Merge pull request #14 from DataDog/aless-fix-images

Updated python build to bullseye & disabled authentication on submission endpoint.

Author: kepicorp

CTFd/auth.py

@@ -203,6 +203,14 @@ def register():
         email_address = request.form.get("email", "").strip().lower()
         password = request.form.get("password", "").strip()
         auto_register_team = request.form.get("auto_register_team", default=False)
+        # Coerce potential string form values to a real boolean
+        if isinstance(auto_register_team, str):
+            auto_register_team = auto_register_team.strip().lower() in (
+                "1",
+                "true",
+                "on",
+                "yes",
+            )
 
         website = request.form.get("website")
         affiliation = request.form.get("affiliation")

CTFd/plugins/datadog_logs/__init__.py

@@ -41,7 +41,7 @@ def wrapper(*args, **kwargs):
 
             message = (
                 f"source=ctfd, event={ctfd_config.ctf_name()},type=hint,success={result.json['success']},"
-                f"challenge={challenge.name},category='{challenge.category}',team={team.name},"
+                f"challenge={challenge.name},category='{challenge.category}',team={(team.name if team else 'N/A')},"
                 f"user={user.name},points={hint.cost * -1},"
                 f"msg=Player {user.name} just traded {hint.cost} points for a hint on challenge {challenge.name}"
             )
@@ -72,8 +72,8 @@ def wrapper(*args, **kwargs):
             if result.json["data"]["status"] == "incorrect":
                 message = (
                     f"source=ctfd, event={ctfd_config.ctf_name()},type=challenge,status=incorrect,"
-                    f"challenge='{challenge.name}',category={challenge.category},team={team.name},"
-                    f"user={user.name},points=0,msg='Team {team.name} provided an incorrect answer "
+                    f"challenge='{challenge.name}',category={challenge.category},team={(team.name if team else 'N/A')},"
+                    f"user={user.name},points=0,msg='Team {(team.name if team else 'N/A')} provided an incorrect answer "
                     f"for challenge {challenge.name}'"
                 )
                 log("submissions", message)
@@ -85,9 +85,9 @@ def wrapper(*args, **kwargs):
 
                 message = (
                     f"source=ctfd, event={ctfd_config.ctf_name()},type=challenge,status=correct,"
-                    f"challenge='{challenge.name}',category={challenge.category},team={team.name},"
+                    f"challenge='{challenge.name}',category={challenge.category},team={(team.name if team else 'N/A')},"
                     f"user={user.name},points={challenge.value},"
-                    f"msg='Team {team.name} is the {num_solves} to solve challenge {challenge.name}'"
+                    f"msg='Team {(team.name if team else 'N/A')} is the {num_solves} to solve challenge {challenge.name}'"
                 )
                 log("submissions", message)
 

CTFd/teams.py

@@ -158,6 +158,8 @@ def join():
 
         if team and verify_password(passphrase, team.password):
             team_size_limit = get_config("team_size", default=0)
+            # Refresh team object to ensure members are up-to-date
+            db.session.refresh(team)
             if team_size_limit and len(team.members) >= team_size_limit:
                 errors.append(
                     "{name} has already reached the team size limit of {limit}".format(

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-slim-buster as build
+FROM python:3.9-slim-bullseye as build
 
 WORKDIR /opt/CTFd
 
@@ -9,6 +9,9 @@ RUN apt-get update \
         libffi-dev \
         libssl-dev \
         git \
+        pkg-config \
+        libev-dev \
+        python3-dev \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
     && python -m venv /opt/venv
@@ -25,14 +28,15 @@ RUN pip install --no-cache-dir -r requirements.txt \
     done;
 
 
-FROM python:3.9-slim-buster as release
+FROM python:3.9-slim-bullseye as release
 WORKDIR /opt/CTFd
 
 # hadolint ignore=DL3008
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
-        libffi6 \
+        libffi7 \
         libssl1.1 \
+        libev4 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 

development.txt

@@ -6,6 +6,7 @@ coverage==7.2.3
 psycopg2-binary==2.9.6
 moto==4.1.11
 bandit==1.6.2
+pbr==5.11.1
 flask_profiler==1.8.1
 pytest-xdist==3.2.1
 pytest-cov==4.0.0

requirements.txt

@@ -75,9 +75,9 @@ flask-sqlalchemy==2.5.1
     #   flask-migrate
 freezegun==1.2.2
     # via -r requirements.in
-gevent==23.9.1
+gevent==24.11.1
     # via -r requirements.in
-greenlet==2.0.1
+greenlet==3.1.1
     # via
     #   gevent
     #   sqlalchemy

tests/teams/test_teams.py

@@ -44,11 +44,11 @@ def test_accessing_hidden_teams():
             user.team_id = team.id
             app.db.session.commit()
 
-            assert client.get("/teams/1").status_code == 404
-            assert client.get("/api/v1/teams/1").status_code == 404
-            assert client.get("/api/v1/teams/1/solves").status_code == 404
-            assert client.get("/api/v1/teams/1/fails").status_code == 404
-            assert client.get("/api/v1/teams/1/awards").status_code == 404
+            assert client.get(f"/teams/{team.id}").status_code == 404
+            assert client.get(f"/api/v1/teams/{team.id}").status_code == 404
+            assert client.get(f"/api/v1/teams/{team.id}/solves").status_code == 404
+            assert client.get(f"/api/v1/teams/{team.id}/fails").status_code == 404
+            assert client.get(f"/api/v1/teams/{team.id}/awards").status_code == 404
     destroy_ctfd(app)
 
 
@@ -96,9 +96,13 @@ def test_hidden_teams_visibility():
             # Team should re-appear after disabling hiding
             # Use an API call to cause a cache clear
             with login_as_user(app, name="admin") as admin:
-                r = admin.patch("/api/v1/teams/1", json={"hidden": False})
+                r = admin.patch(f"/api/v1/teams/{team_id}", json={"hidden": False})
                 assert r.status_code == 200
 
+            # Re-fetch team from the database to avoid detached instance issues
+            team = Teams.query.filter_by(id=team_id).first()
+            assert team.hidden is False  # Verify the team is actually unhidden
+
             r = client.get("/teams")
             response = r.get_data(as_text=True)
             assert team_name in response
@@ -148,8 +152,10 @@ def test_teams_id_get():
         team.members.append(user)
         user.team_id = team.id
         app.db.session.commit()
+        # Capture the team id now and avoid accessing ORM instances later
+        team_id = team.id
         with login_as_user(app, name="user_name", password="password") as client:
-            r = client.get("/teams/1")
+            r = client.get(f"/teams/{team_id}")
             assert r.status_code == 200
     destroy_ctfd(app)
 

tests/utils/test_updates.py

@@ -60,14 +60,14 @@ def test_update_check_notifies_user():
     destroy_ctfd(app)
 
 
-@patch.object(requests, "post")
-def test_update_check_ignores_downgrades(fake_post_request):
+@patch.object(requests, "get")
+def test_update_check_ignores_downgrades(fake_get_request):
     """Update checks do nothing on old or same versions"""
     app = create_ctfd()
     with app.app_context():
         app.config["UPDATE_CHECK"] = True
         fake_response = Mock()
-        fake_post_request.return_value = fake_response
+        fake_get_request.return_value = fake_response
         fake_response.json = lambda: {
             "resource": {
                 "html_url": "https://github.com/CTFd/CTFd/releases/tag/0.0.1",
@@ -83,7 +83,7 @@ def test_update_check_ignores_downgrades(fake_post_request):
         assert get_config("version_latest") is None
 
         fake_response = Mock()
-        fake_post_request.return_value = fake_response
+        fake_get_request.return_value = fake_response
         fake_response.json = lambda: {
             "resource": {
                 "html_url": "https://github.com/CTFd/CTFd/releases/tag/{}".format(