JWT.verify(jwt_token, secret_key, { algorithms: ['HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
       if (err) {
         res.status(400).json(err);
       } else {

Python/Flask_Book_Library/Dockerfile

@@ -10,7 +10,7 @@ ENV FLASK_ENV=development
 ENV PASSWORD=1qaz@WSX
 # Instalujemy zależności
 RUN pip install --no-cache-dir -r requirements.txt
-
+RUN pytest -vv
 # Ustawiamy zmienną środowiskową, aby Flask wiedział, jak uruchomić aplikację
 ENV FLASK_APP=app.py
 ENV FLASK_RUN_HOST=0.0.0.0

Python/Flask_Book_Library/pytest.ini

@@ -0,0 +1,2 @@
+[pytest]
+pythonpath = .

Python/Flask_Book_Library/requirements.txt

@@ -15,3 +15,4 @@ SQLAlchemy==2.0.21
 typing_extensions==4.8.0
 Werkzeug==2.3.7
 WTForms==3.0.1
+pytest==8.4.2

Python/Flask_Book_Library/tests/test_customer.py

@@ -0,0 +1,134 @@
+import pytest
+from project import app, db
+from project.customers.models import Customer
+import time
+@pytest.fixture
+def test_db():
+    app.config['TESTING'] = True
+    app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///:memory:'
+    app.config['WTF_CSRF_ENABLED'] = False
+
+    with app.app_context():
+        db.create_all()
+        yield db
+        db.drop_all()
+
+def test_true():
+    assert True
+def test_correct_customer(test_db):
+    customer = Customer(name="John Doe", city="New York", age=30, pesel="12345678901", street="Main St", appNo="1A")
+    test_db.session.add(customer)
+    test_db.session.commit()
+    assert customer is not None
+    found = Customer.query.filter_by(pesel="12345678901").first()
+    assert found is not None
+    assert found.name == "John Doe"
+
+def test_wrong_name_customer(test_db):
+    incorrect_names = [
+        "",  # Empty name
+        "A" * 101,  # Name too long
+        "John123",  # Name with numbers
+        "John@Doe",  # Name with special characters
+        "John; DROP TABLE Customers;--"  # SQL Injection attempt
+    ]
+    with pytest.raises(Exception):
+        for name in incorrect_names:
+            Customer(name=name, city="New York", age=30, pesel="12345678901", street="Main St", appNo="1A")
+def test_wrong_age_customer(test_db):
+    incorrect_ages = [
+        -1,  # Negative age
+        200,  # Unrealistically high age
+        "thirty",  # Non-integer age
+        None  # Null age
+    ]
+    with pytest.raises(Exception):
+        for age in incorrect_ages:
+            Customer(name="John Doe", city="New York", age=age, pesel="12345678901", street="Main St", appNo="1A")
+
+def test_wrong_pesel_customer(test_db):
+    incorrect_pesels = [
+        "123",  # Too short
+        "12345678901234567890",  # Too long
+        "ABCDEFGHIJK",  # Non-numeric
+        "12345; DROP TABLE Customers;--"  # SQL Injection attempt
+    ]
+    with pytest.raises(Exception):
+        for pesel in incorrect_pesels:
+            Customer(name="John Doe", city="New York", age=30, pesel=pesel, street="Main St", appNo="1A")
+
+def test_wrong_city_customer(test_db):
+    incorrect_cities = [
+        "",  # Empty city
+        "A" * 101,  # City name too long
+        "New York123",  # City with numbers
+        "New York@City",  # City with special characters
+        "New York; DROP TABLE Customers;--"  # SQL Injection attempt
+    ]
+    with pytest.raises(Exception):
+        for city in incorrect_cities:
+            Customer(name="John Doe", city=city, age=30, pesel="12345678901", street="Main St", appNo="1A")
+
+def test_wrong_street_customer(test_db):
+    incorrect_streets = [
+        "",  # Empty street
+        "A" * 129,  # Street name too long
+        "Main St123",  # Street with numbers
+        "Main St@Home",  # Street with special characters
+        "Main St; DROP TABLE Customers;--"  # SQL Injection attempt
+    ]
+    with pytest.raises(Exception):
+        for street in incorrect_streets:
+            Customer(name="John Doe", city="New York", age=30, pesel="12345678901", street=street, appNo="1A")
+
+def test_wrong_appNo_customer(test_db):
+    incorrect_appNos = [
+        "",  # Empty appNo
+        "A" * 11,  # appNo too long
+        "1A@2B",  # appNo with special characters
+        "1A; DROP TABLE Customers;--"  # SQL Injection attempt
+    ]
+    with pytest.raises(Exception):
+        for appNo in incorrect_appNos:
+            Customer(name="John Doe", city="New York", age=30, pesel="12345678901", street="Main St", appNo=appNo)
+
+xss_payloads = [
+        "<script>alert('XSS')</script>",
+        "<img src='x' onerror='alert(1)'>",
+        "<iframe src='javascript:alert(1)'></iframe>",
+        "<div style='background-image: url(javascript:alert(1))'>"
+]
+@pytest.mark.parametrize("payload", xss_payloads)
+def test_customer_xss_name(payload):
+    with pytest.raises(Exception):
+        Customer(name=payload, city="New York", age=30, pesel="43567890123", street="Main St", appNo="1A")
+@pytest.mark.parametrize("payload", xss_payloads)
+def test_customer_xss_city(payload):
+    with pytest.raises(Exception):
+        Customer(name="John Doe", city=payload, age=30, pesel="12345678901", street="Main St", appNo="1A")
+@pytest.mark.parametrize("payload", xss_payloads)
+def test_customer_xss_street(payload):
+    with pytest.raises(Exception):
+        Customer(name="John Doe", city="New York", age=30, pesel="12445678901", street=payload, appNo="1A")
+@pytest.mark.parametrize("payload", xss_payloads)
+def test_customer_xss_street(payload):
+    with pytest.raises(Exception):
+        Customer(name="John Doe", city="New York", age=30, pesel="12445678901", street="Main St", appNo=payload)
+
+
+def test_extreme_data(test_db):
+    extreme_names = [
+        "A" * 1000,
+        "A" * 10000,
+        "A" * 100000,
+        "A" * 1000000,
+        "A" * 10000000,
+    ]
+    now = time.time()
+    with pytest.raises(Exception):
+        for name in extreme_names:
+            Customer(name=name, city="New York", age=30, pesel="12345678901", street="Main St", appNo="1A")
+    end = time.time()
+    operation_time = end - now
+    print(f"Extreme data test operation time: {operation_time} seconds")
+    assert (end - now) < 5

spraw.md

@@ -0,0 +1,26 @@
+# zad 1
+wybrałem aplikację Pythonową, obiekt Customer. <br>
+Testy znajdują się w katalogu Python/Flask_Book_Library/tests <br>
+testy wykonałem korzystając z biblioteki pytest
+dodałem do dockerfile komendę: `RUN pytest -vv` <br>
+
+# zad 2
+
+### 1. znalazłem token który otrzymuje użytkownik Bob:
+od komendy `POST https://127.0.0.1/jwt`
+
+### 2. aby dostać się na admina musiałem:
+- zmienić pole alg na "none"
+- zmienić pole account na "admin"
+- usunąć klucz publiczny
+finalny token:
+`eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhY2NvdW50IjoiYWRtaW4iLCJyb2xlIjoiVXNlciIsImlhdCI6MTc2NDUxNDIxMiwiYXVkIjoiaHR0cHM6Ly8xMjcuMC4wLjEvand0L25vbmUifQ.`
+
+![return](zdj/admin.png)
+### 3. modyfikacja polegała na:
+usunięciu przyjmowania algorytmu none
+w linii 32:
+algorithms: ['HS256']
+
+![error](zdj/image.png)
+