CTFs as you need them
APACHE-2.0 License
Published by ColdHeat over 4 years ago
General
API
Added /api/v1/challenges?view=admin to allow admin users to see all challenges regardless of their visibility state
Added /api/v1/users?view=admin to allow admin users to see all users regardless of their hidden/banned state
Added /api/v1/teams?view=admin to allow admin users to see all teams regardless of their hidden/banned state
/api/v1/scoreboard is now significantly more performant (20x) due to better response generation
/api/v1/scoreboard/top/<count> is now more performant (3x) due to better response generation
/api/v1/scoreboard will no longer show hidden/banned users in a non-hidden team
Deployment
docker-compose now provides a basic nginx configuration and deploys nginx on port 80
Dockerfile now installs python3 and python3-dev instead of python and python-dev because Alpine no longer provides those dependencies
Miscellaneous
get_config and get_page config utilities now use SQLAlchemy Core instead of SQLAlchemy ORM for slight speedups
get_team_standings and get_user_standings functions now return more data (id, oauth_id, name, score for regular users and banned, hidden as well for admins)
Properly handle % signs in database passwords.
Published by ColdHeat over 4 years ago
Miscellaneous
Bumped gunicorn dependency to 19.10.0
Bumped boto3 dependency to 1.13.9
Improved import_ctf() reliability by closing all connections before dropping & recreating the database
db folder
Changed the import_ctf() process slightly to import built-in tables first and then plugin tables
API
Deleting a file (DELETE /api/v1/files/[file_id]) will now correctly delete the associated file
Plugins
Added CTFd.plugins.get_plugin_names() to get a list of available plugins
Added CTFd.plugins.migrations.current() to get the current revision of a plugin migration
Updated CTFd.plugins.migrations.upgrade() to be able to upgrade to a specific plugin migration
Themes
scoreboard.js
Admin Panel
Published by ColdHeat over 4 years ago
Admin Panel
Plugins
Added CTFd.plugins.migrations module to allow plugins to handle migrations. Plugins should now call CTFd.plugins.migrations.upgrade instead of app.db.create_all, which will allow the plugin to have database migrations.
Miscellaneous
Added app.plugins_dir object to refer to the directory where plugins are installed
Published by ColdHeat over 4 years ago
Admin Panel
Miscellaneous
Added SQLALCHEMY_ENGINE_OPTIONS to config.py with a slightly higher default max_overflow setting for SQLALCHEMY_MAX_OVERFLOW. This can be overridden with the SQLALCHEMY_MAX_OVERFLOW envvar
Added node_modules/ to .dockerignore
Published by ColdHeat over 4 years ago
General
Replaced flask_restplus with flask_restx
Removed the datafreeze, normality, and banal dependencies in favor of in-repo solutions for exporting the database
Admin Panel
Themes
python manage.py build jsenums
Added CSS utility classes (.min-vh-* and .opacity-*)
Added .spinner-error CSS class
is_admin()
Miscellaneous
get_config from CTFd.models
EmailMessage
Use the Faker library for populate.py instead of hardcoded data
Added yarn lint command to run eslint on JS files
Published by ColdHeat over 4 years ago
General
API
POST /api/v1/unlocks will no longer allow duplicate unlocks to happen
Admin Panel
Made the Account Visibility subtext clearer by explaining the Private setting in the Config Panel
Themes
Miscellaneous
Published by ColdHeat over 4 years ago
General
TEAMS_MODE
API
Changed the /api/v1/statistics/users route to be admins_only
In /api/v1/awards, CTFd will look up a user's team ID if team_id is not specified
Admin Panel
Themes
The core theme stores the initial value of inputs as a data attribute and checks for changes when updating data. This should be a temporary hack until a proper front-end framework is in place.
Fixed an ezToast() issue that was keeping toast messages visible indefinitely
Fixed the modal-body parameters in ezq.js for ezAlert and ezQuery and fixed the progress bar for certain cases in ezProgressBar
Use the authed() function to check if the user is authed in base.html. This fixes an issue where a page could look as if the user was logged in.
Miscellaneous
Fixed the REVERSE_PROXY config setting when set to a boolean instead of a string
Changed the Dockerfile to run fewer commands and re-use the build cache
Added make coverage to generate an HTML coverage report
Added coverage and pytest-cov development dependencies
Published by ColdHeat over 4 years ago
General
Published by ColdHeat over 4 years ago
General
The views.custom_css route has been removed.
The manage.py script can now manipulate the CTFd Configs table via the get_config and set_config commands (e.g. python manage.py get_config ctf_theme and python manage.py set_config ctf_theme core)
Themes
Use the theme_header and theme_footer configs instead of the views.custom_css endpoint to allow for user customizations. See the base.html file of the core theme.
Plugins
Made the ezq functions available to CTFd.js under CTFd.ui.ezq
Miscellaneous
Added isort and enforced import order
Published by ColdHeat almost 5 years ago
All CTFd administrators are recommended to take the following steps:
Rotate your SECRET_KEY value
Security
General
Published by ColdHeat almost 5 years ago
General
Published by ColdHeat almost 5 years ago
General
Published by ColdHeat almost 5 years ago
2.2.0 focuses on updating the front end of CTFd to use more modern programming practices and changes some aspects of core CTFd design. If your current installation is using a custom theme or custom plugin with any kind of JavaScript, it is likely that you will need to upgrade that theme/plugin to be usable with v2.2.0.
General
API
Removing team members (DELETE /api/v1/teams/[team_id]/members) from the admin panel will now delete the removed member's Submissions, Awards, Unlocks
Admin Panel
Themes
Added a d GET parameter that changes per server start. Used to bust browser caches.
Use defer for script tags to not block page rendering
Added ezToast() function to use Bootstrap's toasts
Deployment
Updated Dockerfile from python:2.7-alpine to python:3.7-alpine
Added SERVER_SENT_EVENTS config value to control whether Notifications are enabled
Plugins
Updated register_plugin_assets_directory() and register_plugin_asset() to control what endpoint Flask uses for the added route
Miscellaneous
CTFd.utils.email.sendmail() now allows the caller to specify subject as an argument
Added CTFd.utils.formatters.safe_format() function
Published by ColdHeat about 5 years ago
General
Fixed the flask run debug server by not monkey patching in wsgi.py
API
Published by ColdHeat about 5 years ago
General
In Teams Mode, the team pages and user pages now correctly exclude hidden teams
Fixed Users.get_place() and Teams.get_place() to return None instead of 0 if the account has no rank/place
Themes
id='submit' on submit buttons in various theme files
Set tabindex to 0 since we don't really care for forcing tab order
Renamed statistics.js to graphs.js in the Admin Panel as it was identified that adblockers can sometimes block the file
API
Modifying a team (/api/v1/teams/me) will now return 403 instead of 400 if the requesting user is not the captain
Published by ColdHeat over 5 years ago
General
view_after_ctf is enabled
Redirect to /team instead of /challenges after a user registers in team mode
hidden weren't loading
Removed data-href from pages.html in the Admin Panel to fix the delete button
update(). They now correctly point to the user instead of undefined when in user mode.
utils._get_config will now return KeyError instead of None to avoid cache misses
Deployment
Use /dev/shm for --worker-tmp-dir in gunicorn in Docker
get_place code for users and teams.
Use Flask-DebugToolbar in development
Cache the /scoreboard page to avoid having to rebuild the response so often
Made the ctfd user usable for the mysql connection in docker-compose by having the db image create the database instead of CTFd
API
Changed /api/v1/teams/[team_id]/members from taking id to user_id.
Added account_type and account_url fields in /api/v1/scoreboard
Split /api/v1/[users,teams]/[me,id]/[solves,fails,awards] into separate API endpoints
Exports
import_ctf()
Added cache_timeout parameter to the send_file response in /admin/export to prevent the browser from caching the export
Tests
Published by ColdHeat over 5 years ago
General
Made the /api/v1/[users,teams]/[me]/[solves,fails,awards] endpoints load as admin so users can see their solves after freeze
Made /api/v1/challenges/[id]/solves only show solves before freeze time
Added ?preview=true GET parameter for admins to preview challenge solves as a user
Tests
prettier: prettier --write 'CTFd/themes/**/*'
black: black CTFd and black tests
make lint and thus Travis now include the above commands as lint checks
Published by ColdHeat over 5 years ago
General
Allow access to /api/v1/challenges and /api/v1/challenges/[id] without having a team to fix challenge previews
Updated populate.py to assign captains to teams.
Models
Removed the Challenges.flags relationship and moved the Flags.challenge relationship to a backref on Challenges
Added ondelete='CASCADE' to most ForeignKeys in models allowing for deletions to remove associated data
  Hints should be deleted when their Challenge is deleted
  Tags should be deleted when their Challenge is deleted
  Flags should be deleted when their Challenge is deleted
  ChallengeFiles should be deleted when their Challenge is deleted
  Awards should be deleted when their user or team is deleted
  Unlocks should be deleted when their user or team is deleted
  Tracking should be deleted when their user or team is deleted
  Teams.captain_id should be set to NULL when the captain user is deleted
Exports
Allow db.create_all() to happen for imports on sqlite or on failure to create missing tables
Force ctf_theme to be set to core in imports in case a theme is missing from the import or the instance
Deployment
Published by ColdHeat over 5 years ago
General
Added /events endpoint
/files/<path> now accepts a ?token= parameter which is a serialized version of {user_id: <>, team_id: <>, file_id: <>}
  This allows files to be downloaded with curl or wget (i.e. without cookie authentication)
Added caching to /api/v1/scoreboard and /api/v1/scoreboard/top/[count]
  Uses cache.make_cache_key because Flask-Caching is unable to cleanly determine the endpoint for Flask-Restplus
If an element has a data-href attribute it will become clickable
Dependencies
Updated SQLAlchemy to 1.3.3 for proper JSON columns in SQLite
Pinned Werkzeug==0.15.2 in requirements.txt
serve.py --profile
Models
Added a type column which is used as a polymorphic identity
Added Teams.captain_id column to the Teams table
API
Added caching to /api/v1/scoreboard and /api/v1/scoreboard/top/[count]
  Uses cache.make_cache_key because Flask-Caching is unable to cleanly determine the endpoint for Flask-Restplus
Added /api/v1/users?notify=true to email user & password after creating a new account
Plugins
CTFd.utils.security.passwords is deprecated and now available at CTFd.utils.crypto
Plugins should no longer add script_root to file downloads as that will now be managed by the API
Themes
500.html
Removed socket.io.min.js from base.html
Added howler.js to play notification sounds
admin and core themes have been de-duped
The core theme should now be considered free to use by other themes
base.html and available in the CTFd.js object
Merged admin/templates/modals/users/create.html into admin/templates/modals/users/edit.html
Exports
Deployment
No longer run as root in the Docker image
Added volumes to docker-compose to store files/logs (/var/log/CTFd, /var/uploads)
gevent
Removed SOCKETIO_ASYNC_MODE config
gevent is now required to allow the Server Sent Events client polling code to work
  If you are using wsgi.py or gevent gunicorn workers, there shouldn't be any issues
Added caching to /api/v1/scoreboard and /api/v1/scoreboard/top/[count] which is invalidated on new solves or every minute
Configuration
Added SWAGGER_UI setting to config.py to control the existence of the /api/v1/ Swagger UI documentation
Removed SOCKETIO_ASYNC_MODE config
Renamed SQLALCHEMY_DATABASE_URI to DATABASE_URL
The REVERSE_PROXY configuration can be set to True or to a comma separated string of integers (e.g. 1,1,1,1,1)
  For example, to configure x_for=1, x_proto=1, x_host=1, x_port=1, x_prefix=1 specify 1,1,1,1,1
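The REVERSE_PROXY value described above, worked through as an added example (not CTFd's own code): parse_reverse_proxy() and client_ip() are hypothetical helpers that reimplement in plain Python how the five integers map to ProxyFix arguments and how X-Forwarded-For is resolved for a given number of trusted hops; all addresses are constructed.

```python
# Added illustration of the REVERSE_PROXY setting; not CTFd code.
# parse_reverse_proxy() and client_ip() are hypothetical helpers that mirror,
# in plain Python, how Werkzeug's ProxyFix treats the five integers
# (x_for, x_proto, x_host, x_port, x_prefix) and the X-Forwarded-For header.
PROXY_FIX_ARGS = ("x_for", "x_proto", "x_host", "x_port", "x_prefix")


def parse_reverse_proxy(value):
    """Map the REVERSE_PROXY config value to ProxyFix keyword arguments.

    True (or the string "true") means one trusted hop for every header;
    a "1,1,1,1,1"-style string gives per-header hop counts; anything
    false-like returns None, meaning no proxy headers are trusted.
    """
    if isinstance(value, bool):
        return dict.fromkeys(PROXY_FIX_ARGS, 1) if value else None
    text = str(value).strip().lower()
    if text in ("", "false", "0"):
        return None
    if text == "true":
        return dict.fromkeys(PROXY_FIX_ARGS, 1)
    counts = [int(part) for part in text.split(",")]
    if len(counts) != len(PROXY_FIX_ARGS):
        raise ValueError("REVERSE_PROXY needs exactly five comma separated integers")
    return dict(zip(PROXY_FIX_ARGS, counts))


def client_ip(remote_addr, x_forwarded_for, x_for):
    """Resolve the client address the way ProxyFix does for x_for trusted hops.

    Each trusted proxy appends the peer address it saw, so the real client is
    the x_for-th entry from the right.  If the header is missing or shorter
    than the trusted chain, the socket peer address is kept.
    """
    if x_for <= 0 or not x_forwarded_for:
        return remote_addr
    hops = [hop.strip() for hop in x_forwarded_for.split(",") if hop.strip()]
    if len(hops) < x_for:
        return remote_addr
    return hops[-x_for]


if __name__ == "__main__":
    opts = parse_reverse_proxy("1,1,1,1,1")  # one nginx in front, as in docker-compose
    # Constructed addresses: nginx at 10.0.0.2 appends the real peer 198.51.100.9.
    print(client_ip("10.0.0.2", "198.51.100.9", opts["x_for"]))
    # A client that forges the header cannot pick its own address with x_for=1 ...
    print(client_ip("10.0.0.2", "203.0.113.7, 198.51.100.9", opts["x_for"]))
    # ... but trusting two hops when only one proxy exists lets the forged value through.
    print(client_ip("10.0.0.2", "203.0.113.7, 198.51.100.9", 2))
```

Setting the hop counts to the real number of proxies in front of CTFd is what keeps rate limiting and logging tied to the true client address.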
Tests
Switched from nosetests to pytest
Switched from pycodestyle to flake8
bandit
Updated the create_ctfd() test helper to take app configuration as an argument
Published by ColdHeat over 5 years ago
Security
General