comer até morrer

owasp-top10-2021-apps/a7/saidajaula-monster/app/app.py

@@ -4,12 +4,15 @@
 from model.password import Password
 from model.db import DataBase
 import base64
+import jwt
+from datetime import datetime, timedelta
 import os
 import json
 import hashlib
 import uuid
 from functools import wraps
 
+secret_key = os.environ.get('SECRET_KEY')
 
 app = Flask(__name__)
 database = DataBase(os.environ.get('A2_DATABASE_HOST'),
@@ -20,37 +23,32 @@
 
 def login_admin_required(f):
     @wraps(f)
+
     def decorated_function(*args, **kwargs):
-        cookie = request.cookies.get("sessionId", "")
-        cookie = base64.b64decode(cookie).decode("utf-8")
-        cookie_separado = cookie.split('.')
-        if(len(cookie_separado) != 2):
-            return "Invalid cookie!"
-        hash_cookie = hashlib.sha256(cookie_separado[0].encode('utf-8')).hexdigest()
-        if (hash_cookie != cookie_separado[1]):
+        encoded_jwt = request.cookies.get("sessionId", "")  
+        try:
+            decode_token = jwt.base64(encoded_jwt, secret_key, algorithms = 'HS256')
+        except:
             return redirect("/login")
-        j = json.loads(cookie_separado[0])
-        if j.get("permissao") != 1:
+
+        if cookie["permissao"] != 1:
             return "You don't have permission to access this route. You are not an admin. \n"
         return f(*args, **kwargs)
     return decorated_function
 
 
 def login_required(f):
     @wraps(f)
+
     def decorated_function(*args, **kwargs):
-        cookie = request.cookies.get("sessionId", "")
-        cookie = base64.b64decode(cookie).decode("utf-8")
-        cookie_separado = cookie.split('.')
-        if(len(cookie_separado) != 2):
-            return "Invalid cookie! \n"
-        hash_cookie = hashlib.sha256(cookie_separado[0].encode('utf-8')).hexdigest()
-        if (hash_cookie != cookie_separado[1]):
+        encoded_jwt = request.cookies.get("sessionId", "")
+        try:
+            decode_token = jwt.decode(encoded_jwt, secret_key, algorithms="ES256")
+        except:
             return redirect("/login")
         return f(*args, **kwargs)
     return decorated_function
 
-
 @app.route("/", methods=['GET'])
 def home():
     return render_template('index.html')
@@ -102,16 +100,23 @@ def login():
         if not password.validate_password(result[0]):
             return "Login failed! \n"
 
-        cookie_dic = {"permissao": result[1], "username": form_username}
-        cookie = json.dumps(cookie_dic)
-        hash_cookie = hashlib.sha256(cookie.encode('utf-8')).hexdigest()
-        cookie_done = '.'.join([cookie,hash_cookie])
-        cookie_done = base64.b64encode(str(cookie_done).encode("utf-8"))
+
+        claims ={
+            "username": form_username,
+            "password": form_password,
+            "exp": datetime.utcnow() + timedelta(seconds = 30),
+            "permissao": result[1]
+            }
+
+        try:
+            token = jwt.encode(claims, secret_key, algorithms = 'HS256')
+        except:
+            return "Error!\n"
+
         resp = make_response("Logged in!")
-        resp.set_cookie("sessionId", cookie_done)
+        resp.set_cookie("sessionId", token)
         return resp
 
-
 @app.route("/admin", methods=['GET'])
 @login_admin_required
 def admin():

owasp-top10-2021-apps/a7/saidajaula-monster/app/requirements.txt

@@ -9,4 +9,5 @@ MarkupSafe==1.1.0
 mysqlclient==2.0.3
 six==1.11.0
 visitor==0.1.3
-Werkzeug==0.14.1
+Werkzeug==0.14.1
+PyJWT==2.0.0

owasp-top10-2021-apps/a7/saidajaula-monster/deployments/docker-compose.yml

@@ -10,6 +10,7 @@ services:
       A2_DATABASE_PASSWORD: pass
       A2_DATABASE_HOST: db
       A2_DATABASE_NAME: A2
+      SECRET_KEY: HJGUY778F
     links:
       - db:db
     depends_on: