From 5848ff4b5a2cc8a20f788c014be87b53d99b7629 Mon Sep 17 00:00:00 2001
From: Kevin Chung <kchung@ctfd.io>
Date: Mon, 7 Mar 2022 15:01:50 -0500
Subject: [PATCH] Add checking for leaked flags in distributed files

---
 ctfcli/utils/challenge.py | 16 ++++++++++++++++
 ctfcli/utils/tools.py     | 19 +++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 ctfcli/utils/tools.py

diff --git a/ctfcli/utils/challenge.py b/ctfcli/utils/challenge.py
index dc36d12..8595e66 100644
--- a/ctfcli/utils/challenge.py
+++ b/ctfcli/utils/challenge.py
@@ -5,6 +5,7 @@
 import yaml
 
 from .config import generate_session
+from .tools import strings
 
 
 class Yaml(dict):
@@ -387,4 +388,19 @@ def lint_challenge(path):
     if errored:
         exit(1)
 
+    # Check that files don't have a flag in them
+    files = challenge.get("files", [])
+    errored = False
+    for f in files:
+        fpath = Path(path).parent / f
+        for s in strings(fpath):
+            # TODO make flag format customizable
+            if "flag" in s:
+                print(
+                    f"Potential flag {s} found in distributed file {fpath.absolute()}"
+                )
+                errored = True
+    if errored:
+        exit(1)
+
     exit(0)
diff --git a/ctfcli/utils/tools.py b/ctfcli/utils/tools.py
new file mode 100644
index 0000000..1452f4e
--- /dev/null
+++ b/ctfcli/utils/tools.py
@@ -0,0 +1,19 @@
+import string
+
+
+def strings(filename, min=4):
+    """
+    Python implementation of strings
+    https://stackoverflow.com/a/17197027
+    """
+    with open(filename, errors="ignore") as f:
+        result = ""
+        for c in f.read():
+            if c in string.printable:
+                result += c
+                continue
+            if len(result) >= min:
+                yield result
+            result = ""
+        if len(result) >= min:  # catch result at EOF
+            yield result