Merge branch 'develop' into 'master'

Update to 3.5.1 from upstream See merge request hackademint/ctfd!10
HackademINT · Apr 21, 2023 · d392a27 · d392a27
2 parents a42a663 + 5b7a3b0
commit d392a27
Show file tree

Hide file tree

Showing 69 changed files with 1,283 additions and 451 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,6 @@
+# Reports
+reports/*
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -1,6 +1,8 @@
 stages:
-  - linting
+  - dependencies
+  - lint
   - test
+  - sast
   - containerize
 
 variables:
@@ -10,94 +12,217 @@ variables:
   AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
   AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
   MYSQL_ROOT_PASSWORD: password
+  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+  YARN_CACHE_FOLDER: "$CI_PROJECT_DIR/.cache/yarn"
+  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, populate.py"
 
-dockerfile:
-  stage: linting
+include:
+- template: Security/SAST.gitlab-ci.yml
+
+python dependencies:
+  stage: dependencies
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  script:
+    - pip install virtualenv
+    - virtualenv venv
+    - source venv/bin/activate
+    - python -m pip install --upgrade pip
+    - python -m pip install -r development.txt
+  artifacts:
+    name: Python virtual environment
+    paths:
+      - venv
+    expire_in: 24 hours
+  cache:
+    - key: pip-cache
+      paths:
+        - "$PIP_CACHE_DIR"
+    - key: yarn-cache
+      paths:
+        - "$YARN_CACHE_FOLDER"
+
+node dependencies:
+  stage: dependencies
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  script:
+    - yarn install --non-interactive
+  artifacts:
+    name: Node modules
+    paths:
+      - node_modules
+    expire_in: 24 hours
+
+lint dockerfile:
+  stage: lint
   image: hadolint/hadolint:latest-debian
+  needs: []
   script:
     - mkdir -p reports
     - hadolint -f gitlab_codeclimate Dockerfile > reports/hadolint-$(md5sum Dockerfile | cut -d" " -f1).json
-  artifacts:
-    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
-    reports:
-      codequality:
-        - "reports/*"
-    paths:
-      - "reports/*"
 
-docker-compose:
-  stage: linting
+lint docker-compose:
+  stage: lint
   image: python:3.9.13-bullseye
+  needs: []
   script:
     - python -m pip install docker-compose==1.26.0
     - docker-compose -f docker-compose.yml config
 
-postgres:
+flake8:
+  stage: lint
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - python dependencies
+  needs:
+    - python dependencies
+  script:
+    - source venv/bin/activate
+    - flake8 --ignore=E402,E501,E712,W503,E203 --exclude=CTFd/uploads CTFd/ migrations/ tests/
+
+black:
+  stage: lint
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - python dependencies
+  needs:
+    - python dependencies
+  script:
+    - source venv/bin/activate
+    - black --check --diff --exclude=CTFd/uploads --exclude=node_modules .
+
+yarn lint:
+  stage: lint
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - node dependencies
+  needs:
+    - node dependencies
+  script:
+    - yarn lint
+
+prettier:
+  stage: lint
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - node dependencies
+  needs:
+    - node dependencies
+  script:
+    - yarn global add [email protected]
+    - prettier --check 'CTFd/themes/**/assets/**/*'
+    - prettier --check '**/*.md'
+
+.pytest:
   stage: test
   image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - python dependencies
+  needs:
+    - python dependencies
+    - node dependencies
+    - flake8
+    - black
+  script:
+    - source venv/bin/activate
+    - rm -f /etc/boto.cfg
+    - |
+      pytest -rf --cov=CTFd --cov-context=test --cov-report=xml:reports/coverage/${DB_DRIVER}pytest.xml \
+        --junitxml=reports/tests/pytest.xml \
+        --ignore-glob="**/node_modules/" \
+        --ignore=node_modules/ \
+        -W ignore::sqlalchemy.exc.SADeprecationWarning \
+        -W ignore::sqlalchemy.exc.SAWarning \
+        -n auto
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: "reports/coverage/*.xml"
+      junit: "reports/tests/*.xml"
+
+postgres:
+  extends: .pytest
   timeout: 24 hours
   services:
-    - postgres:latest
     - redis:latest
+    - postgres:latest
   variables:
     TESTING_DATABASE_URL: postgres://postgres:password@postgres:5432/ctfd
-  script:
-    - python -m pip install --upgrade pip
-    - python -m pip install -r development.txt
-    - yarn install --non-interactive
-    - rm -f /etc/boto.cfg
-    - make test
-  artifacts:
-    paths:
-      - coverage.xml
+    DB_DRIVER: "postgres"
   when: manual
 
 mysql:
-  stage: test
-  image: nikolaik/python-nodejs:python3.9-nodejs18
+  extends: .pytest
   timeout: 24 hours
   services:
     - mysql:5.7
     - redis:latest
   variables:
     TESTING_DATABASE_URL: mysql+pymysql://root:password@mysql:3306/ctfd
-  script:
-    - python -m pip install --upgrade pip
-    - python -m pip install -r development.txt
-    - yarn install --non-interactive
-    - rm -f /etc/boto.cfg
-    - make test
-  artifacts:
-    paths:
-      - coverage.xml
+    DB_DRIVER: "mysql"
   when: manual
 
 sqlite:
-  stage: test
-  image: nikolaik/python-nodejs:python3.9-nodejs18
+  extends: .pytest
+  timeout: 15 minutes
+  services:
+    - mysql:5.7
+    - redis:latest
   variables:
     TESTING_DATABASE_URL: 'sqlite://'
+    DB_DRIVER: "sqlite"
+
+bandit:
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - python dependencies
+  needs:
+    - python dependencies
+    - flake8
+    - black
   script:
-    - python -m pip install --upgrade pip
-    - python -m pip install -r development.txt
-    - yarn install --non-interactive
-    - yarn global add [email protected]
-    - rm -f /etc/boto.cfg
-    - make test
-  artifacts:
-    paths:
-      - coverage.xml
+    - source venv/bin/activate
+    - bandit -r CTFd -x CTFd/uploads --skip B105,B322
+
+yarn verify:
+  image: nikolaik/python-nodejs:python3.9-nodejs18
+  dependencies:
+    - node dependencies
+  needs:
+    - node dependencies
+    - yarn lint
+    - prettier
+  script:
+    - yarn verify
+
+sast:
+  dependencies:
+    - python dependencies
+    - node dependencies
+  needs:
+    - python dependencies
+    - node dependencies
 
 containerize:
   stage: containerize
   image:
     name: gcr.io/kaniko-project/executor:debug
     entrypoint: [""]
+  needs:
+    - sqlite
+    - lint dockerfile
+    - bandit
+    - yarn verify
   script:
+    - |
+      if [[ "${CI_COMMIT_BRANCH}" != "${CI_DEFAULT_BRANCH}" ]];
+      then
+        SUFFIX="/${CI_COMMIT_REF_SLUG}"
+      fi
     - mkdir -p /kaniko/.docker
     - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"auth\":\"$(printf "%s:%s" "${CI_REGISTRY_USER}" "${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')\"}}}" > /kaniko/.docker/config.json
     - >-
       /kaniko/executor
       --context "${CI_PROJECT_DIR}"
       --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
-      --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}"
+      --destination "${CI_REGISTRY_IMAGE}${SUFFIX}:${CI_COMMIT_TAG}"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,79 @@
+# 3.5.1 / 2023-01-23
+
+**General**
+
+- The public scoreboard page is no longer shown to users if account visibility is disabled
+- Teams created by admins using the normal team creation flow are now hidden by default
+- Redirect users to the team creation page if they access a certain pages before the CTF starts
+- Added a notice on the Challenges page to remind Admins if they are in Admins Only mode
+- Fixed an issue where users couldn't login to their team even though they were already on the team
+- Fixed an issue with scoreboard tie breaking when an award results in a tie
+- Fixed the order of solves, fails, and awards to always be in chronological ordering (latest first).
+- Fixed an issue where certain custom fields could not be submitted
+
+**Admin Panel**
+
+- Improved the rendering of Admin Panel tables on mobile devices
+- Clarified the behavior of Score Visibility with respect to Account Visibility in the Admin Panel help text
+- Added user id and user email fields to the user mode scoreboard CSV export
+- Add CSV export for `teams+members+fields` which is teams with Custom Field entries and their team members with Custom Field entries
+- The import process will now catch all exceptions in the import process to report them in the Admin Panel
+- Fixed issue where `field_entries` could not be imported under MariaDB
+- Fixed issue where `config` entries sometimes would be recreated for some reason causing an import to fail
+- Fixed issue with Firefox caching checkboxes by adding `autocomplete='off'` to Admin Panel pages
+- Fixed issue where Next selection for a challenge wouldn't always load in Admin Panel
+
+**API**
+
+- Improve response time of `/api/v1/challenges` and `/api/v1/challenges/[challenge_id]/solves` by caching the solve count data for users and challenges
+- Add `HEAD /api/v1/notifications` to get a count of notifications that have happened.
+  - This also includes a `since_id` parameter to allow for a notification cursor.
+  - Unread notification count can now be tracked by themes that track which notifications a user has read
+- Add `since_id` to `GET /api/v1/notifications` to get Notifications that have happened since a specific ID
+
+**Deployment**
+
+- Imports have been disabled when running with a SQLite database backend
+  - See https://github.com/CTFd/CTFd/issues/2131
+- Added `/healthcheck` endpoint to check if CTFd is ready
+- There are now ARM Docker images for OSS CTFd
+- Bump dependencies for passlib, bcrypt, requests, gunicorn, gevent, python-geoacumen-city, cmarkgfm
+- Properly load `SAFE_MODE` config from environment variable
+- The `AWS_S3_REGION` config has been added to allow specifying an S3 region. The default is `us-east-1`
+- Add individual DATABASE config keys as an alternative to `DATABASE_URL`
+  - `DATABASE_PROTOCOL`: SQLAlchemy DB protocol (+ driver, optionally)
+  - `DATABASE_USER`: Username to access DB server with
+  - `DATABASE_PASSWORD`: Password to access DB server with
+  - `DATABASE_HOST`: Hostname of the DB server to access
+  - `DATABASE_PORT`: Port of the DB server to access
+  - `DATABASE_NAME`: Name of the database to use
+- Add individual REDIS config keys as an alternative to `REDIS_URL`
+  - `REDIS_PROTOCOL`: Protocol to access Redis server with (either redis or rediss)
+  - `REDIS_USER`: Username to access Redis server with
+  - `REDIS_PASSWORD`: Password to access Redis server with
+  - `REDIS_HOST`: Hostname of the Redis server to access
+  - `REDIS_PORT`: Port of the Redis server to access
+  - `REDIS_DB`: Numeric ID of the database to access
+
+**Plugins**
+
+- Adds support for `config.json` to have multiple paths to add to the Plugins dropdown in the Admin Panel
+- Plugins and their migrations now have access to the `get_all_tables` and `get_columns_for_table` functions
+- Email sending functions have now been seperated into classes that can be customized via plugins.
+  - Add `CTFd.utils.email.providers.EmailProvider`
+  - Add `CTFd.utils.email.providers.mailgun.MailgunEmailProvider`
+  - Add `CTFd.utils.email.providers.smtp.SMTPEmailProvider`
+  - Deprecate `CTFd.utils.email.mailgun.sendmail`
+  - Deprecate `CTFd.utils.email.smtp.sendmail`
+
+**Themes**
+
+- The beta interface `Assets.manifest_css` has been removed
+- `event-source-polyfill` is now pinned to 1.0.19.
+  - See https://github.com/CTFd/CTFd/issues/2159
+  - Note that we will not be using this polyfill starting with the `core-beta` theme.
+- Add autofocus to text fields on authentication pages
+
 # 3.5.0 / 2022-05-09
 
 **General**

diff --git a/CTFd/__init__.py b/CTFd/__init__.py
@@ -29,7 +29,7 @@
 from CTFd.utils.sessions import CachingSessionInterface
 from CTFd.utils.updates import update_check
 
-__version__ = "3.5.0"
+__version__ = "3.5.1"
 __channel__ = "oss"
 
 

diff --git a/CTFd/admin/__init__.py b/CTFd/admin/__init__.py
@@ -26,7 +26,13 @@
 from CTFd.admin import submissions  # noqa: F401
 from CTFd.admin import teams  # noqa: F401
 from CTFd.admin import users  # noqa: F401
-from CTFd.cache import cache, clear_config, clear_pages, clear_standings
+from CTFd.cache import (
+    cache,
+    clear_challenges,
+    clear_config,
+    clear_pages,
+    clear_standings,
+)
 from CTFd.models import (
     Awards,
     Challenges,
@@ -238,6 +244,7 @@ def reset():
 
         clear_pages()
         clear_standings()
+        clear_challenges()
         clear_config()
 
         if logout is True: