Correção 01

globocom · Apr 18, 2022 · d2521b2 · d2521b2
1 parent a389795
commit d2521b2
Showing 1 changed file with 71 additions and 18 deletions.
diff --git a/owasp-top10-2021-apps/a9/games-irados/app/routes.py b/owasp-top10-2021-apps/a9/games-irados/app/routes.py
@@ -9,26 +9,64 @@
     request,
     redirect,
     flash,
-    make_response,
     session
 )
 from util.init_db import init_db
 from flask.logging import default_handler
 from flask_bootstrap import Bootstrap
 from model.password import Password
 from model.db import DataBase
-import logging
 import os
-
 from flask_cors import CORS, cross_origin
 from model.db import DataBase
-
+import logging, logging.config
+
+LOGGING_CONFIG = { 
+    'version': 1,
+    'disable_existing_loggers': True,
+    'formatters': { 
+        'standard': { 
+            'format': '[%(levelname)s] - %(asctime)s - %(message)s'
+        },
+    },
+    'handlers': { 
+        'consolehandler': { 
+            'level': 'DEBUG',
+            'formatter': 'standard',
+            'class': 'logging.StreamHandler',
+            'stream': 'ext://sys.stdout',
+        },
+        'filehandler': { 
+            'level': 'INFO',
+            'formatter': 'standard',
+            'class': 'logging.FileHandler',
+            'filename': 'info.log',
+        },
+    },
+    'loggers': { 
+        '': {
+            'handlers': ['consolehandler'],
+            'level': 'NOTSET',
+            'propagate': False
+        },
+        'file': { 
+            'handlers': ['filehandler'],
+            'level': 'INFO',
+            'propagate': False
+        },
+        'console': {
+            'handlers': ['consolehandler'],
+            'level': 'DEBUG',
+            'propagate': False
+        },
+    } 
+}
+
+logging.config.dictConfig(LOGGING_CONFIG)
 app = Flask(__name__)
 bootstrap = Bootstrap(app)
-
 app.config.from_pyfile('config.py')
-logging.basicConfig(filename='log.log', level=logging.DEBUG, format=f'%(asctime)s %(levelname)s %(name)s %(threadName)s : %(message)s')
-#logging.basicConfig(level=logging.DEBUG, format=f'%(asctime)s %(levelname)s %(name)s %(threadName)s : %(message)s', handlers=[logging.FileHandler("ola_povo.log"),logging.StreamHandler()])
+logfile = logging.getLogger('file')
 
 def generate_csrf_token():
     '''
@@ -50,14 +88,15 @@ def csrf_protect():
         token_csrf = session.get('_csrf_token')
         form_token = request.form.get('_csrf_token')
         if not token_csrf or str(token_csrf) != str(form_token):
+            logfile.info("Wrong value for csrf_token - IP: {}".format(request.remote_addr))
             return "ERROR: Wrong value for csrf_token"
 
 def login_required(f):
     @wraps(f)
     def decorated_function(*args, **kwargs):
         if 'username' not in session:
             flash('oops, session expired', "danger")
-            app.logger.info('Session expired.')
+            logfile.info("Session expired - IP: {}".format(request.remote_addr))
             return redirect('/login')
         return f(*args, **kwargs)
     return decorated_function
@@ -69,7 +108,9 @@ def root():
 @app.route('/logout', methods=['GET'])
 @login_required
 def logout():
-    session.clear()
+    if 'username' in session:
+        logfile.info("Logout - Username: {} - IP: {}".format(session.get('username'), request.remote_addr))
+        session.clear()
     return redirect('/login')
 
 @app.route('/login', methods=['GET', 'POST'])
@@ -78,12 +119,20 @@ def login():
         username = request.form.get('username').encode('utf-8')
         psw = Password(request.form.get('password').encode('utf-8'))
         user_password, success = database.get_user_password(username)
-        if not success or user_password == None or not psw.validate_password(str(user_password[0])):
+        if not success:
+            if isinstance(user_password, str):
+                flash("Database error", "danger")
+                logfile.info("Unsuccessful login attempt (database error) - Username: {} - Database message: {} - IP: {}".format(username, user_password, request.remote_addr))
+            else:
+                flash("Usuario ou senha incorretos", "danger")
+                logfile.info("Unsuccessful login attempt (invalid username) - Username: {} - IP: {}".format(username, request.remote_addr))
+            return render_template('login.html')
+        if not psw.validate_password(str(user_password[0])):
             flash("Usuario ou senha incorretos", "danger")
-            app.logger.info("Unsuccessful login attempt. Username: {}; Database success: {};".format(username, success))
+            logfile.info("Unsuccessful login attempt (invalid pass) - Username: {} - IP: {}".format(username, request.remote_addr))
             return render_template('login.html')
         session['username'] = username
-        app.logger.info("Successful login attempt. Username: {};".format(username))
+        logfile.info("Successful login attempt - Username: {} - IP: {}".format(username, request.remote_addr))
         return redirect('/home')
     else:
         return render_template('login.html')
@@ -101,15 +150,15 @@ def newuser():
             message, success = database.insert_user(username, hashed_psw)
             if success == 1:
                 flash("Novo usuario adicionado!", "primary")
-                app.logger.info("New user added: {}".format(username))
+                logfile.info("New user added: {} - IP: {}".format(username, request.remote_addr))
                 return redirect('/login')
             else:
                 flash(message, "danger")
-                app.logger.info("Unsuccessful insert_user attempt. Username: {}; Database message: {};".format(username, message))
+                logfile.info("Unsuccessful insert_user attempt. Username: {} - Database message: {} - IP: {}".format(username, message, request.remote_addr))
                 return redirect('/register')
 
         flash("Passwords must be the same!", "danger")
-        app.logger.info('Different passwords.')
+        logfile.info("Different passwords. - IP: {}".format(request.remote_addr))
         return redirect('/register')
     else:
         return render_template('register.html')
@@ -122,16 +171,20 @@ def home():
 @app.route('/coupon', methods=['GET', 'POST'])
 @login_required
 def cupom():
-    if request.method == 'POST':
+    if request.method == 'POST' and ('username' in session):
         coupon = request.form.get('coupon')
         rows, success = database.get_game_coupon(coupon, session.get('username'))
         if not success or rows == None or rows == 0:
             flash("Cupom invalido", "danger")
-            app.logger.info("Invalid coupon: {}".format(coupon))
+            logfile.info("Invalid coupon: {} - IP: {} - get_game_coupon() error".format(coupon, request.remote_addr))
             return render_template('coupon.html')
         game, success = database.get_game(coupon, session.get('username'))
+        if not success or game == None:
+            flash("Cupom invalido", "danger")
+            logfile.info("Invalid coupon: {} - success: {} - IP: {} - get_game() error".format(coupon, success, request.remote_addr))
+            return render_template('coupon.html')
         flash("Voce ganhou {}".format(game[0]), "primary")
-        app.logger.info("Valid coupon used: {}; Game: {};".format(coupon, game[0]))
+        logfile.info("Valid coupon used: {} - Game: {} - IP: {}".format(coupon, game[0], request.remote_addr))
         return render_template('coupon.html')
     else:
         return render_template('coupon.html')