Merge branch 'master' into handle-user-payloads

uruwhy · web-flow · commit 86360bcebe3c · 2026-05-13T19:40:13.000Z
diff --git a/app/api/rest_api.py b/app/api/rest_api.py
@@ -89,7 +89,6 @@ async def rest_core(self, request):
                     operation_report=lambda d: self.rest_svc.display_operation_report(d),
                     result=lambda d: self.rest_svc.display_result(d),
                     contact=lambda d: self.rest_svc.download_contact_report(d),
-                    configuration=lambda d: self.rest_svc.update_config(d),
                     link=lambda d: self.rest_svc.get_potential_links(**d),
                     operation=lambda d: self.rest_svc.update_operation(**d),
                     task=lambda d: self.rest_svc.task_agent_with_ability(**d),
@@ -103,8 +102,14 @@ async def rest_core(self, request):
             return web.json_response(await options[request.method][index](data))
         except ma.ValidationError as e:
             raise web.HTTPBadRequest(content_type='application/json', text=json.dumps(e.messages))
+        except TypeError as e:
+            self.log.error(repr(e), exc_info=True)
+            error_msg = dict(error='400: Bad Request')
+            raise web.HTTPBadRequest(text=json.dumps(error_msg), content_type='application/json')
         except Exception as e:
             self.log.error(repr(e), exc_info=True)
+            error_msg = dict(error='500: Internal Server Error')
+            raise web.HTTPInternalServerError(text=json.dumps(error_msg), content_type='application/json')
 
     @check_authorization
     async def rest_core_info(self, request):
diff --git a/app/service/interfaces/i_rest_svc.py b/app/service/interfaces/i_rest_svc.py
@@ -107,10 +107,6 @@ def get_link_pin(self, json_data):
     def construct_agents_for_group(self, group):
         raise NotImplementedError
 
-    @abc.abstractmethod
-    def update_config(self, data):
-        raise NotImplementedError
-
     @abc.abstractmethod
     def update_operation(self, op_id, state, autonomous):
         raise NotImplementedError
diff --git a/app/service/rest_svc.py b/app/service/rest_svc.py
@@ -269,16 +269,6 @@ async def construct_agents_for_group(self, group):
             return await self.get_service('data_svc').locate('agents', match=dict(group=group))
         return await self.get_service('data_svc').locate('agents')
 
-    async def update_config(self, data):
-        if data.get('prop') == 'plugin':
-            enabled_plugins = self.get_config('plugins')
-            new_plugin = data.get('value')
-            if new_plugin not in enabled_plugins:
-                enabled_plugins.append(new_plugin)
-        elif data.get('prop') != 'requirements':  # Prevent users from editing requirements via API.
-            self.set_config('main', data.get('prop'), data.get('value'))
-        return self.get_config()
-
     async def update_operation(self, op_id, state=None, autonomous=None, obfuscator=None):
         async def validate(op):
             try:
diff --git a/requirements.txt b/requirements.txt
@@ -18,7 +18,7 @@ ldap3==2.9.1
 pyasn1==0.6.3
 reportlab==4.0.4  # debrief
 rich==13.7.0
-lxml==6.0.2  # debrief
+lxml==6.1.0  # debrief
 svglib==1.5.1  # debrief
 Markdown==3.8.1  # training
 dnspython==2.6.1
diff --git a/tests/objects/test_link.py b/tests/objects/test_link.py
@@ -41,10 +41,12 @@ def test_link_eq(self, ability, executor):
         test_executor = executor(name='psh', platform='windows')
         test_ability = ability(ability_id='123', executors=[test_executor])
         fact = Fact(trait='remote.host.fqdn', value='dc')
-        test_link = Link(command='sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 111111"',
+        # sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 111111"
+        test_link = Link(command='c2MuZXhlIFxcZGMgY3JlYXRlIHNhbmRzdmMgYmlucGF0aD0gInM0bmRjNHQuZXhlIC1vcmlnaW5MaW5rSUQgMTExMTExIg==',
                          paw='123456', ability=test_ability, id=111111, executor=test_executor)
         test_link.used = [fact]
-        test_link2 = Link(command='sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 222222"',
+        # sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 222222"
+        test_link2 = Link(command='c2MuZXhlIFxcZGMgY3JlYXRlIHNhbmRzdmMgYmlucGF0aD0gInM0bmRjNHQuZXhlIC1vcmlnaW5MaW5rSUQgMjIyMjIyIg==',
                           paw='123456', ability=test_ability, id=222222, executor=test_executor)
         test_link2.used = [fact]
         assert test_link == test_link2
@@ -54,31 +56,36 @@ def test_link_neq(self, ability, executor):
         test_ability = ability(ability_id='123', executors=[test_executor])
         fact_a = Fact(trait='host.user.name', value='a')
         fact_b = Fact(trait='host.user.name', value='b')
-        test_link_a = Link(command='net user a', paw='123456', ability=test_ability, id=111111, executor=test_executor)
+        # net user a
+        test_link_a = Link(command='bmV0IHVzZXIgYQ==', paw='123456', ability=test_ability, id=111111, executor=test_executor)
         test_link_a.used = [fact_a]
-        test_link_b = Link(command='net user b', paw='123456', ability=test_ability, id=222222, executor=test_executor)
+        # net user b
+        test_link_b = Link(command='bmV0IHVzZXIgYg==', paw='123456', ability=test_ability, id=222222, executor=test_executor)
         test_link_b.used = [fact_b]
         assert test_link_a != test_link_b
 
     @mock.patch.object(Link, '_emit_status_change_event')
     def test_no_status_change_event_on_instantiation(self, mock_emit_status_change_method, ability, executor):
         executor = executor('psh', 'windows')
         ability = ability(executor=executor)
-        Link(command='net user a', paw='123456', ability=ability, executor=executor)
+        # net user a
+        Link(command='bmV0IHVzZXIgYQ==', paw='123456', ability=ability, executor=executor)
         mock_emit_status_change_method.assert_not_called()
 
     @mock.patch.object(Link, '_emit_status_change_event')
     def test_status_change_event_fired_on_status_change(self, mock_emit_status_change_method, ability, executor):
         executor = executor('psh', 'windows')
         ability = ability(executor=executor)
-        link = Link(command='net user a', paw='123456', ability=ability, executor=executor, status=-3)
+        # net user a
+        link = Link(command='bmV0IHVzZXIgYQ==', paw='123456', ability=ability, executor=executor, status=-3)
         link.status = -5
         mock_emit_status_change_method.assert_called_with(from_status=-3, to_status=-5)
 
     def test_emit_status_change_event(self, event_loop, fake_event_svc, ability, executor):
         executor = executor('psh', 'windows')
         ability = ability(executor=executor)
-        link = Link(command='net user a', paw='123456', ability=ability, executor=executor, status=-3)
+        # net user a
+        link = Link(command='bmV0IHVzZXIgYQ==', paw='123456', ability=ability, executor=executor, status=-3)
         fake_event_svc.reset()
 
         event_loop.run_until_complete(
@@ -99,7 +106,8 @@ def test_emit_status_change_event(self, event_loop, fake_event_svc, ability, exe
     def test_link_agent_reported_time_not_present_when_none_roundtrip(self, ability, executor):
         test_executor = executor(name='psh', platform='windows')
         test_ability = ability(ability_id='123')
-        test_link = Link(command='sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 111111"',
+        # sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 111111"
+        test_link = Link(command='c2MuZXhlIFxcZGMgY3JlYXRlIHNhbmRzdmMgYmlucGF0aD0gInM0bmRjNHQuZXhlIC1vcmlnaW5MaW5rSUQgMTExMTExIg==',
                          paw='123456', ability=test_ability, executor=test_executor, id=111111)
         serialized_link = test_link.display
         loaded_link = Link.load(serialized_link)
@@ -111,7 +119,8 @@ def test_link_agent_reported_time_present_when_set_roundtrip(self, ability, exec
         agent_reported_time = '2021-02-23T11:50:16Z'
         test_executor = executor(name='psh', platform='windows')
         test_ability = ability(ability_id='123')
-        test_link = Link(command='sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 111111"',
+        # sc.exe \\dc create sandsvc binpath= "s4ndc4t.exe -originLinkID 111111"
+        test_link = Link(command='c2MuZXhlIFxcZGMgY3JlYXRlIHNhbmRzdmMgYmlucGF0aD0gInM0bmRjNHQuZXhlIC1vcmlnaW5MaW5rSUQgMTExMTExIg==',
                          paw='123456', ability=test_ability, executor=test_executor, id=111111,
                          agent_reported_time=BaseService.get_timestamp_from_string(agent_reported_time))
         serialized_link = test_link.display
@@ -126,7 +135,8 @@ def test_link_knowledge_svc_synchronization(self, event_loop, executor, ability,
         fact = Fact(trait='remote.host.fqdn', value='dc')
         fact2 = Fact(trait='domain.user.name', value='Bob')
         relationship = Relationship(source=fact, edge='has_admin', target=fact2)
-        test_link = Link(command='echo "this was a triumph"',
+        # echo "this was a triumph"
+        test_link = Link(command='ZWNobyAidGhpcyB3YXMgYSB0cml1bXBoIg==',
                          paw='123456', ability=test_ability, id=111111, executor=test_executor)
         event_loop.run_until_complete(test_link.create_relationships([relationship], None))
         checkable = [(x.trait, x.value) for x in test_link.facts]
@@ -144,16 +154,17 @@ def test_create_relationship_source_fact(self, event_loop, ability, executor, op
         fact1 = Fact(trait='remote.host.fqdn', value='dc')
         fact2 = Fact(trait='domain.user.name', value='Bob')
         relationship = Relationship(source=fact1, edge='has_admin', target=fact2)
-        link1 = Link(command='echo "Bob"', paw='123456', ability=test_ability, id='111111', executor=test_executor)
+        # echo "Bob"
+        link1 = Link(command='ZWNobyAiQm9iIg==', paw='123456', ability=test_ability, id='111111', executor=test_executor)
         operation = operation(name='test-op', agents=[],
                               adversary=Adversary(name='sample', adversary_id='XYZ', atomic_ordering=[],
                                                   description='test'),
                               source=Source(id='test-source', facts=[fact1]))
         event_loop.run_until_complete(data_svc.store(operation.source))
         event_loop.run_until_complete(operation._init_source())
         event_loop.run_until_complete(link1.create_relationships([relationship], operation))
-
-        link2 = Link(command='echo "Bob"', paw='789100', ability=test_ability, id='222222', executor=test_executor)
+        # echo "Bob"
+        link2 = Link(command='ZWNobyAiQm9iIg==', paw='789100', ability=test_ability, id='222222', executor=test_executor)
         event_loop.run_until_complete(link2.create_relationships([relationship], operation))
 
         fact_store_operation_source = event_loop.run_until_complete(knowledge_svc.get_facts(dict(source=operation.source.id)))
@@ -168,7 +179,8 @@ def test_save_discover_seeded_fact_not_in_command(self, event_loop, ability, exe
         fact1 = Fact(trait='remote.host.fqdn', value='dc')
         fact2 = Fact(trait='domain.user.name', value='Bob')
         relationship = Relationship(source=fact1, edge='has_user', target=fact2)
-        link = Link(command='net user', paw='123456', ability=test_ability, id='111111', executor=test_executor)
+        # net user
+        link = Link(command='bmV0IHVzZXI=', paw='123456', ability=test_ability, id='111111', executor=test_executor)
         operation = operation(name='test-op', agents=[],
                               adversary=Adversary(name='sample', adversary_id='XYZ', atomic_ordering=[],
                                                   description='test'),
diff --git a/tests/services/test_rest_svc.py b/tests/services/test_rest_svc.py
@@ -125,28 +125,6 @@ def test_delete_operation(self, event_loop, rest_svc, data_svc):
         event_loop.run_until_complete(internal_rest_svc.delete_operation(delete_criteria))
         assert event_loop.run_until_complete(data_svc.locate('operations', match=dict(id=operation_id))) == []
 
-    def test_update_config(self, event_loop, data_svc, rest_svc):
-        internal_rest_svc = rest_svc(event_loop)
-        # check that an ability reflects the value in app. property
-        pre_ability = event_loop.run_until_complete(data_svc.locate('abilities', dict(ability_id='123')))
-        assert '0.0.0.0' == BaseWorld.get_config('app.contact.http')
-        assert 'curl 0.0.0.0' == next(pre_ability[0].executors).test
-
-        # update property
-        event_loop.run_until_complete(internal_rest_svc.update_config(data=dict(prop='app.contact.http', value='127.0.0.1')))
-
-        # verify ability reflects new value
-        post_ability = event_loop.run_until_complete(data_svc.locate('abilities', dict(ability_id='123')))
-        assert '127.0.0.1' == BaseWorld.get_config('app.contact.http')
-        assert 'curl 127.0.0.1' == next(post_ability[0].executors).test
-
-    def test_update_config_plugin(self, event_loop, rest_svc):
-        internal_rest_svc = rest_svc(event_loop)
-        # update plugin property
-        assert ['sandcat', 'stockpile'] == BaseWorld.get_config('plugins')
-        event_loop.run_until_complete(internal_rest_svc.update_config(data=dict(prop='plugin', value='ssl')))
-        assert ['sandcat', 'stockpile', 'ssl'] == BaseWorld.get_config('plugins')
-
     def test_create_operation(self, event_loop, rest_svc, data_svc):
         want = {'name': 'Test',
                 'adversary': {'description': 'an empty adversary profile', 'name': 'ad-hoc', 'adversary_id': 'ad-hoc',
diff --git a/tests/web_server/test_core_endpoints.py b/tests/web_server/test_core_endpoints.py
@@ -110,24 +110,6 @@ async def test_invalid_request(aiohttp_client, authorized_cookies, sample_agent)
     assert messages == dict(sleep_min=['Not a valid integer.'])
 
 
-async def test_command_overwrite_failure(aiohttp_client, authorized_cookies):
-    resp = await aiohttp_client.post('/api/rest',
-                                     cookies=authorized_cookies,
-                                     json=dict(index='configuration',
-                                               prop='requirements',
-                                               value=dict(go=dict(command='this should not get written',
-                                                                  type='installed program',
-                                                                  version='1.11',),
-                                                          python=dict(attr='version',
-                                                                      module='sys',
-                                                                      type='python_module',
-                                                                      version='3.11.0'))))
-
-    assert resp.status == HTTPStatus.OK
-    config_dict = await resp.json()
-    assert config_dict.get('requirements', dict()).get('go', dict()).get('command') == 'go version'
-
-
 async def test_custom_rejecting_login_handler(aiohttp_client):
     class RejectAllLoginHandler(LoginHandlerInterface):
         def __init__(self, services):
