From 1b7e79dffb916558cb935ec0c3be6a1104be2c34 Mon Sep 17 00:00:00 2001 From: brunotorrijo Date: Mon, 24 Feb 2025 18:08:18 +0100 Subject: [PATCH 1/4] flaws branch pushed with sql injection --- jobfinder/__pycache__/app.cpython-311.pyc | Bin 0 -> 7874 bytes jobfinder/__pycache__/app.cpython-312.pyc | Bin 0 -> 6970 bytes jobfinder/__pycache__/models.cpython-312.pyc | Bin 2341 -> 2455 bytes jobfinder/app.py | 20 +++--- jobfinder/create_db.py | 14 ++++- jobfinder/instance/site.db | Bin 16384 -> 20480 bytes jobfinder/models.py | 7 ++- jobfinder/templates/login.html | 6 +- jobfinder/templates/signup.html | 63 +++++++++++-------- 9 files changed, 71 insertions(+), 39 deletions(-) create mode 100644 jobfinder/__pycache__/app.cpython-311.pyc create mode 100644 jobfinder/__pycache__/app.cpython-312.pyc 
diff --git a/jobfinder/__pycache__/app.cpython-311.pyc b/jobfinder/__pycache__/app.cpython-311.pyc new file mode 100644 index 0000000000000000000000000000000000000000..7cc958bdf16e132632572a2d249374557798584f GIT binary patch literal 7874 zcmc&&-EZ606~B}yi4tW=w)`PGPON-5u^h`z(sgZ`uXc&!EXka%PS!>+CMY89$kA6x zx`|!6bqiy40}t^-h6>vP=wZk@BoBSqL;isU-5Y6eh(JI> zW!XAlSLD_GIQQ^=obx;9+&{Lpc@U(>=N`>I^&|9mT&X2zweZblJ3?O|4slc(WvCdH zvBhi|d(57pV|2z5b7Y(`XT}wCQJBV-W-{)Wo0RQoPlk=L8E?!>>U6p-+vb1k$-RoIaoV9a&RCGw(}%4H*z=9&8W#kbPQ>wIP*V$D+88 z8=(a^OhmKK@{)itO~CW|6Z!_v?)m%4H>UAMiPP7loFGhJ%JOG~)Cc_Z8D6|0~ zr>3v+2_b%D`gAUnpO@fxrg->bN?MqHTgc79nE*|+))}pJMr)mOxoa~ie5})ne10^) zpwZWJ8D8jvueZS~z6sef+I0C=K3qSkxb~>7JzI!!j8^{ZW~T zR@mTgCW;eE=RUP_pTZ8R?4V2!3K+i@onvIdntfvYvPQpsY3eeZt}DY!*K?d`IbFO1 zLWPjI25Gz`gqQ5 zohOB)V7*r|OcO}F$4Y6ffyA4+vew=gaP?X#tu^3km^qk1TVrp;H!1YPbTtO6N;Z+< zH71`B#hW>STO6Dkzc_ySa(Fm=_MJ;V3uB7#yXVH=87De$F5Rkc$3@=8kK&C6_N5$?9*MRIAs091& z9xr*+;K5bKT>j39+PmZ~?$LXY;pb|iTIk}G0Ivr4RY#>gc(?CK``(TAy`^!beOPTD zUUioJU3Wgd{juT?tN!pR{gm}@A*Xw^ynp!1!+)6l^~Cz5;@w;Ew#yxZig&;2-7kCh zSAsk4O_VMu{fE^4LrUsR41BH`bX6M5hWN^gHhQV-DLZU z#}#%+Wrt*XNJkFWn3$T)&gU&4fmMxw#IN9R{~buIQ^KDA8BD;3YiX_yC3Ia$0Ul}u z@Nc4Vm}u;h2`uKYFpyL-z@*lK{|o4$)2c4bp{5Cd9F)Lwt|iW8k#_-L_Tltbdqm06Q@EZ90Gvoz`fAU=AKEewrwFgd!b_A#BkJVkOc7pWqh4 z{H>HIiMutYF6ZDA5L6h3j|m5H7KUtb=Ud5SZaynva035`Gl5uoVYd!btjJqSS~^btJPVI8JjWbD2y^(m~7FY7 zRVJL<4E6us^CUE~5gPgGx(x0}=#&~d^&~XD5gJ!Q6KZH;wXMvCwvf#|Mv!Vm@kUiI zh8rD(&MEy-wLhu^N7W#Prp;haDfAWnX#DGQa`1{0yrKrL0Gu+OHP0R2ZQuGWg$b)n zSZ2bc?FrMn!SpK34wcyeGKJ;2+R2?O;_oDkU#Nl&DDJc!{B!EmlkzLT3bS{~YAZ*lFju(?cDvvAREd2H)~fxA6A zF0vhK$JRem*!?QI9|vB;df?RvC!4H)?TtGpZ=bw(pfsxX9ah*QDtl!4Oa%hBx^HO4 z&yL=^BgF-^BeLo;V`-&(=iPMagxY<0mEH8U7agUWk3wI6D9_BPGa1>JReV|1mtD2j z!B8}SuO%1`DNICV2<$Zt8#h_s+R-~FZlC!4)Y>VSG+^VgFE7jN5q%jleWd0Hf)}2f zmn;y8g`7Bo928pL1#rkJh~NaYQjdms%?fBB!1hTJOArAz;`e+mZ;~J!=#V)Rw_S7U z^A_HO<|%kZY}&!<(d^2Fbzg~A=s}gnq4J9YX!jTv?KlWf^Yt$S&(`a=uHpxn2pry2 
z6W4J6L2f+id$ZV9o3O5Qj;6|n-9@2czl?$8szmq+kh}-4_&Q{;Z7-=5SdLC9>_L@1 zDANbYaaeW^uY^cW`u}KLIrAL^YJRWKUD2iR>S2@EX0K&mE_fo*Ccn}iX~M`I6nTe8jsFakT` z)zlagy#PTPOtDq>KubI(1Zid_BF<*50v3NTiQxRlbt@+vg%)BnB7vsLg~g-6_ZP4c z)58jE(KRRFX*PGWnMrFg4PxAgk-}%B+b|vHn3}>1XQAhp@QTkMdwG@J^aj^17JF3h z?&a}{uWKz`JgWKzmnSMD3^=d)4=kUn5Yx4!c0`viw6uGkwz4l+4)m1Ud&`{z<&N&V z!sOnWz{o?~1>MQO zTS@MI^+=3dA_edz`i;2wembFFoD0|sg^Q;g$HT=GaZ`v(;!kBoDUnU`qe*g;E@0Kr zPn4Xo$HW3(RN<-N2s9oCuO*+y;T^t!*Vq{$mx<@D;d^6^No7+~9CteeFuMAsu3v_rN&Po3;Czk2SI+)8fQ zUPks6&lA+Wfx6c}P|z+F?UK>1GGdo)E9~lN1qDY%5>cPt!!OI)LbRna~Sl_WycZtDYkEpOPTQ{C9WSDx`XgP#v@9N@) zy;rvPmfhYv1Gfhhcc1F+!#*)Y_K=mCu2tJw+vol@|EeEksM<{Wo?(J-4bu9chSK-n zf8WqTs!wUxXA_@JtnXW%FmM3i0iG=vqWfS@A`Y4U5(%7j*dIISvu@X8F9rF(0K2)p ASpWb4 literal 0 HcmV?d00001 
diff --git a/jobfinder/__pycache__/app.cpython-312.pyc b/jobfinder/__pycache__/app.cpython-312.pyc new file mode 100644 index 0000000000000000000000000000000000000000..3b211889a0a7c31d184aab95fa5a91fa9e1f8f0b GIT binary patch literal 6970 zcmc&&TWlN072PG54{<3{67`^DIi};tHf2$c?WT#JiDS!hZC6esC$R~k1jSv+q?eD( zu53%8QVA&_2@N0_C?FM0Q5NV&3i~5KfBapvMSy;k4B1Lu$Vh?;DEcSE0Rs4|_s(*b z6ivw~P@qF_c4p_^**lMW?wR>ZW21|M^yiBY$G`G&+&{6xlD%AbqFXp_nUgq)SGXh} z=98ANC20*?lR{WX+QPP^J#0@p!VVr~EQ&MP5N@DltKv$EVKM0ryJ=le8k3%|hn8)M zH|Y&~Y1ytcC7Z%cwCqrtlP%#Ep0jW=FZ=HEh85vfxi!(tOshN-p-P#RWDnD#y?7J- ztflglTPrfq^N~smD@jf!AvOGzyI+1C?%YP&C5e)I-14CDKFk&-$y24(wT+hd8Lg%& ztzFw_H9w=(Ql-_sjg~o=Qfrm;?ro&o%+a@3Nx!h2G>o0E8hb~T&K}t(`EMQMIC2`a z&lBJwKWuAjR2cDIex*qIeBjCBo&dJVw+!0RY?^t;5 z27HI-KHh!TdV{;e2fP1`>OqHYyP!nXTe_FXDM=;~O-^Q%s3z+UBELT&tD5d4vJ@wB zOw%0`M2U>0iEbMMotwHtl~pyKP6c`0HT&%bC|0uXJzf|Im`uxA>AFDATTvrWCDlOkc`GtkxX=4)@@39Je~>)qyavq zTgPRMAa)S^^6$7O`2DBvpF1&vQ=yKGYH317uBPPkBz{{SIWMcXv~*_V-0;W^IZ7f& zN6w{_nF$RRU|5DP#|ld@7NzG|(7EcZ)JvSoS5?Z2|Im7KO{PS$&ZLO-h+&je0YP0E`4X4;yy zCLm1ICgz;eLRKJ$vV!D5do;6u$$1Lv%}h^fVD|8w=3{TQHdc~cterh!r&hE@_I4X> zH*054(C#q%ZmhfwdWJ|hH0Vy;(y3@t)}5KCs@_QxX{u*<;L5UR$L zF8B+;m2*tiVmH$%ncz}aT#?|;3EIdWd>epFw*jn?N!?Clbwbf}0mrD~mjajwE+Vys zW;hu2A!LRVeK`B!O8Xa%J?p-%yu>f!Z=m+}{`=Wj&w z*GKcCv3#3UY?9|~>&?F9u6tdp&HDH#!oNwtVx%aR8c6~CKyIkykx#&BRcOTinhEU1fZ!`=RyZeg1P~IKd z5W7}R6~%*j;h^Epj>BqvJT;No;<*S{)N`-Ex_vj#UE+!Tf9ktnf{_ySJY1k2Zh6iZ zZB)vtG3v%8OmAnsL+lVMWmd{^5A4h@>S4eZ58tDi7$7;A7Wks+p%tI5kSHbxzGz0I zESKf8maO$b!~OD@r)?TK2Th4~R;oM`IKY~eHPH=h*jam5jVe^x$UwI;DieRU8I_4Z zRioO?`j$-mfwjpb-S@! 
zA-GbvMFva`VHSXFYWLY#EIpCZ5IulONL47KOzt&sL^OIZfW%9IguIA7?86NA0@)9l z-Y^zdFzSv@0;!1;RjY-M3e;GmlBC;X>0~ml8K`2fXP(|jM-fkr8-}l+gJVbi`>#P2Of`6dsADnOehv=t}(pPea4CJ_2><$%u{dsr)hOZ;% z|4eu|@cG4(?;U_Pr)$x*;9B%7c$V&#oPlzE)!A8ac9xvGHk^%lPpIVVH)w^U=s#HW z2J_C~IzZ6rq8Q8zK?8zphmkvN0U(n))2KY zGU8^U3EUGkNwQL6^M@)aj8rvAG60Q#j+6mtmgh*>%dl6mtKJtWDVY{3;ADVL7N}Cf zgpG=s51jYQBpN`;grY=6z$`r%ly=tM8I&rpQcarb(R&lL*h&G^wlE{>t~x?WO=563 zZP)g)CP~cNAGq0x%K$ZG0|qys1j?qxH3d#efC-ssYEpM9=~z^Q1CcIDvKk}t3|4@A zd=K?r!R-5(y$YG$kV&fmUVuDL{cunU7}Xjq!xfsMhYkbD;KT%sUkx@>_Cs)rtEi3% zYqfZXTST|SC4)E}My;1IL-)|FQAIKE%s~)|>RM}s&yo|+s-n{xC{~6sw2_j#)7bnk z$N(}scxK_uCkJxz+7dJf3E4JL7hyKq$$d4sf$C8DyWXY47w^qZL z3b0id#txPMwrWmC8=`0N_`>nU(+j76_Bt2|sCM$xYbEh$UO39A6;Rgngti6QaHk@= zJb4$g=O1Auj_orDz4dmvc^Ike@}PByQf;~)&0}aLovGRo$p5L8l-25X!&34FydH+X z8h{KIOAzNS&t6{g#s}dQm)-7Y@<+-7+a?GF|*j|Cg{P z8Rued=QFPvigpZ<5(`B;OFbKk>V(Jy&Ph$u%z90@6)L=%@#UVhlMBZzy61o9g-sB2W!cCKy5t4vq%~-41}4O5dp$P_{9Hh87wk zYIrc*K9r$_T!5~B41e{nknQY&8*bm?m4z!S9R>H^nSpgr+oH0dtQ;?RdS(XK%T)PN z!Fyol;(9rJOcz>0GncoEKCZ?!k8iE1W39P!t#!{@OZ#%~z25cK?&YiZt`=K+zG-xb z_L+0vG;ub^+@;w|b3?O3OUFt=$GTw0`l`@Y5Za)=AvEM&FPS)cx!8KJiUsS=NQ7P? zMuzZ0%_hmC6XU^s#)axFf*wLcu@S&=qUe31aVVh|9!+@ldMl#7uSAXOR^kFFxFktS zGF+li3P8iXH=a_pXeuW6$LRel!AmYl$aBbIrO|x%L9rzI409y|BiKGnP4VR-8Xq;+nqVg}Khz&iP{>z3|v# z<@Z0aa+an|EN!|ti;cFuwj$@=U5U(e7WvR)OA8-Fq5e%QZ60Jo$5$qDV=HMC>PMko z6grGTy%nKXSKi58Sh5#*;<90}bs% zO+OmiS26Ttu07|(&V!FF?S=)tn^@X>nG@XeQ(ss+*Bac5dlvQ-8@e8Iyv@JnY@4?% zHZC-N?ETgX^{)iS+~Dls(n~Xge-k=39h}hhtp(n1qVQ7{H_{)EwG8aF{%Nmmpx5yq D+34@j literal 0 HcmV?d00001 
diff --git a/jobfinder/__pycache__/models.cpython-312.pyc b/jobfinder/__pycache__/models.cpython-312.pyc index f07d8fef01d3b707d3a66c2c9815141a73e78ebb..97a191344ebdad720d1fd679c938b1cb24a5f5a8 100644 GIT binary patch delta 453 zcmZ1~G+mhYG%qg~0}vea*pdEfBJUEWBF4$CEY0kUDJ*MPS2IsO%VIfsA0rPp`)VeT zG6sey&dCc|4MAdz?31Hel_tMskp%L%M4>vMs<=})S{R~uCf{b1RtNx!xoI-pVk^zd zEG$jE#gSKJ@&M29L?+9I}&7GF!5K zW?^L2+^o#vz{JQiIfZRKqu68-_6Rm*pcO?blZ)6xB;`R&5fC8+A{1c+@8tXJR|`R0 zKTVb*W*~iw)i*ySHK&Lbrlbf}?=KFU-29Z%oK(9aU7!+1ATHJb5+9fu85!>~2!3JV iVASj|>bK~$_`(2Wei7kfH1AOA*XY#v$^c}7T>${9rFCck delta 385 zcmbO(yi|zyG%qg~0}w29+L69>BJUC=4aUjaSq@I#$H+BVfQf~heKj*knt>sTbMk){ zL!da%SVD_ai$Yd1-r_DO%FInHs*KN0t$djR)Z+#elsBSx3NdCDFO8rDNlaF9wI3RVv2wW zArPSeBX}kUa$L0las4z|ia;T7i`6$jB{ipr6{e&JRqrnjo80`A(wtPgBAv-`oMOuC hjA|W5{T7`TUl@SQFG5_5<{e7?8l4(n8GuZ%r2uG~Wyt^l diff --git a/jobfinder/app.py b/jobfinder/app.py index c063b29..f7248cc 100644 --- a/jobfinder/app.py +++ b/jobfinder/app.py @@ -4,6 +4,7 @@ from instance.config import Config from db import db from datetime import datetime +from sqlalchemy import text # Add this import at the top app = Flask(__name__) app.config.from_object(Config) @@ -18,12 +19,16 @@ def home(): @app.route('/login', methods=['GET', 'POST']) def login(): if request.method == 'POST': - email = request.form['email'] + username = request.form['username'] password = request.form['password'] - user = User.query.filter_by(email=email).first() - if user and user.password == password: - session['current_user'] = user.id # Store user ID in session + # Vulnerable SQL query - now properly declared as text + query = text(f"SELECT * FROM user WHERE username = '{username}' AND password = '{password}'") + result = db.session.execute(query) + user = result.fetchone() + + if user: + session['current_user'] = user[0] # user[0] is the id flash("Login successful!") return redirect(url_for('main_page')) else: 
@@ -35,16 +40,17 @@ def login(): @app.route('/signup', methods=['GET', 'POST']) def signup(): if request.method == 'POST': + username = request.form['username'] name = request.form['name'] email = request.form['email'] password = request.form['password'] - existing_user = User.query.filter_by(email=email).first() + existing_user = User.query.filter_by(username=username).first() if existing_user: - flash('Email already exists!') + flash('Username already exists!') return redirect(url_for('signup')) - new_user = User(name=name, email=email, password=password) + new_user = User(username=username, name=name, email=email, password=password) db.session.add(new_user) db.session.commit() diff --git a/jobfinder/create_db.py b/jobfinder/create_db.py index 8fc63f1..fd43547 100644 --- a/jobfinder/create_db.py +++ b/jobfinder/create_db.py @@ -3,9 +3,21 @@ from models import User, Job with app.app_context(): + # Drop all tables and recreate them + db.drop_all() db.create_all() + + # Create a test user + test_user = User( + username='test', + name='Test User', + email='test@example.com', + password='test123' + ) + db.session.add(test_user) + db.session.commit() -print("Database created successfully!") +print("Database created successfully with test user!") 
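Review bot: `new_user = User(username=username, name=name, email=email, password=password)` persists the submitted password unchanged, so the database holds every account's password in clear text. Hash it before constructing the model, e.g. `password=generate_password_hash(password)` from `werkzeug.security` (shipped with Flask), and have login verify with `check_password_hash`. The `User.query.filter_by(username=username).first()` lookup before the insert is a check-then-act: two concurrent signups with the same username can both pass it, so the `username` column should carry a unique constraint if it does not already (the models.py hunk of this patch is not legible here) and the `IntegrityError` raised by `db.session.commit()` should be handled. signup's body continues past the hunk.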
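Review bot: `db.drop_all()` runs unconditionally every time the script executes, so pointing it at a populated `instance/site.db` destroys all data with no prompt; gate it behind an explicit command-line flag or environment variable and keep `db.create_all()` alone as the default path. The seeded account (`username='test'`, `password='test123'`) is committed to the repository and, given the login code in this same patch, stored in clear text, so it becomes a known credential on every instance built from this script. Read the seed password from the environment, or create the seed user only when the script is explicitly run for a development database.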
diff --git a/jobfinder/instance/site.db b/jobfinder/instance/site.db index 8f36b1ce35698be5b20925cc701f2012d7e702ef..c28aa2ccd5e2b2aed36e240c285d7418e04ab80f 100644 GIT binary patch delta 332 zcmZo@U~E{xI6+#Foq>UY6^LPgZK95`C_95*SvN2L4+a+ALE-cL0Qdp9hl#`m3p9Dm#o3HU2GjdijvWts~GB$@#7UH)ODlJYe%1g{mRS0to za`tcx(y*9Z#cw#-ho5iqY<_{sS^V;oSM$rr!<1?2C~$Fx`gsP1x+-X-<|bz5XmV+) zGf%$AugGQuQp7U(Jij^16$bt*n*{|<@tbKevN4EC%j=e;7MFmqp^w=|_ WP2dHEj{rE3Sb!um5HmqF@B;t`wpcg- delta 309 zcmZozz}V2hI6+#Fg@J(qgkgYbqK>gJ3xi%+H!uGW24>y^4E!AY=Xnoo78LN~6>D;3 zW)~M0W^5@eNleN~&B{*#B9_hNyvB^2E{yErqN0pV*^@W(S@Gv3=B6ryIR-gbhtYRet|4N`U=kte$GIB8J3o6QLItJ&b zm6RtIr7F1QrDx`)rWS?z`X(k8mlS0tXOy_-=cg!m' + return f'' class Job(db.Model): # This defines a "job" table id = db.Column(db.Integer, primary_key=True) diff --git a/jobfinder/templates/login.html b/jobfinder/templates/login.html index 2e72951..794aa50 100644 --- a/jobfinder/templates/login.html +++ b/jobfinder/templates/login.html @@ -25,9 +25,9 @@

JobFinder

- - + +
diff --git a/jobfinder/templates/signup.html b/jobfinder/templates/signup.html index ea6e351..5b2039d 100644 --- a/jobfinder/templates/signup.html +++ b/jobfinder/templates/signup.html @@ -3,34 +3,47 @@ - Sign Up + Sign Up - JobFinder + - -
-
-

Welcome to JobFinder

-

Find your dream job today

+ +
+
+
+

JobFinder

+

Create your account

+
+ + +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ + + + + +
-
- -

Sign Up

- -
-
-

- -
-

- -
-

- - -
- -

Already have an account? Login here

- From 6d64c701d830ed6fe8dbd3f822024443ed4fe25c Mon Sep 17 00:00:00 2001 From: brunotorrijo Date: Mon, 24 Feb 2025 18:22:20 +0100 Subject: [PATCH 2/4] broken access control implementation --- jobfinder/app.py | 27 ++++++++++++++++ jobfinder/instance/site.db | Bin 20480 -> 20480 bytes jobfinder/static/styles.css | 32 ++++++++++++++++++ jobfinder/templates/admin.html | 57 +++++++++++++++++++++++++++++++++ 4 files changed, 116 insertions(+) create mode 100644 jobfinder/templates/admin.html diff --git a/jobfinder/app.py b/jobfinder/app.py index f7248cc..cb435fd 100644 --- a/jobfinder/app.py +++ b/jobfinder/app.py @@ -116,6 +116,33 @@ def post_job(): flash('Job posted successfully!') return redirect(url_for('main_page')) +@app.route('/delete_job/', methods=['GET']) +def delete_job(job_id): + # Vulnerable: No authentication check! + job = Job.query.get(job_id) + if job: + db.session.delete(job) + db.session.commit() + flash('Job deleted successfully!') + return redirect(url_for('main_page')) + +@app.route('/admin_panel') +def admin_panel(): + # Vulnerable: No admin check! + users = User.query.all() + jobs = Job.query.all() + return render_template('admin.html', users=users, jobs=jobs) + +@app.route('/delete_user/') +def delete_user(user_id): + # Vulnerable: No authentication check! + user = User.query.get(user_id) + if user: + db.session.delete(user) + db.session.commit() + flash('User deleted successfully!') + return redirect(url_for('admin_panel')) + if __name__ == '__main__': with app.app_context(): db.create_all() # Ensure tables exist before running 
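Review bot: `delete_job`, `admin_panel` and `delete_user` read and delete records with no check that the caller is logged in or entitled — `session['current_user']`, which login sets elsewhere in this file, is never consulted in this hunk. Each handler should at least begin with `if 'current_user' not in session: return redirect(url_for('login'))`, and the deletes should additionally verify that the job belongs to the current user or that the user holds an admin role (the `User` fields visible in this series do not include one, so that needs a new column or equivalent). `delete_job` is registered with `methods=['GET']` and `delete_user` defaults to GET, so a state-changing action is reachable through an ordinary link; register them for POST and submit them from a form carrying a CSRF token. `Job.query.get(job_id)` and `User.query.get(user_id)` use the legacy query API; `db.session.get(Job, job_id)` is the current form.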
diff --git a/jobfinder/instance/site.db b/jobfinder/instance/site.db index c28aa2ccd5e2b2aed36e240c285d7418e04ab80f..e8a193969537968477449d0499e60fef1679f19b 100644 GIT binary patch delta 220 zcmZozz}T>Wae_1>=R_H2M$U~1OZYjM_}4M;U*TW3Sx{gRznTgY8-uvGxOP%eXX9TNfVrLfREJ-ac;bLH5VB){Q zz<-1P4N%P)ei312ZHO9#NlcU9*h{c6@}FSfKe3t1VIRMR86yV+KM?3TrT_uRAcxe7 l#N2|MRFKU^21cg321dF@CJKh;R)(flrY3r3CdQ`5765?hKjZ)a delta 96 zcmZozz}T>Wae_1>`$QRMM)r*fOZeFs`L8hWU)e0EaEgEO6?p?7{|5vA4H^*auW?0RUxX8_56w diff --git a/jobfinder/static/styles.css b/jobfinder/static/styles.css index 587c5c0..abd5d00 100644 --- a/jobfinder/static/styles.css +++ b/jobfinder/static/styles.css @@ -333,4 +333,36 @@ textarea:focus { color: #166534; } +/* Admin panel styles */ +.admin-table { + width: 100%; + border-collapse: collapse; + margin: 20px 0; +} + +.admin-table th, +.admin-table td { + padding: 12px; + text-align: left; + border-bottom: 1px solid var(--gray-light); +} + +.admin-table th { + background-color: var(--primary); + color: white; +} + +.delete-btn { + background-color: #ef4444; + color: white; + padding: 6px 12px; + border-radius: 4px; + text-decoration: none; + font-size: 14px; +} + +.delete-btn:hover { + background-color: #dc2626; +} + diff --git a/jobfinder/templates/admin.html b/jobfinder/templates/admin.html new file mode 100644 index 0000000..d76f676 --- /dev/null +++ b/jobfinder/templates/admin.html @@ -0,0 +1,57 @@ + + + + + + Admin Panel - JobFinder + + + + +
+

Admin Panel

+ +

Users

+ + + + + + + + {% for user in users %} + + + + + + + {% endfor %} +
IDUsernameEmailActions
{{ user.id }}{{ user.username }}{{ user.email }} + Delete +
+ +

Jobs

+ + + + + + + + + {% for job in jobs %} + + + + + + + + {% endfor %} +
IDTitleCompanyPosted ByActions
{{ job.id }}{{ job.title }}{{ job.company }}{{ job.posted_by }} + Delete +
+
+ + From cdf2c709aad94349231dc32cb746bc845eb4143f Mon Sep 17 00:00:00 2001 From: brunotorrijo Date: Mon, 24 Feb 2025 18:48:01 +0100 Subject: [PATCH 3/4] cryptographic failure, insecure design, identification and authentication failures vulnerabilities implemented --- jobfinder/__pycache__/app.cpython-311.pyc | Bin 7874 -> 13246 bytes jobfinder/__pycache__/db.cpython-311.pyc | Bin 0 -> 319 bytes jobfinder/__pycache__/models.cpython-311.pyc | Bin 0 -> 2594 bytes jobfinder/__pycache__/models.cpython-312.pyc | Bin 2455 -> 2576 bytes jobfinder/app.py | 76 ++++++++++++++++-- jobfinder/create_db.py | 4 +- .../__pycache__/config.cpython-311.pyc | Bin 0 -> 578 bytes jobfinder/instance/site.db | Bin 20480 -> 20480 bytes jobfinder/models.py | 1 + jobfinder/static/styles.css | 13 +++ jobfinder/templates/forgot_password.html | 40 +++++++++ jobfinder/templates/login.html | 1 + jobfinder/templates/reset_password.html | 36 +++++++++ jobfinder/templates/security_question.html | 42 ++++++++++ jobfinder/templates/signup.html | 12 +++ 15 files changed, 217 insertions(+), 8 deletions(-) create mode 100644 jobfinder/__pycache__/db.cpython-311.pyc create mode 100644 jobfinder/__pycache__/models.cpython-311.pyc create mode 100644 jobfinder/instance/__pycache__/config.cpython-311.pyc create mode 100644 jobfinder/templates/forgot_password.html create mode 100644 jobfinder/templates/reset_password.html create mode 100644 jobfinder/templates/security_question.html 
diff --git a/jobfinder/__pycache__/app.cpython-311.pyc b/jobfinder/__pycache__/app.cpython-311.pyc index 7cc958bdf16e132632572a2d249374557798584f..6301d91361f10f4b9e423db45326f1e5cd74bc91 100644 GIT binary patch literal 13246 zcmeHNTWlLwdY&PN-~@yvKK-WhMkH{&BQk1I`Q>SpTHdw1HOVP=>NJHx8aRJuMB zmoOe6)i1bS z241+J23%U=f)z44YRU-JkkL>fBU)2NV+|SM3K^X>WjJPmYp$rm>>c(o< zg%KnxMlez#Azo8L8^>0W&|V>7Urh-ej`l|@>h7;ux6@I#tDudjLQf4lx1Ae=+%Z9elL;Zmrd=XpVKU(VfvBJa6ec0RQLcP1nfd@BS-~KI--w>jKgaol@+;gP8Z$ebW^~y=~>30O6w4Kxbbe*VK&u!@=2LiHZzh+PMwcEa)a_h`7uw|YeMLr&45P@f92`Nx5s4nzVZwhiwJ{|(^`NF6ndwDLuSE3< z*vPDS$J7oh?y1Qe3ib9|*Kfe|`ZBzDJICd1vx`SSo!$39YhZTaQBT&{)pY79DKIt; z)26sg^YxIh&i5i%a4prS={9Q?Eo(-vML6u8ecp?B8Y_}rgCCM&&}8AL0`UpKc?u*@ z?{kk`-b0rdGIiQ5>7vWBt-C;^dxrbcc5Q>dyni-pkG$0jJ@;~Qdv8v{RyPTEG?*amL>wzLKGMj z8Y^Ztnc)?BDVfjT%L&{{@Ab*6ljm;42jdssdFxsnbHv}hIQh<`dW)Ikr{eu9js5Yn z)92%QHJtYY*)QM~D1?EmG+f0x9?vh&%>fY3FQ@kjO*p^pQub~#o#NuEO2p>?Kmj6B z$#h<5#^ruBfAqGPNhd-AUV(~N(-egQc+Duj+W@cW)GfuG;f^R?K0BA=c%|+(f1gV& z0457~#Ryn~HF)vy_W>3FwCQeuc7d@HTn-;qM=!8=DvIn2>!jFEZ;P9 za)?JEe$BJf5PsIa-O#<&&|RFA8wOFs;F`A-Y<}|L;}7Lv90lWR)YnXKkMP!wmih)a z$A7!Z{L=9+A=NrqX7P8Ar)ln@1*!CKzcBck5 z*-;IKTu+N8@>%c;kVa>K{}vv~R60Nyi#7aFbo7`t|C`X!U8Buj^UV(_5ijp@TEwea zO+^DA^&I@aK)m$X5uiGHIxx{w@CZYqWj_Tzmu=?-=wvp@hJQ|UwATZ4vfzJ#D3AqL z!CjzU`d@&GeQwyChh7nbR5>jgb&3{?pqD}~z4o_2>#EmoFzc9i_P#@1YriW|xmLe_ z43&G$H*z&mS;ZlRQeoM{gVU7OKq)Yvyqg2>hM%3wrE|h(q{_Gw!A_D2%gMCBC%Ff4 z{(dSi=JzRHO%ruw8-jAjMDFMLQ0lg+nyOSKJc;|ANOiI)c z*{30Lm3AxjY9CYC1fn4J-H+FufCOSubo{K*8=c zYA4kCjNNz_g?a&Oe-eD}w8cM-N_|IB+p)F4ZY27te>*a~6&e2GwgmoSLCA50LHJo zG0FeeHzo$`0kj*SQ8czdFx^J7LMlg^+G~dlaFki23bAOI1|#VQ(_td002}=$?OA#PUq&5BJA@OhU4>dLTU*=0Or04!i5u< zoW$f55T$M@mj{#uIQ$_3`~SH1=m6a&;9OBR%NpcDAOLo%`9y>2&I))6EWWFOwN7Bh zQ>wU9oaPB1!L^QJf|r}(PNvg3$PVM&YOQs{YlSmVT8XN-jjB6;0T=rCG9nqNfo87YvJ16dTvuDMmm0fQ@*|Qf|qzg0QQjwprcRC|<4I0-o8M zaOJV#1e-}QkFGoo6e*eNMHCKgyei;PH-?w?EG(ev{a*!{wfk@H#UEiJEdDU(h*zl* zDpR>v>h%U|O6RGnY!ozGaEzBxQ4MVg7l9=SSN;tkFl?`>6nGt-mYE^M3`x|GIvuu= 
z!#z<~PWpe*xN_FL6(Jgi%W8lf#;`h%-56Hqscj4m^YBL*drGwI1k7EC8DkQ0IHH^u zjVO}ctijI83wsv0wDiy;8mCG&16$QZRxz;EYg=}E`kS2Q3^2kP^Qqjc)iSUSQ*75g z&=S7|L8_UFgtuC*FaZq(lL(uNSsL2g5xZ}7awpKd zp58c)0==tK+9u*M3ihvF+)+)}L)193dZnh_^VgRG;Zmrz)X-LHij^8$o(=9aMW4MT zH}#^X-o1JsLh=U1F)~iO#`TDz~RqF#yCFB!(;(ukDW|q#W&$*HpNZMSsiM_elGIMaX?U%j>^SC?2tTP!Z3^RxscTd=|EWdGP{ z3E10}w#(qzX`|`fPh+{yb^s0Te+K5esM#_IVyXxdL(Jujff=WuBWHfokRHqS+> zuRKRxQnY#nBu4(1t`}fiKZi?8s^7HYSNoy51E0ARj~WA3-C=O`o9$@F80%SI6!1t6((FHdeRe|cD9&dAIe#GH|+ zGn#|hu4^oAn5MG$?*DZbhL-rLI@^weXf>1;PZ}t#IpyjO%urfk8p>;Etgk#H0yabT zWl>gH%pklArGJe%44q{|+7@Y}UuO0rX8-E>l8?bUJ8aR;jUJhfAvz|}F-xvpX9s0^ z2+>0lJ*4UEHMwaJH4WN5&6Us?oUAP5L~voXQ=sa4d*&6W&ynRI$*KrF(UT?SZjaqt z_4mhcpLpr;-CysN5$wxQfi%N7){{hz!kcpIDzSQdoFnjIw_Fgvwnm35PAzwbio>jjufKb9pBVLYXtFbIl%t7YTdJQ^WDEt|4e*#y24Tv?QiZ}0; zldqj%cztC%*u53(-h59AcFVz|D0p-`cycRvQVvd_;6(YHimDqZ^$h&>8k|yHmDzo2 z@KfqJCP&{u(KqDqaTGo-vB%YOsXm$QM{K{u_QMI3)KQKg7+degv5G;gzMePK^~~8$ ziSCl{t%P9-V2xP(<{z{EHmhW;Y9oC3v8~*YYuho^2tgJtdn6d|a)-&3Py2MuSK(l#{q3^j5?5EQC8AzF#0=Y4v<3xDS{%X) z@7L_$Yd}E{X2#=SIq!_)N7W%zBkYs-5d*dsVRs3CiSH}W;xBM6CjS6eIri{V(W15M zS)n+MS`V$U7DM|QXyK_F-HCR8dS#Q{9yqZza6%q9g$7Q^(Fqit*p6P@io&tuWfZ-< zc7FZZ4jWj%yv=rQv7Is-Lu^c9V>=N1xU#_(Ihh?o?2yC`sfU-NGCPLYF^L_k`NfFT zaX@Cq5i>4P<0{-J^z5wqY2YmWD$c|4x0V+YgW6}5cLcns)N#~&8*{GI0me|SgzyKK zcV_b+q?6i5mVzH=do%D|5PVgn0y>Lxf~jm?OlIf!(K+?2O95+{HgRfr$!`&XRYyJC z#?8at*X%5unk+5hBWnD`rozk%xy)?t7XHpqp;OtEIE#xt0tEfFj|jC>BlQ5f2}`?x z$wf@AV)8a7H!#8ezh>uD3xd~#!hkS1=+EMBKo!4sJUDpmWHi2aiNS0WlD`>#ZFO7>rg=#cEc z5)oKc|GxGztNhxrvO9%T2-w6p(M+ge#}s1#jv#Vm&lM&U zdjt^7K5FC)>iowymW%TnIm{2GqkFD4a&V6Tg89dcoTEDbv5lV>FKoPp`G*lXjO8D~ z@(*Etcw;%olrNLbh-}_-xp1?AV7?Y3ht}nukjYj=w&Ly$IS0y8C8qZa&*nYMehiVv_FO*94g|BmVdOOGjhK+hc0{)CxhV21 zxkq4%IXlce){xvUlLLqxz%rr1KrkmXs+^y!4;t6<(&Nl z#jdSvx!WXnTd9tH5_=qz>)KIWJ3i2auQY&^=;k%odi}41>%p}ks8~5$E&B#Dd}pwl zl^l29fB(HBM}7R7@_jt@(bUtP)hQ#03$b1J?fD3*9om$~=iR?Q5W2*=zhbFNA>UVF H66k*dBQs-4 delta 1632 zcmZ`(O>7%Q6rS1j+PnVSwbyHV{S&*XiL!ALr<6dOHj<0L&4s8UiKt42<+9t*kl5AO 
z5eHnUphBaF1L@z{zcyIQaLB@zx{eXLOIO=2gsjkl)_H4$ z;Y(3ndmK$gIw>o(pMa4SYD5_fJ{S%}P3Z<&r`Wq4Ji4HF0LPH&Ha(_yp4;%Pa}+~Y z+f08CE7rx54`C@itaukIa0n~d!%B2m1~Q-0!wmJHlU-doCoq#}P(!Z1Tbp$os+~MyAdlxaTnVP@|vWQpk*L#P^?z z;b!b*B)~7M@_*wT_%q?=ec>X;K9F7S;ol(F7l(XC!oPsxi@=XAKQz4=?1HkGg?D2b z6vQxmD{3^urcI9n|A?Aue_DHE6i?Hj7J%R5F$JTVx;I{y)L>f5;s7Xe(zic9A!lLa z881ARz7BbbK*25Nl2v=FVzwNYD`W|Na9?#YN_7V&22zq5`{Z=Py{%?p)$_C4Neet( ze|-pRt^wTNb@nL;_>OSbcqnIb*a@Fzj=LOn2g%lCI5!*vZz>Kqhh=yu1twjz!=BYq z9oM-!zagzV=r>AN+pY<fGC zeA6UB`;ioNEl0VuWVHlqsdQzLq-n;0`?3*q*i|yba9QTk@TWW;k!{6DKg%3tjvb5) zz^lrcptG0qxspsX$ltZjc65jNyzY2|^$twq;%s;e22=+=$+DJb3y0sh`xj zEp={Nom&xiM0ay5aGh74V;#nsd!D%$prl>I1As@=DKAa5xGN^{vr3M+G3G>;=Sz!= zgeh#e2-}=I-N*(lR4$PT(8GOrvUwu>2n%_do@s`o&tl<48lG>yqCeu!9>6u62X!PT zSX+--s#(RWm1@m0$w`_aYMd^~ys^ju!EXTuIg^31X8k^+2` zJEguxL-yOQeno#2yFAADS9p@k-5PU(JVs!3ta>(xja@|DA3WklxADj>$1;P66K?A7 z>nkU3FE=jVu3Xo*Fs+WV>JY;ZF?{a-%pkmU>OlWaxQE^OCNq$jLjDKFLOHpQ7YK%*2adt_5L5y>7Ok`?eQM^%%bAE0? zX-R5Pd~j-VX;EfLWlTU(epYI72~dqLOi~vnsSA_L%1=tm%u7ivib+Y*E2#X%VUwGm uQks)$SHuZ)03#3=gM9jdnURt427~$qRP=zAzagqIrX{9<2?UGSfl2{4{aRB1 literal 0 HcmV?d00001 diff --git a/jobfinder/__pycache__/models.cpython-311.pyc b/jobfinder/__pycache__/models.cpython-311.pyc new file mode 100644 index 0000000000000000000000000000000000000000..062beca4b71b2d60b4a04ecc7e51aa276933cfde GIT binary patch literal 2594 zcmchY%}*Og6u@`wweiPdgBvHIX;Mm*3P*xQ)Cq1BasWe0QE5~NQjnFE?VX?{>s@Dd zoyJxo`4CkcI5?7}7}b$DRH;#@#4(5b5o^f@YcDXa}OomxzSjNHJVnoL?MsyNp zm2Ek^ax%t8#GpJAC73}Kd8k-^Z! zxe5u}4fK{BB)RQ)<$y$>+ilt1X>E;qTC<|_6-0jBE<$8QZrjyWis!@#?yd;jc28FZ z-v8+D`&a(QRp37{g6E?Z@S^t_v)n8C;A8ns?v6(2;udTAvsB6?XXRXn%kxw*Q*m&{}AHpfpy#UW*#u zD|PRchWAQwvKc(PM%VL|fl8=4usODIzIwith_TSMu&W}VylNQj;WTZ!D;b<4xsia zigPGFLvabkmmo}!tfrH?q$(!2NFM8^UnE+ZN?GfbZ$_m=T2bam-t=ZwO(&v|0n>!W}PohuEMBbCYOEdWa>S`S4Vp=fcg**8#fl)aTm zWvCk2oZ1+zj@CwML)#;7`1^WJMZ8H5v=d;Io kS>W1H0X&Vp!}sq$OrG|!kl<0VHncwc4&T2&X3{F*Z~GQLcK`qY literal 0 HcmV?d00001 
diff --git a/jobfinder/__pycache__/models.cpython-312.pyc b/jobfinder/__pycache__/models.cpython-312.pyc index 97a191344ebdad720d1fd679c938b1cb24a5f5a8..291a9f0414e2dc4a70bbecbcaf98986b9ebbd2ec 100644 GIT binary patch delta 459 zcmbO(JVAu-G%qg~0}#AeyC+?fWg_2Vrd^Dax3e@)He-A_`9F&xBgf?ZjH28;DV!|~ zQM{F0n%t8$nQWL|icC&o`o_pTIg(k0k#BMxv%8M~(3D#o1&PJQ<@rS^w^;HLb5n1z zrsgJQ=G@{-ODxMT$}CBZPtMQDFDeoNs$I!YBnqU8gh2!=j9>;biq}qNWa(GFAu2Z^ zXnN$t$QhM0iso0&tXv^9yLLnA6;ay;zt1d;teQolo2RpEWwPQ2>d|Dn#afbCl9PIi zJvl$OATh79NDyQcBal#l*a5P%ipMKINiROWD7By{K3;rs8@q-X$Q6E?LPcUgx=0*E zNPq~CONt~xgcOL71`#qKLKQ@)O@6}eF9$NRND)LJyrK-^f(X9JfgBfX!4e>@pC${~ z%v-F!`6;P65HEujqZ;sw!zMRBr8Fniu1J4!9H*EvC!=PEQNKl}#TN!3^NSc4qj`r? OzecCVR|X&xY%>5WM{p(p delta 403 zcmbOrGF_POG%qg~0}vea*pdEt}jnXLGLa+*xHSW7ZXa#C-xC+FuD zB<58X34pXP0tp3(Ss=r!c)aqH^y1@-QVWXWLIEVn* zSR?@=Bte7}h>!*m${<2zax90x9LUHbc@TkcvLc8JB6ugC;<&&DmQb9$fKws@EQ6~0 z7l%!5eoARhs$G#TPz%Vl#Tr2312ZEd<6Q>9FDx94njJ>{7M&Jf7=X+#B3z8-9ZLNg Mof=;mfK0Hx09_S5Z+DV549CM2@0Zuhbpz`MJOV~G-|DFwTXv@g{94IOSDbuCKW0O9(;$M zy(r=f=v#O!x%vW?dh+BZH6rNj?#wsew=)d$kVwP;x4Yfv#tV;cK@yqt4Tg&x^nd{N z0RgvwzG8e>G_Rb&3R;@EYo z;ZNw)_42fPHRE11Esti>>9ot^I;rgyljHs*#&)$uG4^8^w;a-G1~`uKMW@<~6irpi zs*dw&#h=wqj^rcdKrK{oR@UWRSyS<8Ip;6@67;gHt&F$qBSWae}m<2m=EHD-go~*F+s-Q4t2cvTk1f9}FzKRt$Vi{O9?X@mg(cJjSy* zk=KKft4WcOU0hU@u|;+AX1-nGX^Ca|MVTe3@yYo)`9%t0jzP{IjzJoeWBFIIl`!yc z<1g7PD3HNl@4&>)AnYrwE}2xCVVGoTY?5eTU}2JEo@QijY?)|jkz#IXYGG<_XlQ6; z0#pJ-4(YjxnK^pN`MCw9MFlyj9*pb^qQ3IFq9v)tCCSMK#;N8e=80yBX-P@RNof{I zspe*87KzDesY$7+rXfHz3ZccRMIglvsTGomxj-X8h9%{crg8y2%*6kJf&T;lkIjM# zcljpg+HAgQP{FCXD}BLgE-T>~RsBNGKfb1NfbD^o)~Q*#4LW7Eke{4D^Q Co@-M8 delta 268 zcmZozz}T>Wae}lUCj$cmD-go~+e95>QBDTEvTk1f9}FzKi41%z`Oot&<4xQwDDakN zvlXugBUfV;BfGe$C}VT@' diff --git a/jobfinder/static/styles.css b/jobfinder/static/styles.css index abd5d00..49838ea 100644 --- a/jobfinder/static/styles.css +++ b/jobfinder/static/styles.css 
@@ -365,4 +365,17 @@ textarea:focus { background-color: #dc2626; } +.forgot-password { + display: block; + text-align: right; + font-size: 0.9rem; + color: var(--primary); + text-decoration: none; + margin-top: 0.5rem; +} + +.forgot-password:hover { + color: var(--primary-dark); +} + diff --git a/jobfinder/templates/forgot_password.html b/jobfinder/templates/forgot_password.html new file mode 100644 index 0000000..9d19bf8 --- /dev/null +++ b/jobfinder/templates/forgot_password.html @@ -0,0 +1,40 @@ + + + + + + Forgot Password - JobFinder + + + + +
+
+
+

Forgot Password

+

Enter your username to reset your password

+
+ + {% with messages = get_flashed_messages() %} + {% if messages %} + {% for message in messages %} +
{{ message }}
+ {% endfor %} + {% endif %} + {% endwith %} + +
+
+ + +
+ +
+ + +
+
+ + diff --git a/jobfinder/templates/login.html b/jobfinder/templates/login.html index 794aa50..93849dc 100644 --- a/jobfinder/templates/login.html +++ b/jobfinder/templates/login.html @@ -34,6 +34,7 @@

JobFinder

+ Forgot Password?
diff --git a/jobfinder/templates/reset_password.html b/jobfinder/templates/reset_password.html new file mode 100644 index 0000000..fc06a94 --- /dev/null +++ b/jobfinder/templates/reset_password.html @@ -0,0 +1,36 @@ + + + + + + Reset Password - JobFinder + + + + +
+
+
+

Reset Password

+

Enter your new password

+
+ + {% with messages = get_flashed_messages() %} + {% if messages %} + {% for message in messages %} +
{{ message }}
+ {% endfor %} + {% endif %} + {% endwith %} + +
+
+ + +
+ +
+
+
+ + diff --git a/jobfinder/templates/security_question.html b/jobfinder/templates/security_question.html new file mode 100644 index 0000000..56b83d3 --- /dev/null +++ b/jobfinder/templates/security_question.html @@ -0,0 +1,42 @@ + + + + + + Security Question - JobFinder + + + + +
+
+
+

Security Question

+

What is your favorite color?

+
+ + {% with messages = get_flashed_messages() %} + {% if messages %} + {% for message in messages %} +
{{ message }}
+ {% endfor %} + {% endif %} + {% endwith %} + +
+
+ +
+ +
+
+
+ + diff --git a/jobfinder/templates/signup.html b/jobfinder/templates/signup.html index 5b2039d..bcca9f9 100644 --- a/jobfinder/templates/signup.html +++ b/jobfinder/templates/signup.html @@ -36,6 +36,18 @@
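Review bot: The recovery page poses a single fixed question, `What is your favorite color?`, whose answer space is a few dozen common words; if the server-side handler (in the app.py hunk of this patch, which is not legible here) accepts that answer as the only proof of identity, the reset is guessable. A fixed knowledge question should not be the sole factor for a password reset; issue a single-use, expiring token to the registered email address and rate-limit answer attempts per account. Add a template comment above the form, `{# Recovery answer is a weak secondary factor; reset must also require an emailed token #}`, so the intent is visible to whoever wires the handler.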

JobFinder

+
+ + +
+ From 0f68eca53a910a2b0e6032a5d71e33bdbebba3e6 Mon Sep 17 00:00:00 2001 From: brunotorrijo Date: Sun, 9 Mar 2025 13:26:15 +0100 Subject: [PATCH 4/4] fixed sql injection not working --- jobfinder/__pycache__/models.cpython-312.pyc | Bin 2576 -> 2576 bytes jobfinder/app.py | 11 +++++++---- .../__pycache__/config.cpython-312.pyc | Bin 514 -> 514 bytes jobfinder/instance/site.db | Bin 20480 -> 20480 bytes 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/jobfinder/__pycache__/models.cpython-312.pyc b/jobfinder/__pycache__/models.cpython-312.pyc index 291a9f0414e2dc4a70bbecbcaf98986b9ebbd2ec..cec89095b2adef11980cd18b9e614f96470a6cfe 100644 GIT binary patch delta 20 acmbOrGC_pWae_3X=tLQ3M$wH4OZd5%`PCTsxAB+ot8Eq(kl^?8VP0fu^rNL6Ek!4 zlJj#5N{b3|QYV+lPXJo+jDi0H{}29Wn*|ka@N;o8i!*{vXP*2)Uj!(9oPqxq{~P|} XKWae_3X$V3@uMv;vPOZYjM_)8f0xAB*37F5XKpIjn80Vwi;f&T;l51`0Z e{)qwnlRxN-00nO`@ZaKp0~9>RzxkHEng9Thrx@7)