diff --git a/Dockerfile b/Dockerfile
index fc16a1b..555b36d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,2 +1,3 @@
 FROM tiangolo/uwsgi-nginx-flask:python3.6
-COPY ./app /app
\ No newline at end of file
+COPY ./app /app
+
diff --git a/app/UseSqlite.py b/app/UseSqlite.py
index d9b3f22..67133ce 100644
--- a/app/UseSqlite.py
+++ b/app/UseSqlite.py
@@ -31,6 +31,20 @@ class Sqlite3Template:
 self.connect(self.db_fname)
 self.instructions(self.query)
 self.operate()
+
+ def instructions_with_parameters(self, query_statement, parameters):
+ self.query = query_statement
+ self.parameters = parameters
+
+ def do_with_parameters(self):
+ self.connect(self.db_fname)
+ self.instructions_with_parameters(self.query, self.parameters)
+ self.operate_with_parameters()
+
+ def operate_with_parameters(self):
+ self.conn.row_factory = sqlite3.Row
+ self.results = self.conn.execute(self.query, self.parameters) # self.query is to be given in the child classes
+ self.conn.commit()
 class InsertQuery(Sqlite3Template):
diff --git a/app/main.py b/app/main.py
index 6d743bb..11edeb3 100644
--- a/app/main.py
+++ b/app/main.py
@@ -38,8 +38,8 @@ def load_freq_history(path):
 def verify_user(username, password):
 rq = RecordQuery(path_prefix + 'static/wordfreqapp.db')
- rq.instructions("SELECT * FROM user WHERE name='%s' AND password='%s'" % (username, password))
- rq.do()
+ rq.instructions_with_parameters("SELECT * FROM user WHERE name=? AND password=?", (username, password))
+ rq.do_with_parameters()
 result = rq.get_results()
 return result != []
@@ -228,7 +228,7 @@ def mainpage():
 '''
- page += '
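Review bot: `do_with_parameters` reads `self.parameters` before anything in the hunk guarantees it exists, so a caller that reaches `do_with_parameters()` without first calling `instructions_with_parameters()` gets an AttributeError instead of a clear message (unless `__init__`, which is outside the hunk, initialises it); the re-assignment `self.instructions_with_parameters(self.query, self.parameters)` inside it is a no-op carried over from `do()`. The trailing comment `# self.query is to be given in the child classes` was copied from `operate` and is now wrong, since the query arrives through `instructions_with_parameters`. Because the string-building `instructions()`/`do()` pair is still present, the new method should say when it must be used, e.g. a docstring `"""Execute self.query with bound parameters; use this, not instructions()/do(), whenever any part of the query comes from a request."""`. The enclosing class Sqlite3Template starts before the hunk.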
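Review bot: The bound parameters close the injection in `verify_user`, but `password=?` still compares the submitted password against the stored column verbatim, so unless the caller hashes it first (not visible in this diff) the `user` table holds cleartext passwords and a copy of `wordfreqapp.db` exposes every account. A safer shape selects by name only, `rq.instructions_with_parameters("SELECT password FROM user WHERE name=?", (username,))`, and verifies the submitted value against a stored salted hash in Python (`hashlib.pbkdf2_hmac` plus `hmac.compare_digest`), with the matching change at signup time. The final `result != []` also assumes `get_results()` returns a list; if it ever returned a cursor or `None` the comparison would be unconditionally true or false, so that contract is worth pinning in UseSqlite.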

English Pal - Learn English in a smart way!

' + page += '

English Pal -(SPM-Spring2021-2599-张小飞201831990641) Learn English in a smart way!

' if session.get('logged_in'): page += ' %s

\n' % (session['username'], session['username']) else: diff --git a/app/test/test_add_word.py b/app/test/test_add_word.py index 9a46fe3..0cf1865 100644 --- a/app/test/test_add_word.py +++ b/app/test/test_add_word.py @@ -10,7 +10,7 @@ import string driver = webdriver.Remote('http://localhost:4444/wd/hub', DesiredCapabilities.CHROME) driver.implicitly_wait(10) -HOME_PAGE = 'http://121.4.94.30:91/' +HOME_PAGE = 'http://121.4.94.30:5000/' def has_punctuation(s): @@ -19,6 +19,7 @@ def has_punctuation(s): def test_add_word(): try: driver.get(HOME_PAGE) + print(driver.page_source) assert 'English Pal -' in driver.page_source # login diff --git a/app/test/test_add_word_and_essay_does_not_change.py b/app/test/test_add_word_and_essay_does_not_change.py index 61af4b8..348521e 100644 --- a/app/test/test_add_word_and_essay_does_not_change.py +++ b/app/test/test_add_word_and_essay_does_not_change.py @@ -10,7 +10,7 @@ import string driver = webdriver.Remote('http://localhost:4444/wd/hub', DesiredCapabilities.CHROME) driver.implicitly_wait(10) -HOME_PAGE = 'http://121.4.94.30:91/' +HOME_PAGE = 'http://121.4.94.30:5000/' def has_punctuation(s): diff --git a/app/test/test_login.py b/app/test/test_login.py index b8bb669..11b9abf 100644 --- a/app/test/test_login.py +++ b/app/test/test_login.py @@ -9,7 +9,7 @@ import random, string driver = webdriver.Remote('http://localhost:4444/wd/hub', DesiredCapabilities.CHROME) driver.implicitly_wait(10) -HOME_PAGE = 'http://121.4.94.30:91/' +HOME_PAGE = 'http://121.4.94.30:5000/' @@ -59,5 +59,6 @@ def test_login(): driver.save_screenshot('./app/test/test_login_pic4.png') assert 'EnglishPal Study Room for ' + uname in driver.title + finally: driver.quit() diff --git a/app/test/test_login_security_fix.py b/app/test/test_login_security_fix.py new file mode 100644 index 0000000..3baf18a --- /dev/null +++ b/app/test/test_login_security_fix.py 
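Review bot: `session['username']` is spliced into the page with `%s` on the line right after the changed banner with no HTML escaping, so a username containing `<`, `"` or `'` becomes markup for every visit by that user (stored XSS) unless the signup path already restricts usernames to safe characters, and that path is not in this diff. Escape at the point of output, `from markupsafe import escape` and `% (escape(session['username']), escape(session['username']))`. The banner text change itself is cosmetic, and mainpage() starts and ends outside the hunk.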
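Review bot: `print(driver.page_source)` in test_add_word dumps the whole rendered page into the test output on every run, which bloats CI logs and will echo whatever the page contains once later steps log in; it reads as leftover debugging. Either drop it or keep the page only as failure context, `assert 'English Pal -' in driver.page_source, driver.page_source[:500]`. The test function continues past the hunk.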
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# Run the docker image using the following command:
+# docker run -d -p 4444:4444 selenium/standalone-chrome
+from selenium import webdriver
+from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
+
+import random, string
+
+driver = webdriver.Remote('http://localhost:4444/wd/hub', DesiredCapabilities.CHROME)
+driver.implicitly_wait(10)
+
+HOME_PAGE = 'http://121.4.94.30:5000/'
+
+def test_login_security_fix():
+ try:
+ driver.get(HOME_PAGE)
+
+ elem = driver.find_element_by_link_text('登录')
+ elem.click()
+
+ uname = 'lanhui'
+ elem = driver.find_element_by_name('username')
+ elem.send_keys(uname)
+
+ elem = driver.find_element_by_name('password')
+ # 使用原有漏洞密码登录
+ elem.send_keys("' or 'a'='a'or'a'='a")
+
+ elem = driver.find_element_by_xpath('//form[1]/p[3]/input[1]') # 找到登录按钮
+ elem.click()
+
+ driver.save_screenshot('./app/test/test_login_security_fix0.png')
+ assert '无法通过验证。' in driver.page_source
+ finally:
+ driver.quit()
diff --git a/app/test/test_next_essay.py b/app/test/test_next_essay.py
index 98d748c..6cf8c80 100644
--- a/app/test/test_next_essay.py
+++ b/app/test/test_next_essay.py
@@ -9,7 +9,7 @@ import random, string, time
 driver = webdriver.Remote('http://localhost:4444/wd/hub', DesiredCapabilities.CHROME)
 driver.implicitly_wait(10)
-HOME_PAGE = 'http://121.4.94.30:91/'
+HOME_PAGE = 'http://121.4.94.30:5000/'
@@ -42,7 +42,7 @@ def test_next():
 # click Next
 diff = 0
- for i in range(5):
+ for i in range(10):
 elem = driver.find_element_by_link_text('下一篇')
 elem.click()
 driver.save_screenshot('./app/test/test_next_essay_pic1.png')
diff --git a/app/test/test_signup.py b/app/test/test_signup.py
index 596e53d..f46c5cd 100644
--- a/app/test/test_signup.py
+++ b/app/test/test_signup.py
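Review bot: The regression test only checks that the rejection text `无法通过验证。` appears, not that the login actually failed: a redirect, an error page or a reworded message makes the assert fail for the wrong reason, while a successful injection whose response also happened to contain that string would pass. Add the negative form of the check test_login uses, `assert 'EnglishPal Study Room for ' + uname not in driver.title`, and consider repeating the check with the payload in the username field and with a second payload such as `' OR 1=1 --`, since `verify_user` now binds both parameters. The test also drives a fixed public IP over plain HTTP with a real-looking account name (`lanhui`); reading `HOME_PAGE` from an environment variable with the current value as default would let it run against a local container without touching the live box. The comment `# 使用原有漏洞密码登录` would read better in English as `# password payload that bypassed the old string-built query`.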
@@ -9,7 +9,7 @@ import random, string
 driver = webdriver.Remote('http://localhost:4444/wd/hub', DesiredCapabilities.CHROME)
 driver.implicitly_wait(10)
-HOME_PAGE = 'http://121.4.94.30:91/'
+HOME_PAGE = 'http://121.4.94.30:5000/'
diff --git a/效果演示.mp4 b/效果演示.mp4
deleted file mode 100644
index 6c1c6d0..0000000
Binary files a/效果演示.mp4 and /dev/null differ