2 changes: 1 addition & 1 deletion JWT/jwt-signature-apis-challenges/app.js
Expand Up @@ -31,7 +31,7 @@ app.post('/jwt/none', (req, res) => { //None endpoint
} else if (jwt_b64_dec.header.alg == 'none') {
secret_key = '';
}
JWT.verify(jwt_token, secret_key, { algorithms: ['none', 'HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
JWT.verify(jwt_token, secret_key, { algorithms: ['HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
if (err) {
res.status(400).json(err);
} else {
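Review bot: Restricting `algorithms` to `['HS256']` closes the alg:none bypass, but the branch just above it (`} else if (jwt_b64_dec.header.alg == 'none') { secret_key = ''; }`) still lets the unverified token header choose the verification key, so the key material used by `JWT.verify` remains attacker-influenced and the bypass returns the moment `'none'` is ever added back to the whitelist. Remove that branch (and the matching `if` arm above the hunk) so the handler always verifies against the fixed HS256 secret; with an empty secret the library would presumably now fail verification rather than accept the token, but that is a side effect of the whitelist, not of the key selection being safe. The enclosing `app.post('/jwt/none', …)` handler starts and ends outside the hunk.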
37 changes: 37 additions & 0 deletions Lab 3 JWT Patryk Sredniawa 303638.md
@@ -0,0 +1,37 @@
## Zadanie 1 - Przygotowanie rozszerzonego zestawu testów jednostowych
Przygotowano testy, które sprawdzają:
- Testy poprawnych danych
- Testy niepoprawnych danych
- Testy związane z próbą wstrzyknięcia kodu SQL oraz kodu JavaScript
- Testy ekstremalne
Testy napisano dla modelu customers.

Sprawdzono takie rzeczy jak:
- czy klient został poprawnie stworzony
- czy podany wiek jest możliwy
- sql injection
- js injection
- przypadek, gdy dane nie zostaną wprowadzone
- ekstremalnie długi string
- czy pesel jest wyjątkowy
Zgodnie z oczekiwaniami, testy nie przechodzą i otrzymujemy mnóstwo błędów.

---

## Zadanie 2 - ## JWT — wykorzystanie podatności oraz realizacja poprawki
Zadanie rozpoczęto od wgrania kolekcji do Postmana oraz wygenerowaniu tokena dla Boba

![tokenBob](img/tokenBob.png)
Przygotowany token zgodnie ze stroną https://www.gavinjl.me/edit-jwt-online-alg-none/:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhY2NvdW50IjoiQWRtaW5pc3RyYXRvciIsInJvbGUiOiJVc2VyIiwiaWF0IjoxNzAxNzIyODU2LCAiYXVkIjoiaHR0cHM6Ly8xMjcuMC4wLjEvand0L25vbmUifQ.

![przygotowaniePayloadu](img/przygotowaniePayloadu.png)

Po przesłaniu tokenu otrzymano szukany komunikat.
![przeslaniePayloadu](img/przeslaniePayloadu.png)
Poprawka:
Usunięcie none z dostępnych algorytmów z
```
    JWT.verify(jwt_token, secret_key, { algorithms: ['HS256'], complete: true, audience: 'https://127.0.0.1/jwt/none' }, (err, decoded_token) => {
```
![poPoprawkach](img/poPoprawkach.png)
2 changes: 2 additions & 0 deletions Python/Flask_Book_Library/Dockerfile
Expand Up @@ -15,6 +15,8 @@ RUN pip install --no-cache-dir -r requirements.txt
ENV FLASK_APP=app.py
ENV FLASK_RUN_HOST=0.0.0.0

RUN python -m unittest discover -v

# Expose the port the app runs on
EXPOSE 5000

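Review bot: `RUN python -m unittest discover -v` makes the image build depend on the test suite passing, and the PR's own write-up states these tests currently fail, so `docker build` would stop at this layer and no image would be produced. Run the suite in CI or in a separate builder stage rather than in the runtime image build. The tests also call `db.create_all()`/`db.drop_all()` against the app's configured database during the build, when no service network is available, so this can only work if the configured backend is file-based or in-memory — worth confirming against the project config before keeping the step.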
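--- a/Python/Flask_Book_Library/project/customers/test_customers.py
+++ b/Python/Flask_Book_Library/project/customers/test_customers.py
@@ -0,0 +1,87 @@
+import unittest
+from sqlalchemy.exc import IntegrityError
+from project import db, app
+from project.customers.models import Customer
+
+
+class TestCustomerModel(unittest.TestCase):
+
+    def setUp(self):
+        self.app_context = app.app_context()
+        self.app_context.push()
+        db.create_all()
+
+    def tearDown(self):
+        db.session.remove()
+        db.drop_all()
+        self.app_context.pop()
+
+    def test_valid_customer_creation(self):
+        customer = Customer(name='Pierwszy Agent', city='Warsaw', age=30, pesel='12345678901', street='Zielona', appNo='A123')
+        db.session.add(customer)
+        db.session.commit()
+        self.assertIsNotNone(customer.id)
+
+    def test_invalid_age(self):
+        customer = Customer(name='Drugi Agent', city='Krakow', age=-5, pesel='98765432101', street='Niebieska', appNo='B123')
+        db.session.add(customer)
+        with self.assertRaises(IntegrityError):
+            db.session.commit()
+
+    def test_sql_injection(self):
+        customer = Customer(name="Trzeci Agent'); DROP TABLE customers;--", city='Lodz', age=25, pesel='11111111111',
+                            street='Czerwona', appNo='C123')
+        db.session.add(customer)
+        db.session.commit()
+        self.assertNotIn("DROP TABLE", customer.name)
+
+    def test_javascript_injection(self):
+        customer = Customer(name='<script>alert("XSS")</script>', city='Poznan', age=21, pesel='22222222222',
+                            street='Czarna', appNo='D123')
+        db.session.add(customer)
+        db.session.commit()
+        self.assertNotIn('<script>', customer.name)
+        self.assertNotIn('</script>', customer.name)
+
+    def test_extreme_string_length(self):
+        long_name = 'A' * 300
+        customer = Customer(name=long_name, city='Gdansk', age=40, pesel='33333333333', street='Pomaranczowa',
+                            appNo='E123')
+        db.session.add(customer)
+        with self.assertRaises(IntegrityError):
+            db.session.commit()
+
+    def test_empty_fields(self):
+        test_cases = [
+            {'name': '', 'city': '', 'age': 0, 'pesel': '', 'street': '', 'appNo': ''},
+            {'name': None, 'city': None, 'age': None, 'pesel': None, 'street': None, 'appNo': None}
+        ]
+
+        for case in test_cases:
+            with self.subTest(case=case):
+                customer = Customer(
+                    name=case['name'],
+                    city=case['city'],
+                    age=case['age'],
+                    pesel=case['pesel'],
+                    street=case['street'],
+                    appNo=case['appNo']
+                )
+                db.session.add(customer)
+                with self.assertRaises(IntegrityError):
+                    db.session.commit()
+
+    def test_unique_pesel(self):
+        customer1 = Customer(name='Czlowiek 1', city='Wars', age=28, pesel='11111111111', street='Kolorawa',
+                             appNo='A001')
+        customer2 = Customer(name='Czlowiek 2', city='Sawa', age=35, pesel='11111111111', street='Kolorowa',
+                             appNo='A002')
+        db.session.add(customer1)
+        db.session.commit()
+        db.session.add(customer2)
+        with self.assertRaises(IntegrityError):
+            db.session.commit()
+
+
+if __name__ == '__main__':
+    unittest.main()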
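Review bot: In `test_empty_fields` the loop commits inside `assertRaises` but never rolls the session back, so after the first failing subTest the session is left in a failed state and the second case will raise a session-state error (`PendingRollbackError` on SQLAlchemy 1.4+) from the next `add`/`commit` instead of the expected `IntegrityError`; add `db.session.rollback()` right after the `with self.assertRaises(IntegrityError):` block. The injection tests (`test_sql_injection`, `test_javascript_injection`) assert on the `customer.name` attribute the test itself just set from a literal, which cannot fail unless the model sanitizes on assignment (not visible here); a meaningful check is that the row round-trips unchanged and the table survives, e.g. `self.assertEqual(Customer.query.count(), 1)` and `self.assertEqual(Customer.query.first().name, customer.name)`, with HTML escaping verified at the template layer rather than at storage. `setUp`/`tearDown` run `db.create_all()`/`db.drop_all()` against whatever database `app` is configured with, which appears to be the application's real database rather than an isolated one; point the tests at an in-memory SQLite URI before pushing the context — presumably via `app.config['SQLALCHEMY_DATABASE_URI']`, confirm against the project config.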
Empty file added docker
Empty file.
Binary file added img/poPoprawkach.png
Binary file added img/przeslaniePayloadu.png
Binary file added img/przygotowaniePayloadu.png
Binary file added img/tokenBob.png
File renamed without changes.