From a108845ecfcf657874ca9004147374c4b9c9530c Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 06:46:30 +0800 Subject: [PATCH 1/4] Patched sqli/dao/student.py --- sqli/dao/student.py | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) diff --git a/sqli/dao/student.py b/sqli/dao/student.py index d41ef885..c99aad12 100644 --- a/sqli/dao/student.py +++ b/sqli/dao/student.py @@ -1,8 +1,6 @@ from typing import Optional, NamedTuple - from aiopg.connection import Connection - class Student(NamedTuple): id: int name: str @@ -14,23 +12,19 @@ def from_raw(cls, raw: tuple): @staticmethod async def get(conn: Connection, id_: int): async with conn.cursor() as cur: - await cur.execute( - 'SELECT id, name FROM students WHERE id = %s', - (id_,), - ) + await cur.execute('SELECT id, name FROM students WHERE id = %s', (id_,)) r = await cur.fetchone() return Student.from_raw(r) @staticmethod - async def get_many(conn: Connection, limit: Optional[int] = None, - offset: Optional[int] = None): + async def get_many(conn: Connection, limit: Optional[int] = None, offset: Optional[int] = None): q = 'SELECT id, name FROM students' params = {} if limit is not None: - q += ' LIMIT + %(limit)s ' + q += ' LIMIT %s' params['limit'] = limit if offset is not None: - q += ' OFFSET + %(offset)s ' + q += ' OFFSET %s' params['offset'] = offset async with conn.cursor() as cur: await cur.execute(q, params) @@ -39,9 +33,6 @@ async def get_many(conn: Connection, limit: Optional[int] = None, @staticmethod async def create(conn: Connection, name: str): - q = ("INSERT INTO students (name) " - "VALUES ('%(name)s')" % {'name': name}) + q = "INSERT INTO students (name) VALUES (%s)" async with conn.cursor() as cur: - await cur.execute(q) - - + await cur.execute(q, (name,)) From cf1db008f12bfb15327a0725ad5cacf64f1a7bfa Mon Sep 17 00:00:00 2001 
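Review bot: `get_many` now builds the query with positional `%s` placeholders but still hands `cur.execute` the dict `params`, so the paramstyle no longer matches — psycopg2 merges a mapping by name and a sequence by position — and any call with `limit` or `offset` set will raise instead of running. The replaced `%(limit)s`/`%(offset)s` form was already parameterized (only the stray `+` was odd), so either restore the named placeholders, `q += ' LIMIT %(limit)s'` and `q += ' OFFSET %(offset)s'`, or make `params` a list and `params.append(limit)` / `params.append(offset)`. The `create` hunk's `cur.execute(q, (name,))` is the correct shape and closes the string-formatted INSERT. `get_many`'s body continues past the hunk.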
From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 06:46:30 +0800 Subject: [PATCH 2/4] Patched sqli/dao/user.py --- sqli/dao/user.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/sqli/dao/user.py b/sqli/dao/user.py index c663ddc3..cafa66cb 100644 --- a/sqli/dao/user.py +++ b/sqli/dao/user.py @@ -1,9 +1,7 @@ -from hashlib import md5 +from hashlib import scrypt from typing import NamedTuple, Optional - from aiopg import Connection - class User(NamedTuple): id: int first_name: str @@ -38,4 +36,5 @@ async def get_by_username(conn: Connection, username: str): return User.from_raw(await cur.fetchone()) def check_password(self, password: str): - return self.pwd_hash == md5(password.encode('utf-8')).hexdigest() + salt = self.pwd_hash.split('$')[1] + return scrypt(password.encode('utf-8'), salt.encode('utf-8'), 8192).hexdigest() == self.pwd_hash.split('$')[2] From df0deed3a8158155f53d68b7067d735114ea61ba Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 06:46:30 +0800 Subject: [PATCH 3/4] Patched sqli/static/js/materialize.js --- sqli/static/js/materialize.js | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/sqli/static/js/materialize.js b/sqli/static/js/materialize.js index bbd91bea..ea7eaa92 100644 --- a/sqli/static/js/materialize.js +++ b/sqli/static/js/materialize.js 
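Review bot: The new `check_password` cannot execute: `hashlib.scrypt` takes `salt`, `n`, `r` and `p` as keyword-only arguments (`r` and `p` are required), and it returns `bytes`, which has no `.hexdigest()`, so every login attempt raises `TypeError`/`AttributeError`. The comparison should also go through `hmac.compare_digest` (needs `import hmac`) rather than `==`. The `$`-delimited layout of `pwd_hash` is assumed here but no hunk in this series writes a hash in that form — rows still holding bare MD5 hex would make `split('$')[1]` raise `IndexError` — so the writer side and a migration for existing users need to be confirmed, and a malformed record should fail closed. The parameters below keep the patch's `n=8192` cost factor with common `r=8, p=1`; whatever is chosen must match the code that stores hashes.
```python
    def check_password(self, password: str):
        """Compare *password* against the stored ``<prefix>$<salt>$<hex>`` scrypt record."""
        parts = self.pwd_hash.split('$')
        if len(parts) < 3:
            return False  # legacy MD5 or malformed record: never a match
        salt, expected = parts[1], parts[2]
        derived = scrypt(password.encode('utf-8'), salt=salt.encode('utf-8'),
                         n=8192, r=8, p=1, dklen=32).hex()
        return hmac.compare_digest(derived, expected)
```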
@@ -562,7 +562,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly }, addClass: function (e, t) { e.classList ? e.classList.add(t) : e.className += (e.className.length ? " " : "") + t; }, removeClass: function (e, t) { - e.classList ? e.classList.remove(t) : e.className = e.className.toString().replace(new RegExp("(^|\\s)" + t.split(" ").join("|") + "(\\s|$)", "gi"), " "); + e.classList ? e.classList.remove(t) : e.className = e.className.toString().replace(/(^|\s)/gims, " ").replace(new RegExp(t.split(" ").join("|"), "gi"), " "); } }, getPropertyValue: function (e, r, n, o) { function s(e, r) { function n() { 
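Review bot: The rewritten `removeClass` fallback drops the `(^|\s)…(\s|$)` anchoring, so removing `btn` now also strips the substring out of `btn-large` (leaving `-large`), and the new leading `.replace(/(^|\s)/gims, " ")` only prepends a space and normalises whitespace — it does not contribute to the removal. The names in `t` still reach `new RegExp` unescaped, so if the motivation was regex metacharacters or ReDoS from a caller-supplied class name, that is not addressed either. Splitting `className` on whitespace and filtering avoids constructing a regex at all. This is a third-party bundle, so the edit will be lost on the next materialize.js update unless it is carried as a build-time patch.
```javascript
removeClass: function (e, t) {
  if (e.classList) { e.classList.remove(t); return; }
  var drop = t.split(" ");
  e.className = e.className.toString().split(/\s+/).filter(function (c) {
    return c && drop.indexOf(c) === -1;
  }).join(" ");
}
```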
@@ -642,7 +642,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly }), b.CSS.setPropertyValue(u, "position", e.position), b.CSS.setPropertyValue(u, "fontSize", e.fontSize), b.CSS.setPropertyValue(u, "boxSizing", "content-box"), f.each(["minWidth", "maxWidth", "width", "minHeight", "maxHeight", "height"], function (e, t) { b.CSS.setPropertyValue(u, t, s + "%"); }), b.CSS.setPropertyValue(u, "paddingLeft", s + "em"), l.percentToPxWidth = L.lastPercentToPxWidth = (parseFloat(S.getPropertyValue(u, "width", null, !0)) || 1) / s, l.percentToPxHeight = L.lastPercentToPxHeight = (parseFloat(S.getPropertyValue(u, "height", null, !0)) || 1) / s, l.emToPx = L.lastEmToPx = (parseFloat(S.getPropertyValue(u, "paddingLeft")) || 1) / s, e.myParent.removeChild(u); - }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log("Unit ratios: " + JSON.stringify(l), o), l; + }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log(`Unit ratios: ${JSON.stringify(l)}`, o), l; }if (s.begin && 0 === V) try { s.begin.call(g, g); } catch (x) { 
@@ -696,7 +696,7 @@ jQuery.Velocity ? console.log("Velocity is already loaded. You may be needlessly q = M + q;break;case "-": q = M - q;break;case "*": q = M * q;break;case "/": - q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (" + z + "): " + JSON.stringify(l[z]), o); + q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log(`tweensContainer (${z}): ${JSON.stringify(l[z])}`, o); } else b.debug && console.log("Skipping [" + I + "] due to a lack of browser support."); }l.element = o; }l.element && (S.Values.addClass(o, "velocity-animating"), R.push(l), "" === s.queue && (i(o).tweensContainer = l, i(o).opts = s), i(o).isAnimating = !0, V === w - 1 ? (b.State.calls.push([R, g, s, null, k.resolver]), b.State.isTicking === !1 && (b.State.isTicking = !0, c())) : V++); @@ -3441,7 +3441,7 @@ if (jQuery) { // Insert as text; } else { - toast.innerHTML = this.message; + toast.textContent = this.message; } // Append toasft From 1ecc559c8aa63241b624a769762ed52bb6aff651 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Wed, 8 May 2024 06:46:31 +0800 Subject: [PATCH 4/4] Patched docker-compose.yml --- docker-compose.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 1b3e2a84..032a9b33 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
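Review bot: Rendering the toast body via `textContent` is the right default for an untrusted `this.message`, but the `innerHTML` branch was the only path that rendered a string as markup, so any caller that deliberately passed HTML will now see literal tags; call sites should be checked before relying on this, and the enclosing toast builder starts and ends outside the hunk. If markup is genuinely needed somewhere, prefer an explicit opt-in (e.g. a separate `html` option assigned through `toast.innerHTML` only when set) over reverting. The template-literal `console.log` rewrites in the @@ -642 and @@ -696 hunks are cosmetic and introduce ES2015 syntax into code that otherwise appears to be ES5-style.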
@@ -1,24 +1,25 @@ -version: '3.3' - services: postgres: build: context: . dockerfile: Dockerfile.db ports: - - 5432:5432 + - 54:54 redis: image: redis:alpine + security_opt: + - no-new-privileges=true + read_only: true sqli: build: context: . dockerfile: Dockerfile.app depends_on: - - postgres - - redis + - postgres + - redis ports: - - 8080:8080 - command: | - wait-for postgres:5432 -- python run.py + - 80:80 + command: | + wait-for postgres:54 -- python run.py
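Review bot: `- 54:54` and `- 80:80` change only the host:container publish mapping, not the port each service listens on, so unless Dockerfile.db and Dockerfile.app (not in this series) were also changed to listen on 54 and 80, nothing answers on those container ports and `wait-for postgres:54` blocks the app indefinitely. The hardening wanted here is to stop publishing Postgres to the host at all — `sqli` reaches it over the compose network by service name — and to bind the app's port to loopback or a deliberate interface instead of a bare port. `read_only: true` on `redis` is good but will break RDB/AOF writes to `/data` unless that path is a volume or tmpfs (depends on the image's defaults; confirm). The reindented `depends_on`/`command` lines cannot be checked for correct YAML nesting from this rendering.
```yaml
  postgres:
    # … unchanged: build …
    # no `ports:` entry: reachable only from services on the compose network
  redis:
    # … unchanged: image / security_opt / read_only …
    tmpfs:
      - /data
  sqli:
    # … unchanged: build / depends_on …
    ports:
      - "127.0.0.1:8080:8080"
    command: |
      wait-for postgres:5432 -- python run.py
```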