-
Notifications
You must be signed in to change notification settings - Fork 44
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improve Flask Analyzer (method, param, header)
- Loading branch information
Showing
14 changed files
with
473 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| import sys | ||
| import json | ||
| import hashlib | ||
| from flask import Flask, render_template, request, session, jsonify | ||
| from database import db_session | ||
| from models import User | ||
| from utils import get_hash | ||
|
|
||
| app = Flask(__name__) | ||
| app.secret_key = "dd2e7b987b357908fac0118ecdf0d3d2cae7b5a635f802d6" # random generate | ||
|
|
||
| @app.teardown_appcontext | ||
| def shutdown_session(exception=None): | ||
| db_session.remove() | ||
|
|
||
| @app.route('/sign', methods=['GET', 'POST']) | ||
| def sign_sample(): | ||
| if request.method == 'POST': | ||
| username = request.form['username'] | ||
| password = get_hash(request.form['password'], app.secret_key) | ||
| if User.query.filter(User.name == username).first(): | ||
| return render_template('error.html') | ||
|
|
||
| u = User(username, password) | ||
| db_session.add(u) | ||
| db_session.commit() | ||
| return render_template('login.html') | ||
|
|
||
| return render_template('sign.html') | ||
|
|
||
| @app.route('/login', methods=['POST']) | ||
| def login_sample(): | ||
| if request.method == 'POST': | ||
| username = request.form['username'] | ||
| password = get_hash(request.form['password'], app.secret_key) | ||
| if User.query.filter(User.name == username and User.password == password).first(): | ||
| session['logged_in'] = True | ||
| session['username'] = username | ||
| return render_template('index.html') | ||
| else: | ||
| return "Fail" | ||
|
|
||
| return render_template('login.html') | ||
|
|
||
| @app.route('/create_record', methods=['PUT']) | ||
| def create_record(): | ||
| record = json.loads(request.data) | ||
| with open('/tmp/data.txt', 'r') as f: | ||
| data = f.read() | ||
| if not data: | ||
| records = [record] | ||
| else: | ||
| records = json.loads(data) | ||
| records.append(record) | ||
| with open('/tmp/data.txt', 'w') as f: | ||
| f.write(json.dumps(records, indent=2)) | ||
| return jsonify(record) | ||
|
|
||
| @app.route('/delete_record', methods=['DELETE']) | ||
| def delte_record(): | ||
| record = json.loads(request.data) | ||
| new_records = [] | ||
| with open('/tmp/data.txt', 'r') as f: | ||
| data = f.read() | ||
| records = json.loads(data) | ||
| for r in records: | ||
| if r['name'] == record['name']: | ||
| continue | ||
| new_records.append(r) | ||
| with open('/tmp/data.txt', 'w') as f: | ||
| f.write(json.dumps(new_records, indent=2)) | ||
| return jsonify(record) | ||
|
|
||
| @app.route('/get_ip', methods=['GET']) | ||
| def json_sample(): | ||
| data = {'ip': request.headers.get('X-Forwarded-For', request.remote_addr)} | ||
|
|
||
| return jsonify(data), 200 | ||
|
|
||
| @app.route('/') | ||
| def index(): | ||
| return render_template('index.html') | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| port = 80 | ||
| if len(sys.argv) > 1: | ||
| port = int(sys.argv[1]) | ||
|
|
||
| app.run(host='0.0.0.0', port=port) | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| flask | ||
| flask-sqlalchemy | ||
| sqlalchemy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| p { | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| console.log('example js') |
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| <html> | ||
| <head> | ||
| <title>test</title> | ||
| </head> | ||
| <body> | ||
| Error Page | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| <html> | ||
| <head> | ||
| <title>test</title> | ||
| <script src="{{ url_for('static', filename='js/example.js')}}"></script> | ||
| <link rel="stylesheet" href="{{ url_for('static', filename='css/example.css')}}"/> | ||
| </head> | ||
| <body> | ||
| <p>test</p> | ||
| {% if session['logged_in'] %} | ||
| <h1>{{ session['username'] }}</h1> | ||
| {% endif %} | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| <html> | ||
| <head> | ||
| <title>test</title> | ||
| </head> | ||
| <body> | ||
| <h1>Login Page</h1> | ||
| <form action="/login" method="post"> | ||
| ID <input type="text" name="username"/> | ||
| PW <input type="password" name="password"/><br> | ||
| <input type="submit"/> | ||
| </form> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| <html> | ||
| <head> | ||
| <title>test</title> | ||
| </head> | ||
| <body> | ||
| <h1>Account Regist Page</h1> | ||
| <form action="/sign" method="post"> | ||
| ID <input type="text" name="username"/> | ||
| PW <input type="password" name="password"/><br> | ||
| <input type="submit"/> | ||
| </form> | ||
| </body> | ||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| import hashlib | ||
|
|
||
| def get_hash(data, salt): | ||
| m = len(salt)//2 | ||
| sdata = salt[:m] + data + salt[m:] | ||
| return hashlib.sha256(sdata.encode('utf-8')).hexdigest() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| require "../func_spec.cr" | ||
|
|
||
| extected_endpoints = [ | ||
| Endpoint.new("/sign", "GET"), | ||
| Endpoint.new("/sign", "POST", [Param.new("username", "", "form"), Param.new("password", "", "form")]), | ||
| Endpoint.new("/login", "POST", [Param.new("username", "", "form"), Param.new("password", "", "form")]), | ||
| Endpoint.new("/create_record", "PUT"), | ||
| Endpoint.new("/delete_record", "DELETE", [Param.new("name", "", "json")]), | ||
| Endpoint.new("/get_ip", "GET", [Param.new("X-Forwarded-For", "", "header")]), | ||
| Endpoint.new("/", "GET"), | ||
| ] | ||
|
|
||
| FunctionalTester.new("fixtures/flask/", { | ||
| :techs => 1, | ||
| :endpoints => 7, | ||
| }, extected_endpoints).test_all |
Oops, something went wrong.