From e5c6ce982787390a9a0192a5e59ce4f1c76f618b Mon Sep 17 00:00:00 2001 From: Zero Tang Date: Mon, 15 Mar 2021 03:16:25 +0800 Subject: [PATCH] Limit malicious requests from backend Added 400 and 404 pages and corresponding handlers. Added additional checks for any incoming HTTP requests that have input parameters. --- pserver.py | 131 ++++++++++++++++++++++++++------------------- readme.md | 4 +- templates/400.html | 8 +++ templates/404.html | 8 +++ 4 files changed, 93 insertions(+), 58 deletions(-) create mode 100644 templates/400.html create mode 100644 templates/404.html diff --git a/pserver.py b/pserver.py index 6a16149..3d884ee 100644 --- a/pserver.py +++ b/pserver.py @@ -1,4 +1,4 @@ -from flask import Flask, render_template, request, send_file, jsonify +from flask import Flask, render_template, request, send_file, jsonify, abort import zipfile import json import time 
@@ -15,74 +15,93 @@ def runSimulation(input1): # Parse simulation parameters. Param = input1.split("&") # Parameters are separated by '&' delimiter. print(Param) - ddd_state = (Param[0] == "true") - skip_sim = (Param[1] == "true") - sumOut = (Param[2] == "true") - logOut = (Param[3] == "true") + # Check parameter count. + if len(Param)==24: # VERY-IMPORTANT: Modify here if there are changes to total number of requests! + ddd_state = (Param[0] == "true") + skip_sim = (Param[1] == "true") + sumOut = (Param[2] == "true") + logOut = (Param[3] == "true") - packet_size = int(Param[4]) - rtsa = int(Param[5]) - max_queue_size = int(Param[6]) - ddd_mapping_delay = int(Param[7]) - propagation_delay = int(Param[8]) - number_of_ddd_ports = int(Param[9]) - time_to_next_ddd_port = int(Param[10]) - overlap_time_old_ddd = int(Param[11]) - durationSim = float(Param[12]) - numbSynAckResends = int(Param[13]) - clienttoRouter = int(Param[14]) - routertoClient = int(Param[15]) - routertoReflector = int(Param[16]) - routertoNormal = int(Param[17]) - normaltoRouter = int(Param[18]) - reflectortoRouter = int(Param[19]) - attackertoReflector = int(Param[20]) - queueLimit = int(Param[21]) - attackerType = float(Param[22]) - amplification = float(Param[23]) + packet_size = int(Param[4]) + rtsa = int(Param[5]) + max_queue_size = int(Param[6]) + ddd_mapping_delay = int(Param[7]) + propagation_delay = int(Param[8]) + number_of_ddd_ports = int(Param[9]) + time_to_next_ddd_port = int(Param[10]) + overlap_time_old_ddd = int(Param[11]) + durationSim = float(Param[12]) + numbSynAckResends = int(Param[13]) + clienttoRouter = int(Param[14]) + routertoClient = int(Param[15]) + routertoReflector = int(Param[16]) + routertoNormal = int(Param[17]) + normaltoRouter = int(Param[18]) + reflectortoRouter = int(Param[19]) + attackertoReflector = int(Param[20]) + queueLimit = int(Param[21]) + attackerType = float(Param[22]) + amplification = float(Param[23]) - response = main.runSimulation(ddd_state, skip_sim, 
sumOut, - logOut, packet_size, rtsa, - max_queue_size, ddd_mapping_delay, - propagation_delay, number_of_ddd_ports, - time_to_next_ddd_port, overlap_time_old_ddd, - durationSim, numbSynAckResends, clienttoRouter, - routertoClient, routertoReflector, routertoNormal, - normaltoRouter, reflectortoRouter, - attackertoReflector, queueLimit, attackerType, - amplification) + response = main.runSimulation(ddd_state, skip_sim, sumOut, + logOut, packet_size, rtsa, + max_queue_size, ddd_mapping_delay, + propagation_delay, number_of_ddd_ports, + time_to_next_ddd_port, overlap_time_old_ddd, + durationSim, numbSynAckResends, clienttoRouter, + routertoClient, routertoReflector, routertoNormal, + normaltoRouter, reflectortoRouter, + attackertoReflector, queueLimit, attackerType, + amplification) - print('Backend Simulation Total Elapsed Time:', time.time() - start_time, 'seconds') + print('Backend Simulation Total Elapsed Time:', time.time() - start_time, 'seconds') - # Converting response data structure into json string - return jsonify(response) + # Converting response data structure into json string + return jsonify(response) + else: + abort(400) @app.route('/download/') # This is the endpoint that the javascript code will call to run simulation on server def download(fileName): - if fileName.startswith("log"): - return send_file("logs\\" + fileName, as_attachment=True) - elif fileName.startswith("summary"): - return send_file("summaries\\" + fileName, as_attachment=True) + try: + if fileName.startswith("log"): + return send_file("logs\\" + fileName, as_attachment=True) + elif fileName.startswith("summary"): + return send_file("summaries\\" + fileName, as_attachment=True) + else: + abort(400) + except FileNotFoundError: + abort(404) @app.route('/download2/') def download2(statement): - fileName = "" - newName = "" - for i in range(0, len(statement)): - # Search for delimiter. - if(statement[i] == '&'): - # Construct file names... 
- fileName = statement[:i] - newName = statement[i+1:] - break - # Things are over. - if fileName.startswith("log"): - return send_file("logs\\" + fileName, as_attachment=True, attachment_filename=newName) - elif fileName.startswith("summary"): - return send_file("summaries\\" + fileName, as_attachment=True, attachment_filename=newName) + # We may use split function to process the request. + tmp = statement.split("&") + fileName = tmp[0] + newName = tmp[1] + if len(tmp)==2: + try: + if fileName.startswith("log"): + return send_file("logs\\" + fileName, as_attachment=True, attachment_filename=newName) + elif fileName.startswith("summary"): + return send_file("summaries\\" + fileName, as_attachment=True, attachment_filename=newName) + else: + abort(400) + except FileNotFoundError: + abort(404) + else: + abort(400) @app.route('/') def index(): return render_template('temp_index.html') # This renders index.html as the starting screen + +@app.errorhandler(400) +def badRequest(e): + return render_template("400.html"), 400 + +@app.errorhandler(404) +def pageNotFound(e): + return render_template("404.html"), 404 \ No newline at end of file diff --git a/readme.md b/readme.md index 013dc33..dffa6c3 100644 --- a/readme.md +++ b/readme.md @@ -4,9 +4,9 @@ Group 22 in 2020-2021 CSE SDP is assigned to make a simulator and visualization ## Installing flask: There are two options to get started on Windows. -### Option 1: Get Started for Flask on Windows with Python for Windows. +### Option 1: Get Started for Flask on Windows with Python for Windows. (Recommended!) The essential thing to get started is to install `Python` and then to install `flask`. Due to the versioning issues of `Python`, please make sure you are installing the correct version. We recommend installing `Python` via the official website: https://www.python.org/downloads/
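Review bot: The `startswith("log")` / `startswith("summary")` prefix checks in `download` and `download2` do not prevent path traversal: `fileName` is still concatenated into `"logs\\" + fileName`, and Flask's default `<string>` route converter only rejects `/`, so on Windows (which the backslash paths suggest) a name such as `log\..\..\pserver.py` passes the prefix check and escapes the directory. Serve the files with `send_from_directory("logs", fileName, as_attachment=True)` (and likewise for `"summaries"`, passing `attachment_filename=newName` through in `download2`), which resolves the name via `safe_join` and answers `..`/separator tricks and missing files with a 404, so the `except FileNotFoundError` fallback becomes unnecessary. Separately, `download2` evaluates `fileName = tmp[0]` and `newName = tmp[1]` before the `len(tmp)==2` check, so a request without `&` raises IndexError (a 500) instead of the intended 400; move those two assignments under the `if`. In `runSimulation`, a non-numeric parameter makes `int()`/`float()` raise ValueError and likewise yields a 500 rather than `abort(400)`, so wrap the conversions in `try: ... except ValueError: abort(400)`.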
-As an additional note, Windows 7 is no longer supported in `3.9.x` version of `Python`. Please download the [3.8.7 version](https://www.python.org/downloads/release/python-387/) in case you are using Windows 7. +As an additional note, Windows 7 is no longer supported in `3.9.x` version of `Python`. Please download the [3.8.8 version](https://www.python.org/downloads/release/python-388/) in case you are using Windows 7. Follow these steps to get started: diff --git a/templates/400.html b/templates/400.html new file mode 100644 index 0000000..c6b51aa --- /dev/null +++ b/templates/400.html @@ -0,0 +1,8 @@ + + + +

Request Error

+

Further details: Error 400. Bad Request.

+

Check your URL! Either your URL does not meet our syntax, or you are not request correct thing at all!

+ + \ No newline at end of file diff --git a/templates/404.html b/templates/404.html new file mode 100644 index 0000000..68ca42f --- /dev/null +++ b/templates/404.html @@ -0,0 +1,8 @@ + + + +

Request Error

+

Further details: Error 404. Page Not Found.

+

Check your URL! You are making an incorrect request!

+ + \ No newline at end of file