Merge pull request #34 from CompassSecurity/dev

fxai · web-flow · commit 851619ade0bd · 2025-08-15T10:14:00.000+02:00
Fixes after internal Pentest
diff --git a/blueprints/assessment_utils.py b/blueprints/assessment_utils.py
@@ -197,7 +197,7 @@ def assessmenthexagons(id):
                 cumulatedscore += testcase.testcasescore
                 count += 1
 
-        if count is not 0:
+        if count != 0:
             score = cumulatedscore / count
 
             if score == 100:
diff --git a/blueprints/testcase.py b/blueprints/testcase.py
diff --git a/blueprints/testcase_utils.py b/blueprints/testcase_utils.py
@@ -1,9 +1,9 @@
 import os
 import shutil
 from model import *
-from utils import user_assigned_assessment
+from utils import *
 from werkzeug.utils import secure_filename
-from flask import Blueprint, request, send_from_directory, jsonify
+from flask import Blueprint, request, send_from_directory, jsonify, make_response
 from flask_security import auth_required, roles_accepted, current_user
 
 blueprint_testcase_utils = Blueprint('blueprint_testcase_utils', __name__)
@@ -12,88 +12,117 @@
 @auth_required()
 @roles_accepted('Admin', 'Red')
 @user_assigned_assessment
-def testcasevisibility(id):
-    newcase = TestCase.objects(id=id).first()
-    newcase.visible = not newcase.visible
-    newcase.save()
-        
-    return jsonify(newcase.to_json()), 200
+def toggle_visibility_flag(id):
+    testcase = get_testcase_by_id(id)
+    if not testcase:
+        return "Test case not found", 404
+
+    testcase.visible = not testcase.visible
+    testcase.save()
+    return jsonify(testcase.to_json()), 200
+
 
 @blueprint_testcase_utils.route('/testcase/<id>/clone', methods = ['POST'])
 @auth_required()
 @roles_accepted('Admin', 'Red')
 @user_assigned_assessment
-def testcaseclone(id):
-    orig = TestCase.objects(id=id).first()
-    newcase = TestCase()
-    copy = ["name", "assessmentid", "objective", "requirements", "actions", "rednotes", "mitreid", "tactic", "tools", "tags", "expectedprevention", "expectedalertcreation", "expectedincidentcreation", "expectedseverity" , "priorityurgency"]
-    for field in copy:
-        newcase[field] = orig[field]
-    newcase.name = orig["name"] + " (Copy)"
-    newcase.save()
+def clone_testcase(id):
+    orig = get_testcase_by_id(id)
+    if not orig:
+        return "Test case not found", 404
 
+    fields_to_copy = [
+        "name", "assessmentid", "objective", "requirements", "actions", "rednotes",
+        "mitreid", "tactic", "tools", "tags", "expectedprevention",
+        "expectedalertcreation", "expectedincidentcreation", "expectedseverity", "priorityurgency"
+    ]
+    newcase = TestCase(**{field: orig[field] for field in fields_to_copy})
+    newcase.name = f"{orig['name']} (Copy)"
+    newcase.save()
     return jsonify(newcase.to_json()), 200
 
+
 @blueprint_testcase_utils.route('/testcase/<id>/toggle-delete', methods = ['POST'])
 @auth_required()
 @roles_accepted('Admin', 'Red')
 @user_assigned_assessment
-def testcasedeleted(id):
-    newcase = TestCase.objects(id=id).first()
-    newcase.deleted = not newcase.deleted
-    newcase.save()
-        
+def toggle_delete_flag(id):
+    testcase = get_testcase_by_id(id)
+    if not testcase:
+        return "Test case not found", 404
+
+    testcase.deleted = not testcase.deleted
+    testcase.save()
     return "", 200
 
+
 @blueprint_testcase_utils.route('/testcase/<id>/delete', methods = ['POST'])
 @auth_required()
 @roles_accepted('Admin')
 @user_assigned_assessment
-def testcasedelete(id):
-    testcase = TestCase.objects(id=id).first()
+def delete_testcase(id):
+    testcase = get_testcase_by_id(id)
+    if not testcase:
+        return "Test case not found", 404
+
     assessment = Assessment.objects(id=testcase.assessmentid).first()
     if os.path.exists(f"files/{str(assessment.id)}/{str(testcase.id)}"):
         shutil.rmtree(f"files/{str(assessment.id)}/{str(testcase.id)}")
     testcase.delete()
 
-    return "", 200
+    return "Test case deleted", 200
+
 
 @blueprint_testcase_utils.route('/testcase/<id>/evidence/<colour>/<file>', methods = ['DELETE'])
 @auth_required()
 @roles_accepted('Admin', 'Red', 'Blue')
 @user_assigned_assessment
-def deletefile(id, colour, file):
-    if colour not in ["red", "blue"]:
-        return 401
+def delete_file(id, colour, file):
+    VALID_COLOURS = {'red', 'blue'}
+
+    if colour not in VALID_COLOURS:
+        return "Invalid colour", 400
     if colour == "red" and current_user.has_role("Blue"):
-        return 403
+        return "Invalid colour", 400
     
-    testcase = TestCase.objects(id=id).first()
-    # Sanity check to prevent death if the image has already been removed
-    path = f"files/{testcase.assessmentid}/{testcase.id}/{secure_filename(file)}"
-    if os.path.isfile(path):
-        os.remove(path)
-
-    files = []
-    for f in testcase["redfiles" if colour == "red" else "bluefiles"]:
-        if f.name != file:
-            files.append(f)
-            
-    if colour == "red":
-        testcase.update(set__redfiles=files)
-    else:
-        testcase.update(set__bluefiles=files)
-
-    return '', 204
-
-@blueprint_testcase_utils.route('/testcase/<id>/evidence/<file>', methods = ['GET'])
+    testcase = get_testcase_by_id(id)
+    if not testcase:
+        return "Test case not found", 404
+
+    filepath = f"files/{testcase.assessmentid}/{testcase.id}/{secure_filename(file)}"
+    if os.path.isfile(filepath):
+        os.remove(filepath)
+
+    filelist = testcase.redfiles if colour == "red" else testcase.bluefiles
+    updated_files = [f for f in filelist if f.name != file]
+
+    update_field = 'redfiles' if colour == "red" else 'bluefiles'
+    testcase.update(**{f"set__{update_field}": updated_files})
+
+    return "", 204
+
+
+@blueprint_testcase_utils.route('/testcase/<id>/evidence/<file>', methods=['GET'])
 @auth_required()
 @user_assigned_assessment
-def fetchFile(id, file):
-    testcase = TestCase.objects(id=id).first()
-    
-    return send_from_directory(
-        'files',
-        f"{testcase.assessmentid}/{str(testcase.id)}/{secure_filename(file)}",
-        as_attachment = True if "download" in request.args else False
-    )
+def fetch_file(id, file):
+    ALLOWED_INLINE_EXTENSIONS = {'.png', '.jpg', '.jpeg'}
+
+    testcase = get_testcase_by_id(id)
+    if not testcase:
+        return "Test case not found", 404
+
+    filename = secure_filename(file)
+    folder_path = os.path.join('files', str(testcase.assessmentid), str(testcase.id))
+    file_path = os.path.join(folder_path, filename)
+
+    if not os.path.isfile(file_path):
+        return "File not found", 404
+
+    _, ext = os.path.splitext(filename)
+    ext = ext.lower()
+    as_attachment = not (ext in ALLOWED_INLINE_EXTENSIONS and "download" not in request.args)
+
+    response = make_response(send_from_directory(folder_path, filename, as_attachment=as_attachment))
+    response.headers["X-Content-Type-Options"] = "nosniff"
+    return response
diff --git a/flask.cfg b/flask.cfg
@@ -25,6 +25,8 @@ SECURITY_TWO_FACTOR_SETUP_TEMPLATE = "mfa_register.html"
 SECURITY_TWO_FACTOR_VERIFY_CODE_TEMPLATE = "mfa_verify.html"
 SECURITY_TWO_FACTOR_ALWAYS_VALIDATE = False
 SECURITY_TWO_FACTOR_LOGIN_VALIDITY = "1 weeks"
+SECURITY_TWO_FACTOR_RESCUE_EMAIL = False
+
 SECURITY_TOTP_ISSUER = f"PurpleOps - {getenv('NAME')}"
 SECURITY_TOTP_SECRETS = {"1": getenv("FLASK_SECURITY_TOTP_SECRETS")}
 SECURITY_CHANGEABLE = True
@@ -36,7 +38,6 @@ SECURITY_SEND_PASSWORD_CHANGE_EMAIL = False
 SECURITY_SEND_PASSWORD_RESET_EMAIL = False
 SECURITY_SEND_PASSWORD_RESET_NOTICE_EMAIL = False
 SECURITY_PASSWORD_LENGTH_MIN = 12
-SECURITY_TWO_FACTOR_RESCUE_EMAIL = False
 SECURITY_EMAIL_VALIDATOR_ARGS = {"check_deliverability": False}
 
 SECURITY_MSG_INVALID_PASSWORD = ('Invalid username or password.', 'error')
@@ -49,4 +50,7 @@ REMEMBER_COOKIE_SECURE = True
 REMEMBER_COOKIE_SAMESITE = "Strict"
 
 WTF_CSRF_TIME_LIMIT = None
-WTF_CSRF_SSL_STRICT = False
+WTF_CSRF_SSL_STRICT = False
+
+SESSION_TYPE = 'Mongodb'
+SESSION_PERMANENT = False
diff --git a/purpleops.py b/purpleops.py
@@ -1,10 +1,11 @@
 import os
 from model import *
 from dotenv import load_dotenv
-from flask import Flask, render_template, redirect, request
+from flask import Flask, render_template, redirect, request, session
 from flask_security import Security, auth_required, current_user
-
+from flask_session import Session
 from flask_wtf.csrf import CSRFProtect
+from flask_login import user_logged_in
 
 from blueprints import access, assessment, assessment_utils, assessment_import, assessment_export, testcase, testcase_utils
 
@@ -27,8 +28,13 @@
 
 me.connect(**app.config["MONGODB_SETTINGS"])
 
+# Get the MongoClient instance and assign it to SESSION_MONGODB which is used by Security
+mongo_client = me.get_connection()
+app.config['SESSION_MONGODB'] = mongo_client
+
 security = Security(app, user_datastore)
 csrf = CSRFProtect(app)
+session_interface = Session(app)
 
 @app.route('/')
 @app.route('/index')
@@ -48,5 +54,10 @@ def inject_theme():
         theme = 'light'
     return dict(theme=theme)
 
+# Session Fixation Prevention Logic
+@user_logged_in.connect_via(app)
+def on_user_logged_in(sender, user, **extra):
+    app.session_interface.regenerate(session)
+
 if __name__ == "__main__":
     app.run(host=os.getenv('HOST'), port=int(os.getenv('PORT')))
diff --git a/requirements.txt b/requirements.txt
@@ -3,6 +3,7 @@ argon2-cffi-bindings==21.2.0
 babel==2.17.0
 bleach==6.2.0
 blinker==1.9.0
+cachelib==0.13.0
 certifi==2025.7.14
 cffi==1.17.1
 charset-normalizer==3.4.2
@@ -17,6 +18,7 @@ Flask==3.1.1
 Flask-Login==0.6.3
 Flask-Principal==0.4.0
 Flask-Security-Too==5.6.2
+Flask-Session==0.8.0
 Flask-WTF==1.2.2
 gitdb==4.0.12
 GitPython==3.1.44
@@ -30,6 +32,7 @@ lxml==6.0.0
 Markdown==3.8.2
 MarkupSafe==3.0.2
 mongoengine==0.29.1
+msgspec==0.19.0
 openpyxl==3.1.5
 packaging==25.0
 passlib==1.7.4
diff --git a/static/scripts/access.js b/static/scripts/access.js
@@ -76,13 +76,14 @@ $("#userDetailForm").submit(function(e) {
 				body.assessments = "-";
 			}
 
+			const safeAssessmentNames = $("<span>").text(body.assessments).html();
 			newRow = {
 				id: body.id,
 				username: body.username,
 				email: body.email,
 				roles: body.roles.length ? body.roles.join(", ") : "-",
 				"last-login": body["last-login"] || "-", // Support dash notation
-				assessments: body.assessments,
+				assessments: safeAssessmentNames,
 				actions: body.username
 			};
 
diff --git a/static/scripts/testcase.js b/static/scripts/testcase.js
@@ -229,7 +229,6 @@ $("#ttpform").submit(function(e) {
             showToast(`Conflict (409): ${error.responseText}`, "error");
         } else {
             showToast(`Testcase save error - ${error.message}`, "error");
-            console.error(error);
         }
     });
 });
diff --git a/utils.py b/utils.py
@@ -2,6 +2,7 @@
 from model import TestCase
 from flask_security import current_user
 from functools import wraps
+from mongoengine.errors import ValidationError
 
 def applyFormData (obj, form, fields):
     for field in fields:
@@ -32,18 +33,68 @@ def applyFormTimeData (obj, form, fields):
                 obj[field] = None
     return obj
 
+def get_testcase_by_id(id):
+    try:
+        return TestCase.objects(id=id).first()
+    except ValidationError:
+        return None
+
+def format_time_difference(d1, d2):
+
+    if not d1 or not d2:
+        return None
+
+    if d2 > d1:
+        return None
+
+    delta = abs(d1-d2)
+
+    days = delta.days
+    hours, remainder = divmod(delta.seconds, 3600)
+    minutes, _ = divmod(remainder, 60)
+
+    parts = []
+    if days > 0:
+        parts.append(f"{days}d")
+    if hours > 0 or days > 0:
+        parts.append(f"{hours}h")
+    parts.append(f"{minutes}m")
+
+    return  " ".join(parts)
+
+def calculate_severity_score(severity, expected_severity):
+    severity_levels = {
+        "Critical": ["Critical"],
+        "High": ["Critical", "High"],
+        "Medium": ["Critical", "High", "Medium"],
+        "Low": ["Critical", "High", "Medium", "Low"],
+        "Informational": ["Critical", "High", "Medium", "Low", "Informational"]
+    }
+    if severity and expected_severity:
+        accepted_severity_list = severity_levels.get(expected_severity, [])
+        return 100 if severity in accepted_severity_list else 0
+    return None
+
 def user_assigned_assessment(f):
     @wraps(f)
     def inner(*args, **kwargs):
         if current_user.has_role("Admin"):
             return f(*args, **kwargs)
-        id = kwargs.get("id")
+
+        id = kwargs.get("id") or (args[0] if args else None)
         if not id:
-            id = args[0]
-        if TestCase.objects(id=id).count():
-            id = TestCase.objects(id=id).first().assessmentid
-        if (id in [str(a.id) for a in current_user.assessments]):
+            return ("Missing ID", 400)
+
+        testcase = get_testcase_by_id(id)
+        if testcase:
+            assessment_id = str(testcase.assessmentid)
+        else:
+            assessment_id = id  # fallback to assuming it's already an assessment ID
+
+        if assessment_id in [str(a.id) for a in current_user.assessments]:
             return f(*args, **kwargs)
         else:
+            current_app.logger.warning(f"Access denied for user {current_user.id} on assessment {assessment_id}")
             return ("", 403)
+
     return inner

Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,6 @@ $("#ttpform").submit(function(e) {`
`229`	`229`	showToast(`Conflict (409): ${error.responseText}`, "error");
`230`	`230`	`} else {`
`231`	`231`	showToast(`Testcase save error - ${error.message}`, "error");
`232`		`- console.error(error);`
`233`	`232`	`}`
`234`	`233`	`});`
`235`	`234`	`});`