  1. require "sqlite3"
  2. require "digest"
  3. require "securerandom"
  4.  
  5. # Anmol Srivastava | asrivas2 | 114101433 | TA: JT, 12 PM
  6.  
  7. # Things to fix - PART 1: (REMEMBER TO UPDATE DATA.DB IF YOU MAKE REAL CHANGES ON WEBSITE)
  8. # - Validate all command fields per BASH
  9. # - Validate all HTML
  10. # - If user not allowed to use method, no action and FALSE
  11. # - @shell_pwd, @controller_pwd, latter is project directory path
  12. # - all session tokens revoked when an account is deleted.
  13. # - shell use restricted to project directory and its contents
  14. # - cannot delete data.db, controller.rb, or main.rb - SEE DIR AND FILE CLASSES IN RUBY
  15. # - database only allows access to menu and user profiles, not session data, etc.
  16.  
  17. # Things to do - Part 2:
  18. # - salt and hash the stored passwords (expand on this)
  19.  
  20. def non_injecting(str)
  21. if str =~ %r{;} or str =~ %r{--} or str =~ %r{<} or str =~ %r{>}
  22. return false
  23. end
  24. return true
  25. end
  26.  
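# CRUD for the Menus table.
#
# Writes need a logged-in session (authorize returning something other than
# -1) — any user, not only admins; reads are unauthenticated, as in the
# original. All values are passed to SQLite as bound parameters instead of
# being interpolated into the statement text. On success the write methods
# return true (the original returned whatever the driver's execute_batch
# returned); on a rejected input or missing session they return false.
module Menu
  # Insert a menu row.
  # @param name [String] menu name; must pass #non_injecting
  # @return [Boolean]
  def create_menu(name)
    return false unless non_injecting(name) && authorize(@session_id) != -1

    @db.execute("INSERT INTO Menus (Name) VALUES (?)", [name])
    true
  end

  # @return [Array<Hash>] every menu as { id:, name: }, in table order
  def read_menu
    @db.execute("SELECT RowID, Name FROM Menus").map do |id, name|
      { id: id, name: name }
    end
  end

  # Rename a menu.
  # @param id [Integer] RowID of the menu
  # @param name [String] new name; must pass #non_injecting
  # @return [Boolean]
  def update_menu(id, name)
    return false unless non_injecting(name) && authorize(@session_id) != -1

    @db.execute("UPDATE Menus SET Name = ? WHERE RowID = ?", [name, id])
    true
  end

  # Delete a menu row. Items pointing at it are not touched here.
  # @param id [Integer] RowID of the menu
  # @return [Boolean]
  def delete_menu(id)
    return false if authorize(@session_id) == -1

    @db.execute("DELETE FROM Menus WHERE RowID = ?", [id])
    true
  end
end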
  61.  
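# CRUD for the Items table.
#
# Writes need a logged-in session; reads are unauthenticated, as in the
# original. Values are bound as SQLite parameters rather than interpolated,
# so `menu`, `price` and `id` no longer reach the statement text unquoted.
# Write methods return true on success and false when a text field fails
# #non_injecting or the session is not logged in.
module Item
  # Insert an item under a menu.
  # @param menu [Integer] RowID of the owning menu
  # @param name [String] must pass #non_injecting
  # @param price [Numeric, String] stored as given; must pass #non_injecting
  # @param description [String] must pass #non_injecting
  # @return [Boolean]
  def create_item(menu, name, price, description)
    return false unless writable_item?(name, price, description)

    @db.execute(
      "INSERT INTO Items (Menu, Name, Price, Description) VALUES (?, ?, ?, ?)",
      [menu, name, price, description]
    )
    true
  end

  # @return [Array<Hash>] every item as { id:, menu:, name:, price:, description: }
  def read_item
    rows = @db.execute("SELECT RowID, Menu, Name, Price, Description FROM Items")
    rows.map do |id, menu, name, price, description|
      { id: id, menu: menu, name: name, price: price, description: description }
    end
  end

  # Overwrite every column of an item.
  # @param id [Integer] RowID of the item
  # @return [Boolean]
  def update_item(id, menu, name, price, description)
    return false unless writable_item?(name, price, description)

    @db.execute(
      "UPDATE Items SET Menu = ?, Name = ?, Price = ?, Description = ? WHERE RowID = ?",
      [menu, name, price, description, id]
    )
    true
  end

  # Delete an item row.
  # @param id [Integer] RowID of the item
  # @return [Boolean]
  def delete_item(id)
    return false if authorize(@session_id) == -1

    @db.execute("DELETE FROM Items WHERE RowID = ?", [id])
    true
  end

  private

  # Shared gate for create/update: the text fields pass #non_injecting and
  # the caller's session is logged in. `menu` and `id` are only ever bound as
  # parameters, so they need no character filter.
  def writable_item?(name, price, description)
    [name, price, description].all? { |field| non_injecting(field) } &&
      authorize(@session_id) != -1
  end
end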
  96.  
  97.  
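# CRUD for the Users table.
#
# Only admins create or delete accounts; a logged-in user may change their
# own name and password; an admin may change any column of any user. Values
# are bound as SQLite parameters. Passwords are stored and compared as
# received (plaintext) — that is how the original and Access#authenticate
# work; hashing has to be introduced in create_user, update_user and
# authenticate in one coordinated change.
module User
  # Create an account. Admin sessions only.
  # @param name [String] must pass #non_injecting
  # @param password [String] must pass #non_injecting; stored as given
  # @param admin [Integer] admin? treats the stored value as true only when it
  #   equals 1, so callers should pass 0 or 1 — confirm at the call site
  # @param salary [Numeric, String] must pass #non_injecting
  # @return [Boolean] true on success, false when an input is rejected or the
  #   session is not an admin
  def create_user(name, password, admin, salary)
    return false unless [name, password, salary].all? { |field| non_injecting(field) }
    return false unless admin?(@session_id)

    @db.execute(
      "INSERT INTO Users (Name, Password, Admin, Salary) VALUES (?, ?, ?, ?)",
      [name, password, admin, salary]
    )
    true
  end

  # List users. Admins see every row; anyone else sees only their own row
  # (an unauthenticated session sees none).
  #
  # NOTE: the returned hashes include the stored Password column, exactly as
  # the original did; callers that render these should not echo it.
  # @return [Array<Hash>] rows as { id:, name:, password:, admin:, salary: }
  def read_user
    rows = @db.execute("SELECT RowID, Name, Password, Admin, Salary FROM Users")
    users = rows.map do |id, name, password, admin, salary|
      { id: id, name: name, password: password, admin: admin, salary: salary }
    end
    return users if admin?(@session_id)

    own_id = authorize(@session_id)
    users.select { |u| u[:id] == own_id }
  end

  # Update an account.
  #
  # Admins may set every column. A non-admin may only update the row whose
  # RowID equals their own user id, and then only Name and Password — Admin
  # and Salary are deliberately ignored so a user cannot promote or pay
  # themselves.
  # @param id [Integer] RowID to update. The self-check compares it with the
  #   Integer authorize returns; a String id from a form would never match —
  #   TODO confirm the type at the call site
  # @return [Boolean] true on success, false when an input is rejected, the
  #   session is not logged in, or a non-admin targets someone else's row
  def update_user(id, name, password, admin, salary)
    return false unless [name, password, salary].all? { |field| non_injecting(field) }

    caller_id = authorize(@session_id)
    return false if caller_id == -1

    if admin?(@session_id)
      @db.execute(
        "UPDATE Users SET Name = ?, Password = ?, Admin = ?, Salary = ? WHERE RowID = ?",
        [name, password, admin, salary, id]
      )
    elsif caller_id == id
      @db.execute(
        "UPDATE Users SET Name = ?, Password = ? WHERE RowID = ?",
        [name, password, id]
      )
    else
      return false
    end
    true
  end

  # Delete an account. Admin sessions only, and never the caller's own row.
  #
  # Also removes that user's rows from Sessions (the header TODO "all session
  # tokens revoked when an account is deleted"): authorize only consults the
  # Sessions table, so without this a session bound to the deleted id would
  # still count as logged in for guard(:menu) / guard(:users).
  # @param id [Integer] RowID to delete
  # @return [Boolean]
  def delete_user(id)
    return false unless admin?(@session_id) && authorize(@session_id) != id

    @db.transaction do
      @db.execute("DELETE FROM Users WHERE RowID = ?", [id])
      @db.execute("DELETE FROM Sessions WHERE UserID = ?", [id])
    end
    true
  end
end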
  147.  
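# Sessions, login and page authorization.
#
# A session is a row in Sessions (SessionID, UserID); UserID is -1 until
# escalate binds it to a user. Values are bound as SQLite parameters rather
# than interpolated.
module Access
  # Exclusive upper bound of the session id space, unchanged from the
  # original. Collisions with existing rows are not checked here.
  SESSION_ID_RANGE = 1_000_000_000

  # Create an anonymous session row and return its id.
  #
  # Uses SecureRandom (already required at the top of the file) instead of
  # Random.new: a session id is a bearer token and must not come from a
  # predictable PRNG.
  # @return [Integer] the new session id
  def create_session
    session_id = SecureRandom.random_number(SESSION_ID_RANGE)
    @db.execute("INSERT INTO Sessions (SessionID, UserID) VALUES (?, -1)", [session_id])
    session_id
  end

  # Log in.
  #
  # The password is compared in plaintext against the stored column, as the
  # original did (see the User module note). Unlike the original, no session
  # row is created when the lookup fails, so failed logins no longer leave
  # anonymous rows behind.
  # @param name [String] must pass #non_injecting
  # @param password [String] must pass #non_injecting
  # @return [Integer, false] a new session id bound to the user on success;
  #   -1 when no user matches; false when an input is rejected
  def authenticate(name, password)
    return false unless non_injecting(name) && non_injecting(password)

    user_id = @db.get_first_value(
      "SELECT RowID FROM Users WHERE Name = ? AND Password = ?", [name, password]
    )
    return -1 if user_id.nil?

    session_id = create_session
    escalate(user_id, session_id)
    session_id
  end

  # Bind a session to a user.
  # @param user_id [Integer]
  # @param session_id [Integer]
  def escalate(user_id, session_id)
    @db.execute("UPDATE Sessions SET UserID = ? WHERE SessionID = ?", [user_id, session_id])
  end

  # @param session_id [Integer]
  # @return [Boolean] true only when the session's user exists and its Admin
  #   column equals 1 (any other value, or no user row, is false)
  def admin?(session_id)
    user_id = authorize(session_id)
    flag = @db.get_first_value("SELECT Admin FROM Users WHERE RowID = ?", [user_id])
    flag == 1
  end

  # @param session_id [Integer]
  # @return [Integer, nil] the UserID recorded for the session (-1 for an
  #   anonymous session, nil if the column is NULL), or -1 when no such
  #   session exists
  def authorize(session_id)
    row = @db.execute("SELECT UserID FROM Sessions WHERE SessionID = ?", [session_id]).first
    row ? row.first : -1
  end

  # Remove a session row.
  # @param session_id [Integer]
  def delete_session(session_id)
    @db.execute("DELETE FROM Sessions WHERE SessionID = ?", [session_id])
  end

  # Page-level access check for the current session.
  #
  # :dashboard is admin-only; :menu and :users need any logged-in session
  # (the admin? alternative is kept from the original, though an admin is by
  # construction logged in). Unknown pages are denied.
  # @param page [Symbol]
  # @return [Boolean]
  def guard(page)
    case page
    when :dashboard then admin?(@session_id)
    when :menu, :users then admin?(@session_id) || authorize(@session_id) != -1
    else false
    end
  end
end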
  210.  
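# Admin-only shell access from the web UI.
module Terminal
  # Matches a `cd <path>` command in its entirety, capturing the path with
  # surrounding whitespace trimmed. The original pattern was unanchored and
  # used `\W+` after `cd`, which also consumed a leading `../` or `/` from the
  # argument, so `cd ../x` was treated as `cd x`.
  CD_COMMAND = /\Acd\s+(.*?)\s*\z/

  # Run a command for an admin session in the shell's working directory.
  #
  # This executes arbitrary command lines with the web process's privileges;
  # the admin check is the only gate, and the `cd` confinement below bounds
  # where the shell *starts*, not what a command's own arguments may reach.
  #
  # @param command [String] the command line as typed
  # @return [String, false] the command's output ("" for `cd`), or false when
  #   the session is not an admin or the `cd` target is invalid / outside the
  #   project directory
  def shell(command)
    return false unless admin?(@session_id)

    command = command.to_s
    if (match = CD_COMMAND.match(command))
      change_shell_dir(match[1])
    else
      # Block form restores the process cwd even if the command raises; the
      # original chdir'd back by hand and skipped that on an exception.
      Dir.chdir(@shell_pwd) { `#{command}` }
    end
  end

  private

  # Resolve +target+ against the shell's cwd and adopt it as @shell_pwd, but
  # only if it stays inside the project directory (@controller_pwd) — the
  # "shell use restricted to project directory" item from the header TODO.
  # File.realpath resolves symlinks and `..`, so the comparison is on
  # canonical paths.
  # @param target [String] path argument of `cd` ("" keeps the current dir)
  # @return [String, false] "" on success, as the original returned for `cd`;
  #   false when the path does not exist, cannot be resolved, or escapes the
  #   project directory (the original raised out of Dir.chdir on a bad path)
  def change_shell_dir(target)
    root = File.realpath(@controller_pwd)
    resolved = File.realpath(target, @shell_pwd)
    return false unless resolved == root || resolved.start_with?(root + File::SEPARATOR)

    @shell_pwd = resolved
    ""
  rescue SystemCallError, ArgumentError
    false
  end
end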
  239.  
  240. #
  241. # NOTICE: You DO NOT need to modify anything below this point.
  242. # Modifications below this point may cause you to FAIL
  243. # our tests.
  244. #
  245.  
# Grader-owned helper (see the NOTICE above); behaviour is unchanged.
module Util
  # Join menus with their items for rendering.
  #
  # Items are attached to the menu whose *name* matches their Menu id's name,
  # so two menus sharing a name collapse onto the first one, and an item whose
  # Menu id has no menu row raises NoMethodError (find returns nil) — both as
  # in the original.
  # @return [Hash] { :menus => [{ :name, :items => [{ :name, :price, :description }] }] }
  def collate_menus
    id_to_name = {}
    menus = read_menu.map do |menu|
      id_to_name[menu[:id]] = menu[:name]
      { :name => menu[:name], :items => [] }
    end

    read_item.each do |item|
      owner = menus.find { |m| m[:name] == id_to_name[item[:menu]] }
      owner[:items] << { :name => item[:name], :price => item[:price], :description => item[:description] }
    end

    { :menus => menus }
  end
end
  266.  
# Composes the feature modules over a single SQLite connection.
class Controller
  include Menu
  include Item
  include User
  include Access
  include Terminal
  include Util

  # session_id: the current session (-1 until set by the caller);
  # shell_pwd: the Terminal module's working directory, updated by `cd`.
  attr_accessor :session_id, :shell_pwd
  # db: the SQLite3 handle; controller_pwd: the process cwd at construction,
  # which Terminal treats as the project directory.
  attr_reader :db, :controller_pwd

  # Opens data.db relative to the current working directory — the process
  # must therefore be started from the project directory — and starts with
  # no session.
  def initialize
    @db = SQLite3::Database.new("data.db")
    @shell_pwd = Dir.pwd
    @controller_pwd = Dir.pwd
    @session_id = -1
  end
end