-
Notifications
You must be signed in to change notification settings - Fork 273
Expand file tree
/
Copy pathdatabase.py
More file actions
373 lines (340 loc) · 14.9 KB
/
database.py
File metadata and controls
373 lines (340 loc) · 14.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
import os
import psycopg2
from psycopg2 import pool
from datetime import datetime
import time
# Vulnerable database configuration
# CWE-259: Use of Hard-coded Password
# CWE-798: Use of Hard-coded Credentials
DB_CONFIG = {
'dbname': os.getenv('DB_NAME', 'vulnerable_bank'),
'user': os.getenv('DB_USER', 'postgres'),
'password': os.getenv('DB_PASSWORD', 'postgres'), # Hardcoded password in default value
'host': os.getenv('DB_HOST', 'localhost'),
'port': os.getenv('DB_PORT', '5432')
}
# Create a connection pool
connection_pool = None
def init_connection_pool(min_connections=2, max_connections=30, max_retries=5, retry_delay=2):
"""
Initialize the database connection pool with retry mechanism
Vulnerability: No connection encryption enforced
"""
global connection_pool
if connection_pool is not None:
return connection_pool
retry_count = 0
while retry_count < max_retries:
try:
connection_pool = psycopg2.pool.ThreadedConnectionPool(
min_connections,
max_connections,
**DB_CONFIG
)
print("Database connection pool created successfully")
return connection_pool
except Exception as e:
retry_count += 1
print(f"Failed to connect to database (attempt {retry_count}/{max_retries}): {e}")
if retry_count < max_retries:
print(f"Retrying in {retry_delay} seconds...")
time.sleep(retry_delay)
else:
print("Max retries reached. Could not establish database connection.")
raise e
def check_database_connection():
conn = None
try:
conn = get_connection()
with conn.cursor() as cursor:
cursor.execute("SELECT 1")
cursor.fetchone()
return True
except Exception as e:
print(f"Database health check failed: {e}")
return False
finally:
if conn:
return_connection(conn)
def get_connection():
if not connection_pool:
raise Exception("Connection pool not initialized")
max_attempts = max(1, int(os.getenv('DB_POOL_CHECKOUT_ATTEMPTS', '3')))
retry_delay = float(os.getenv('DB_POOL_CHECKOUT_RETRY_DELAY', '0.2'))
for attempt in range(1, max_attempts + 1):
try:
return connection_pool.getconn()
except pool.PoolError as e:
if attempt >= max_attempts:
raise e
print(
"Database connection pool exhausted "
f"(attempt {attempt}/{max_attempts}); retrying in {retry_delay} seconds"
)
time.sleep(retry_delay)
def return_connection(connection):
if connection_pool:
connection_pool.putconn(connection)
def init_db():
"""
Initialize database tables
Multiple vulnerabilities present for learning purposes
"""
conn = get_connection()
try:
with conn.cursor() as cursor:
# Create users table
cursor.execute('''
CREATE TABLE IF NOT EXISTS users (
id SERIAL PRIMARY KEY,
username TEXT NOT NULL UNIQUE,
password TEXT NOT NULL, -- Vulnerability: Passwords stored in plaintext
account_number TEXT NOT NULL UNIQUE,
balance DECIMAL(15, 2) DEFAULT 1000.0,
is_admin BOOLEAN DEFAULT FALSE,
profile_picture TEXT,
reset_pin TEXT, -- Vulnerability: Reset PINs stored in plaintext
bio TEXT, -- Vulnerability: Stored XSS - User bio without sanitization
is_suspended BOOLEAN DEFAULT FALSE
)
''')
# Migration: Add bio column if it doesn't exist (for existing databases)
try:
cursor.execute("ALTER TABLE users ADD COLUMN IF NOT EXISTS bio TEXT")
except Exception:
pass # Column already exists or error adding it
try:
cursor.execute("ALTER TABLE users ADD COLUMN IF NOT EXISTS is_suspended BOOLEAN DEFAULT FALSE")
except Exception:
pass # Column already exists or error adding it
# Create loans table
cursor.execute('''
CREATE TABLE IF NOT EXISTS loans (
id SERIAL PRIMARY KEY,
user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
amount DECIMAL(15, 2),
status TEXT DEFAULT 'pending'
)
''')
# Create transactions table
cursor.execute('''
CREATE TABLE IF NOT EXISTS transactions (
id SERIAL PRIMARY KEY,
from_account TEXT NOT NULL,
to_account TEXT NOT NULL,
amount DECIMAL(15, 2) NOT NULL,
timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
transaction_type TEXT NOT NULL,
description TEXT
)
''')
# Create virtual cards table
cursor.execute('''
CREATE TABLE IF NOT EXISTS virtual_cards (
id SERIAL PRIMARY KEY,
user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
card_number TEXT NOT NULL UNIQUE, -- Vulnerability: Card numbers stored in plaintext
cvv TEXT NOT NULL, -- Vulnerability: CVV stored in plaintext
expiry_date TEXT NOT NULL,
card_limit NUMERIC(20, 8) DEFAULT 1000.0,
current_balance NUMERIC(20, 8) DEFAULT 0.0,
is_frozen BOOLEAN DEFAULT FALSE,
is_active BOOLEAN DEFAULT TRUE,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
last_used_at TIMESTAMP,
card_type TEXT DEFAULT 'standard', -- Vulnerability: No validation on card type
currency TEXT DEFAULT 'USD'
)
''')
# Create virtual card transactions table
cursor.execute('''
CREATE TABLE IF NOT EXISTS card_transactions (
id SERIAL PRIMARY KEY,
card_id INTEGER REFERENCES virtual_cards(id) ON DELETE CASCADE,
amount NUMERIC(20, 8) NOT NULL,
merchant_name TEXT, -- Vulnerability: No input validation
transaction_type TEXT NOT NULL,
status TEXT DEFAULT 'pending',
timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
description TEXT
)
''')
# Create merchants table for public vulnerable payment APIs
cursor.execute('''
CREATE TABLE IF NOT EXISTS merchants (
id SERIAL PRIMARY KEY,
name TEXT NOT NULL,
email TEXT NOT NULL,
password TEXT NOT NULL, -- Vulnerability: Merchant passwords stored in plaintext
api_key TEXT NOT NULL, -- Vulnerability: API keys stored in plaintext
is_active BOOLEAN DEFAULT TRUE,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)
''')
# Create merchant payments table
cursor.execute('''
CREATE TABLE IF NOT EXISTS merchant_payments (
id SERIAL PRIMARY KEY,
merchant_id INTEGER REFERENCES merchants(id) ON DELETE CASCADE,
card_id INTEGER REFERENCES virtual_cards(id) ON DELETE SET NULL,
amount NUMERIC(20, 8) NOT NULL,
currency TEXT DEFAULT 'USD',
status TEXT DEFAULT 'pending',
merchant_order_id TEXT,
authorization_code TEXT,
failure_reason TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)
''')
seeded_merchants = [
('graphQL bookstore', 'bookstore@vulnbank.org', 'bookstore123', 'vk_fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71', True),
('PwnShop', 'pwnshop@vulnbank.org', 'pwnshop123', 'vk_b281bc2c616cb3c3a097215fdc9397ae87e6e06b156cc34e656be7a1a9ce8839', True)
]
for merchant in seeded_merchants:
cursor.execute("SELECT id FROM merchants WHERE email = %s", (merchant[1],))
if cursor.fetchone():
cursor.execute(
"""
UPDATE merchants
SET name = %s, password = %s, api_key = %s, is_active = %s
WHERE email = %s
""",
(merchant[0], merchant[2], merchant[3], merchant[4], merchant[1])
)
else:
cursor.execute(
"""
INSERT INTO merchants (name, email, password, api_key, is_active)
VALUES (%s, %s, %s, %s, %s)
""",
merchant
)
try:
cursor.execute("ALTER TABLE virtual_cards ADD COLUMN IF NOT EXISTS currency TEXT DEFAULT 'USD'")
except Exception:
pass
try:
cursor.execute("ALTER TABLE virtual_cards ALTER COLUMN card_limit TYPE NUMERIC(20, 8)")
cursor.execute("ALTER TABLE virtual_cards ALTER COLUMN current_balance TYPE NUMERIC(20, 8)")
cursor.execute("ALTER TABLE card_transactions ALTER COLUMN amount TYPE NUMERIC(20, 8)")
except Exception:
pass
# Create default admin account if it doesn't exist
cursor.execute("SELECT * FROM users WHERE username='admin'")
if not cursor.fetchone():
cursor.execute(
"""
INSERT INTO users (username, password, account_number, balance, is_admin)
VALUES (%s, %s, %s, %s, %s)
""",
('admin', 'admin123', 'ADMIN001', 1000000.0, True)
)
# Create bill categories table
cursor.execute('''
CREATE TABLE IF NOT EXISTS bill_categories (
id SERIAL PRIMARY KEY,
name TEXT NOT NULL UNIQUE,
description TEXT,
is_active BOOLEAN DEFAULT TRUE
)
''')
# Create billers table
cursor.execute('''
CREATE TABLE IF NOT EXISTS billers (
id SERIAL PRIMARY KEY,
category_id INTEGER REFERENCES bill_categories(id),
name TEXT NOT NULL,
account_number TEXT NOT NULL, -- Vulnerability: No encryption
description TEXT,
minimum_amount DECIMAL(15, 2) DEFAULT 0,
maximum_amount DECIMAL(15, 2), -- Vulnerability: No validation
is_active BOOLEAN DEFAULT TRUE
)
''')
# Create bill payments table
cursor.execute('''
CREATE TABLE IF NOT EXISTS bill_payments (
id SERIAL PRIMARY KEY,
user_id INTEGER REFERENCES users(id) ON DELETE CASCADE,
biller_id INTEGER REFERENCES billers(id),
amount DECIMAL(15, 2) NOT NULL,
payment_method TEXT NOT NULL, -- 'balance' or 'virtual_card'
card_id INTEGER REFERENCES virtual_cards(id), -- NULL if paid with balance
reference_number TEXT, -- Vulnerability: No unique constraint
status TEXT DEFAULT 'pending',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
processed_at TIMESTAMP,
description TEXT
)
''')
# Insert default bill categories
cursor.execute("""
INSERT INTO bill_categories (name, description)
VALUES
('Utilities', 'Water, Electricity, Gas bills'),
('Telecommunications', 'Phone, Internet, Cable TV'),
('Insurance', 'Life, Health, Auto insurance'),
('Credit Cards', 'Credit card bill payments')
ON CONFLICT (name) DO NOTHING
""")
# Insert sample billers
cursor.execute("""
INSERT INTO billers (category_id, name, account_number, description, minimum_amount)
VALUES
(1, 'City Water', 'WATER001', 'City Water Utility', 10),
(1, 'PowerGen Electric', 'POWER001', 'Electricity Provider', 20),
(2, 'TeleCom Services', 'TEL001', 'Phone and Internet', 25),
(2, 'CableTV Plus', 'CABLE001', 'Cable TV Services', 30),
(3, 'HealthFirst Insurance', 'INS001', 'Health Insurance', 100),
(4, 'Universal Bank Card', 'CC001', 'Credit Card Payments', 50)
ON CONFLICT DO NOTHING
""")
conn.commit()
print("Database initialized successfully")
except Exception as e:
# Vulnerability: Detailed error information exposed
print(f"Error initializing database: {e}")
conn.rollback()
raise e
finally:
return_connection(conn)
def execute_query(query, params=None, fetch=True):
"""
Execute a database query
Vulnerability: This function still allows for SQL injection if called with string formatting
"""
conn = get_connection()
try:
with conn.cursor() as cursor:
cursor.execute(query, params)
result = None
if fetch:
result = cursor.fetchall()
# Always commit for INSERT, UPDATE, DELETE operations
if query.strip().upper().startswith(('INSERT', 'UPDATE', 'DELETE')):
conn.commit()
return result
except Exception as e:
# Vulnerability: Error details might be exposed to users
conn.rollback()
raise e
finally:
return_connection(conn)
def execute_transaction(queries_and_params):
"""
Execute multiple queries in a transaction
Vulnerability: No input validation on queries
queries_and_params: list of tuples (query, params)
"""
conn = get_connection()
try:
with conn.cursor() as cursor:
for query, params in queries_and_params:
cursor.execute(query, params)
conn.commit()
except Exception as e:
# Vulnerability: Transaction rollback exposed
conn.rollback()
raise e
finally:
return_connection(conn)