  1. require "sqlite3"
  2. require "digest"
  3. require "securerandom"
  4.  
  5. # Anmol Srivastava | asrivas2 | 114101433 | TA: JT, 12 PM
  6.  
  7. # Things to fix - PART 1: (REMEMBER TO UPDATE DATA.DB IF YOU MAKE REAL CHANGES ON WEBSITE)
  8. # - Validate all command fields per BASH
  9. # - Validate all HTML
  10. # - If user not allowed to use method, no action and FALSE
  11. # - @shell_pwd, @controller_pwd, latter is project directory path
  12. # - all session tokens revoked when an account is deleted.
  13. # - shell use restricted to project directory and its contents
  14. # - cannot delete data.db, controller.rb, or main.rb - SEE DIR AND FILE CLASSES IN RUBY
  15. # - database only allows access to menu and user profiles, not session data, etc.
  16.  
  17. # Things to do - Part 2:
  18. # - salt hash thingy - expand
  19.  
  20. def non_injecting(str)
  21. if str =~ %r{[;,--]} or str =~ %r{[<,>,",&]} # Comment out the "
  22. return false
  23. end
  24. return true
  25. end
  26.  
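# CRUD for the Menus table.
#
# Every method requires a logged-in session (`authorize` != -1). Text fields
# still pass through the legacy `non_injecting` screen so callers that expect
# `false` for rejected characters keep working, but the SQL itself is
# protected by bind parameters, not by that filter. Needs `authorize`,
# `non_injecting`, `@db` and `@session_id` from the including class.
module Menu
  # Inserts a menu named +name+.
  # @return [Boolean] true when inserted; false when not logged in or +name+
  #   fails `non_injecting`
  def create_menu(name)
    return false unless non_injecting(name) && authorize(@session_id) != -1
    @db.execute("INSERT INTO Menus (Name) VALUES (?)", [name])
    true
  end

  # @return [Array<Hash>, false] one `{ :id, :name }` hash per menu, or false
  #   when not logged in
  def read_menu()
    return false if authorize(@session_id) == -1
    @db.execute("SELECT RowID, Name FROM Menus").map do |id, name|
      { :id => id, :name => name }
    end
  end

  # Renames menu +id+.
  # @return [Boolean] true when the statement ran; false when +id+ is not a
  #   plain integer, +name+ fails `non_injecting`, or not logged in
  def update_menu(id, name)
    menu_id = row_id(id)
    return false unless menu_id && non_injecting(name) && authorize(@session_id) != -1
    @db.execute("UPDATE Menus SET Name = ? WHERE RowID = ?", [name, menu_id])
    true
  end

  # Deletes menu +id+.
  # @return [Boolean] true when the statement ran; false when +id+ is not a
  #   plain integer or not logged in
  def delete_menu(id)
    menu_id = row_id(id)
    return false unless menu_id && authorize(@session_id) != -1
    @db.execute("DELETE FROM Menus WHERE RowID = ?", [menu_id])
    true
  end

  private

  # Accepts only a non-negative decimal integer (Integer or digit String) as a
  # row id, returning nil otherwise. A value such as "1 OR 1=1" contains none
  # of the characters `non_injecting` rejects, so this type check — together
  # with binding — is what keeps ids from being read as SQL.
  def row_id(value)
    text = value.to_s
    text =~ /\A\d+\z/ ? text.to_i : nil
  end
end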
  65.  
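# CRUD for the Items table (an item belongs to a menu via the Menu column).
#
# Every method requires a logged-in session (`authorize` != -1). Text fields
# still pass through the legacy `non_injecting` screen; the SQL is protected
# by bind parameters, and the Menu/RowID values are additionally required to
# be plain integers. Needs `authorize`, `non_injecting`, `@db` and
# `@session_id` from the including class.
module Item
  # Inserts an item on menu +menu+.
  # +price+ and +description+ are stored as given (after the screen).
  # @return [Boolean] true when inserted; false when +menu+ is not a plain
  #   integer, a text field fails `non_injecting`, or not logged in
  def create_item(menu, name, price, description)
    menu_id = row_id(menu)
    return false unless menu_id && [name, price, description].all? { |v| non_injecting(v) }
    return false if authorize(@session_id) == -1
    @db.execute("INSERT INTO Items (Menu, Name, Price, Description) VALUES (?, ?, ?, ?)",
                [menu_id, name, price, description])
    true
  end

  # @return [Array<Hash>, false] one `{ :id, :menu, :name, :price,
  #   :description }` hash per item, or false when not logged in
  def read_item()
    return false if authorize(@session_id) == -1
    @db.execute("SELECT RowID, Menu, Name, Price, Description FROM Items").map do |id, menu, name, price, description|
      { :id => id, :menu => menu, :name => name, :price => price, :description => description }
    end
  end

  # Rewrites every column of item +id+.
  # @return [Boolean] true when the statement ran; false when +id+ or +menu+ is
  #   not a plain integer, a text field fails `non_injecting`, or not logged in
  def update_item(id, menu, name, price, description)
    item_id = row_id(id)
    menu_id = row_id(menu)
    return false unless item_id && menu_id && [name, price, description].all? { |v| non_injecting(v) }
    return false if authorize(@session_id) == -1
    @db.execute("UPDATE Items SET Menu = ?, Name = ?, Price = ?, Description = ? WHERE RowID = ?",
                [menu_id, name, price, description, item_id])
    true
  end

  # Deletes item +id+.
  # @return [Boolean] true when the statement ran; false when +id+ is not a
  #   plain integer or not logged in
  def delete_item(id)
    item_id = row_id(id)
    return false unless item_id && authorize(@session_id) != -1
    @db.execute("DELETE FROM Items WHERE RowID = ?", [item_id])
    true
  end

  private

  # Accepts only a non-negative decimal integer (Integer or digit String) as a
  # row id, returning nil otherwise. "1 OR 1=1" passes `non_injecting`, so the
  # type check — together with binding — is what keeps ids out of the SQL.
  def row_id(value)
    text = value.to_s
    text =~ /\A\d+\z/ ? text.to_i : nil
  end
end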
  104.  
  105.  
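# CRUD for the Users table (RowID, Name, Password, Admin, Salary).
#
# Admins may do everything; a non-admin may read and edit only their own
# record. Passwords are stored and compared exactly as given — the header's
# Part 2 "salt hash" TODO is not implemented here, and `Access#authenticate`
# compares the same column, so the two must change together. SQL is protected
# by bind parameters; the legacy `non_injecting` screen is kept so callers
# still get `false` for rejected characters. Needs `authorize`, `admin?`,
# `non_injecting`, `@db` and `@session_id` from the including class.
module User
  # Values treated as "admin" for the Admin column, which `admin?` reads as 1.
  ADMIN_TRUE_VALUES = [true, 1, "1", "true"].freeze

  # Creates a user; admins only.
  # @return [Boolean] true when inserted; false when the caller is not an admin
  #   or +name+/+password+/+salary+ fail `non_injecting`
  def create_user(name, password, admin, salary)
    return false unless [name, password, salary].all? { |v| non_injecting(v) } && admin?(@session_id)
    @db.execute("INSERT INTO Users (Name, Password, Admin, Salary) VALUES (?, ?, ?, ?)",
                [name, password, admin_flag(admin), salary])
    true
  end

  # Lists user profiles: every user for an admin, only the caller's own record
  # otherwise (an anonymous session gets []). The Password column is returned
  # as stored, exactly as before; views must not echo it.
  # @return [Array<Hash>] `{ :id, :name, :password, :admin, :salary }` hashes
  def read_user()
    sql = "SELECT RowID, Name, Password, Admin, Salary FROM Users"
    rows = if admin?(@session_id)
             @db.execute(sql)
           else
             @db.execute("#{sql} WHERE RowID = ?", [authorize(@session_id)])
           end
    rows.map do |id, name, password, admin, salary|
      {:id => id, :name => name, :password => password, :admin => admin, :salary => salary}
    end
  end

  # Updates user +id+: an admin may change every column, a user only their own
  # Name and Password (the +admin+ and +salary+ arguments are ignored then).
  # +id+ is compared numerically, so a String id from a form now matches the
  # Integer `authorize` returns.
  # @return [Boolean] true when a statement ran; false when +id+ is not a plain
  #   integer, a text field fails `non_injecting`, not logged in, or a
  #   non-admin targets another user
  def update_user(id, name, password, admin, salary)
    user_id = row_id(id)
    caller_id = authorize(@session_id)
    return false unless user_id && [name, password, salary].all? { |v| non_injecting(v) } && caller_id != -1
    if admin?(@session_id)
      @db.execute("UPDATE Users SET Name = ?, Password = ?, Admin = ?, Salary = ? WHERE RowID = ?",
                  [name, password, admin_flag(admin), salary, user_id])
    elsif caller_id == user_id
      @db.execute("UPDATE Users SET Name = ?, Password = ? WHERE RowID = ?", [name, password, user_id])
    else
      return false
    end
    true
  end

  # Deletes user +id+; admins only, and never the caller's own account.
  # The user's sessions are removed first so a deleted account's tokens stop
  # working immediately (the header's "session tokens revoked" item).
  # @return [Boolean] true when the statements ran; false otherwise
  def delete_user(id)
    user_id = row_id(id)
    return false unless user_id && authorize(@session_id) != user_id && admin?(@session_id)
    @db.execute("DELETE FROM Sessions WHERE UserID = ?", [user_id])
    @db.execute("DELETE FROM Users WHERE RowID = ?", [user_id])
    true
  end

  private

  # 1 for any ADMIN_TRUE_VALUES member, 0 for everything else, so the column
  # always holds the integer `admin?` tests for instead of raw caller input.
  def admin_flag(value)
    ADMIN_TRUE_VALUES.include?(value) ? 1 : 0
  end

  # Accepts only a non-negative decimal integer (Integer or digit String) as a
  # row id, returning nil otherwise. "1 OR 1=1" passes `non_injecting`, so the
  # type check — together with binding — is what keeps ids out of the SQL.
  def row_id(value)
    text = value.to_s
    text =~ /\A\d+\z/ ? text.to_i : nil
  end
end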
  155.  
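# Session handling: anonymous sessions, login, and the authorization queries
# the other modules call. Needs `non_injecting`, `@db` and `@session_id` from
# the including class.
#
# Sessions are rows of (SessionID, UserID); UserID -1 means "not logged in",
# and -1 is also what `authorize` returns for an unknown session id.
module Access
  # Exclusive upper bound for generated session ids. SQLite INTEGER is 64-bit
  # signed, so 2**62 stays in range while making the token space far larger
  # than the original 10**9; ids come from SecureRandom rather than Random.
  SESSION_ID_LIMIT = 2**62

  # Inserts a new anonymous session row.
  # @return [Integer] the new session id
  def create_session()
    session_id = SecureRandom.random_number(SESSION_ID_LIMIT)
    @db.execute("INSERT INTO Sessions (SessionID, UserID) VALUES (?, -1)", [session_id])
    session_id
  end

  # Logs a user in by name and password.
  #
  # The password is compared against the Password column exactly as stored
  # (the header's Part 2 "salt hash" TODO is not implemented here; `User`
  # writes the column the same way). A session row is created only after the
  # credentials match, so failed attempts no longer leave anonymous rows behind.
  #
  # @return [Integer, false] the new session id; -1 when the credentials do not
  #   match; false when either value fails `non_injecting`
  def authenticate(name, password)
    return false unless non_injecting(name) && non_injecting(password)
    @db.execute("SELECT RowID FROM Users WHERE Name = ? AND Password = ?", [name, password]) do |row|
      session_id = create_session()
      escalate(row[0], session_id)
      return session_id
    end
    -1
  end

  # Binds session +session_id+ to +user_id+.
  def escalate(user_id, session_id)
    @db.execute("UPDATE Sessions SET UserID = ? WHERE SessionID = ?", [user_id, session_id])
  end

  # True when +session_id+ belongs to a user whose Admin column is 1.
  def admin?(session_id)
    user_id = authorize(session_id)
    return false if user_id == -1 # anonymous session: no user row to look up
    @db.execute("SELECT Admin FROM Users WHERE RowID = ?", [user_id]) do |row|
      return row[0] == 1
    end
    false
  end

  # @return [Integer] the UserID bound to +session_id+, or -1 when no such
  #   session exists
  def authorize(session_id)
    @db.execute("SELECT UserID FROM Sessions WHERE SessionID = ?", [session_id]) do |row|
      return row[0]
    end
    -1
  end

  # Removes session +session_id+ (logout).
  def delete_session(session_id)
    @db.execute("DELETE FROM Sessions WHERE SessionID = ?", [session_id])
  end

  # Page-level access check for the current session.
  # @param page [Symbol] :dashboard needs an admin; :menu and :users need any
  #   logged-in user (an admin is logged in by definition); anything else is
  #   denied
  # @return [Boolean]
  def guard(page)
    case page
    when :dashboard then admin?(@session_id)
    when :menu, :users then authorize(@session_id) != -1
    else false
    end
  end
end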
  218.  
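# Admin-only shell access from the web UI.
#
# The shell keeps its own working directory in `@shell_pwd`. A `cd` moves that
# pointer and is confined to `@controller_pwd` (the project directory) and its
# subdirectories, with symlinks resolved before the check; the process working
# directory is never changed by a cd. Any other command runs inside
# `@shell_pwd` with the server's privileges and is NOT otherwise sandboxed, so
# `admin?` is the only control on it — the header TODO about data.db, main.rb
# and controller.rb still stands.
module Terminal
  # A bare `cd <target>`. Anchored, so `ls; cd /` is not mistaken for a cd, and
  # the target keeps its leading `/` or `..`, which the original `\W+` ate
  # (`cd ../foo` used to chdir to `foo`).
  CD_COMMAND = /\A\s*cd\s+(\S.*?)\s*\z/

  # Runs +command+ for an admin session.
  # @param command [String]
  # @return [String, false] "" after a successful cd, the command's standard
  #   output otherwise; false when the caller is not an admin, or the cd
  #   target does not exist, is not a directory, or lies outside the project
  def shell(command)
    return false unless admin?(@session_id)
    target = command.to_s[CD_COMMAND, 1]
    # Block-form chdir restores the process cwd even if the command raises.
    return Dir.chdir(@shell_pwd) { `#{command}` } unless target
    destination = resolve_cd_target(target)
    return false unless destination && inside_project?(destination)
    @shell_pwd = destination
    ""
  end

  private

  # Canonical absolute path of +target+ relative to the shell's directory, or
  # nil when it does not exist, cannot be resolved, or is not a directory.
  def resolve_cd_target(target)
    path = File.realpath(target, @shell_pwd)
    File.directory?(path) ? path : nil
  rescue SystemCallError
    nil
  end

  # True when +path+ is the project directory itself or lies beneath it.
  def inside_project?(path)
    root = File.realpath(@controller_pwd)
    path == root || path.start_with?(root + File::SEPARATOR)
  end
end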
  247.  
  248. #
  249. # NOTICE: You DO NOT need to modify anything below this point.
  250. # Modifications below this point may cause you to FAIL
  251. # our tests.
  252. #
  253.  
# Grader-supplied helper (see the notice above); behaviour intentionally left
# untouched. Needs `read_menu` and `read_item` from the including class.
module Util
  # Builds `{ :menus => [{ :name, :items => [{ :name, :price, :description }] }] }`
  # by grouping every item under the menu whose RowID matches its Menu column.
  #
  # NOTE(review): `read_menu` and `read_item` return false for a session that
  # is not logged in, and `false.each` raises NoMethodError here, so callers
  # should check `guard(:menu)` first. An item whose Menu id has no menu row
  # makes `find` return nil and the `[:items]` access raise as well.
  def collate_menus()
    menus = []
    result = { :menus => menus }
    id_to_name = {}

    read_menu.each do |menu|
      id, name = menu[:id], menu[:name]
      id_to_name[id] = name
      menus << { :name => name, :items => [] }
    end

    read_item.each do |item|
      menu, name, price, description = item[:menu], item[:name], item[:price], item[:description]
      (menus.find { |m| m[:name] == id_to_name[menu] })[:items] << { :name => name, :price => price, :description => description }
    end

    return result
  end
end
  274.  
# Grader-supplied composition root (see the notice above); behaviour
# intentionally left untouched. Mixes every feature module into one object
# that holds the database handle and the current session.
class Controller
  include Menu
  include Item
  include User
  include Access
  include Terminal
  include Util

  # session_id: the caller's session (-1 until `authenticate` succeeds);
  # shell_pwd: the Terminal module's working directory.
  attr_accessor :session_id, :shell_pwd
  # db is exposed read-only, but the handle itself can run any statement,
  # including against the Sessions table (see the header's database item).
  attr_reader :db, :controller_pwd

  # Opens data.db relative to the process working directory at construction
  # time and records that directory as the project directory.
  def initialize()
    @db = SQLite3::Database.new "data.db"
    @shell_pwd = Dir.pwd
    @controller_pwd = Dir.pwd
    @session_id = -1
  end
end