from flask import Flask, render_template, request, redirect, session
import sqlite3
import sys
from app import app
database = 'webstore.db'
def generate_csrf_token():
if 'csrf_token' not in session:
session['csrf_token'] = str(random.randint(1000, 9999))
return session['csrf_token']
### Implementing fix for CSRF:
# def check_csrf():
# if session["csrf_token"] != request.form["csrf_token"]:
# return False
###
@app.route('/')
def index():
if 'username' in session:
return redirect('/store')
else:
return redirect('/login')
@app.route('/register', methods=['GET', 'POST'])
def register():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
### Implementing a fix for the cryptographic failures:
# salt = bcrypt.gensalt()
# password = bcrypt.hashpw(password.encode('utf-8'), salt)
###
### Implementing a fix for the identification and authentication failures:
# if len(username) < 6:
# return "Error: Username must be at least 6 characters long."
# if len(password) < 8:
# return "Error: Password must be at least 8 characters long."
# if password.isalpha() or password.isdigit():
# return "Error: Password must contain a combination of letters and numbers."
###
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
existing_user = cursor.fetchone()
if existing_user:
return render_template('register.html', error='Username already taken')
### Implementing fix for broken access control:
# cursor.execute("INSERT INTO users (username, password, guest) VALUES (?, ?, ?)",
# (username, password, guest))
###
cursor.execute("INSERT INTO users (username, password) VALUES (?, ?)",
(username, password))
connection.commit()
connection.close()
return redirect('/login')
return render_template('register.html')
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
### Implementing a fix for the SQL injection vulnerability.
# conn = sqlite3.connect('database.db')
# cursor = conn.cursor()
# query = "SELECT * FROM users WHERE username = ? AND password = ?"
# cursor.execute(query, (username, password))
###
# SQL injection vulnerability
db = sqlite3.connect(database)
cursor = db.cursor()
query = "SELECT * FROM users WHERE username = '{}' AND password = '{}'".format(username, password)
user = db.execute(query)
if user:
session['username'] = username
return redirect('/store')
else:
return render_template('login.html', error='Invalid username or password')
return render_template('login.html')
# Store page
@app.route('/store')
def store():
if 'username' in session:
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("SELECT id, name, price FROM Products")
products = cursor.fetchall()
connection.close()
products = list(products)
return render_template('store.html', username=session['username'], products=products)
return redirect('/login')
@app.route('/cart')
def cart():
if 'username' in session:
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("SELECT * FROM History WHERE username = ?", (session['username'],))
cart_items = cursor.fetchall()
connection.close()
return render_template('cart.html', username=session['username'], cart=cart_items)
return redirect('/login')
@app.route('/add_to_cart/<int:product_id>')
def add_to_cart(product_id):
if 'username' in session:
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("SELECT * FROM Products WHERE id = ?", (product_id,))
product = cursor.fetchone()
if product:
cursor.execute("INSERT INTO History (username, product_name, price) VALUES (?, ?, ?)",
(session['username'], product[1], product[2]))
connection.commit()
connection.close()
return redirect('/store')
# Missing CSRF token validation
@app.route('/remove_from_cart/<int:item_id>')
def remove_from_cart(item_id):
if 'username' in session:
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("DELETE FROM History WHERE id = ?", (item_id,))
connection.commit()
connection.close()
return redirect('/cart')
@app.route('/logout')
def logout():
session.pop('username', None)
return redirect('/login')
@app.route('/admin')
def admin():
### Implementing fix for broken access control:
# if 'admin' in session:
# return render_template('admin.html')
# else:
# return render_template('/')
###
return render_template('admin.html')
@app.route('/admin/add_product', methods=['POST'])
def add_product():
name = request.form['product_name']
price = request.form['price']
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("INSERT INTO Products (name, price) VALUES (?, ?)",
(name, price))
connection.commit()
connection.close()
return redirect('/admin')
@app.route('/checkout')
def checkout():
if 'username' in session:
connection = sqlite3.connect(database)
cursor = connection.cursor()
cursor.execute("DELETE FROM History")
connection.commit()
connection.close()
return redirect('/store')