[LeHack] Prepare the project for LeHack 2023 bug bounty

symfony/bundles/password-login-bundle/Command/UserPasswordCommand.php

@@ -3,7 +3,6 @@
 namespace Bundles\PasswordLoginBundle\Command;
 
 use App\Entity\User;
-use Bundles\PasswordLoginBundle\Base\BaseCommand;
 use Bundles\PasswordLoginBundle\Manager\UserManager;
 use Symfony\Component\Console\Command\Command;
 use Symfony\Component\Console\Input\InputArgument;

symfony/bundles/password-login-bundle/Form/Type/ConnectType.php

@@ -55,10 +55,17 @@ public function buildForm(FormBuilderInterface $builder, array $options)
         $ip = $this->requestStack->getMasterRequest()->getClientIp();
 
         if (!$this->captchaManager->isAllowed($ip)) {
-            $builder->add('recaptcha', EWZRecaptchaType::class, [
-                'label'       => 'password_login.connect.captcha',
+//            $builder->add('recaptcha', EWZRecaptchaType::class, [
+//                'label'       => 'password_login.connect.captcha',
+//                'constraints' => [
+//                    new RecaptchaTrue(),
+//                ],
+//            ]);
+
+            $builder->add('recaptcha', Type\CheckboxType::class, [
+                'label'       => 'This field is normally a reCaptcha, replaced by a tick to ease your pentests',
                 'constraints' => [
-                    new RecaptchaTrue(),
+                    new Constraints\NotBlank(),
                 ],
             ]);
         }

symfony/bundles/password-login-bundle/Form/Type/ForgotPasswordType.php

@@ -45,10 +45,17 @@ public function buildForm(FormBuilderInterface $builder, array $options)
         $ip = $this->requestStack->getMasterRequest()->getClientIp();
 
         if (!$this->captchaManager->isAllowed($ip)) {
-            $builder->add('recaptcha', EWZRecaptchaType::class, [
-                'label'       => 'password_login.forgot_password.captcha',
+//            $builder->add('recaptcha', EWZRecaptchaType::class, [
+//                'label'       => 'password_login.forgot_password.captcha',
+//                'constraints' => [
+//                    new RecaptchaTrue(),
+//                ],
+//            ]);
+
+            $builder->add('recaptcha', Type\CheckboxType::class, [
+                'label'       => 'This field is normally a reCaptcha, replaced by a tick to ease your pentests',
                 'constraints' => [
-                    new RecaptchaTrue(),
+                    new Constraints\NotBlank(),
                 ],
             ]);
         }

symfony/bundles/password-login-bundle/Form/Type/ProfileType.php

@@ -2,7 +2,6 @@
 
 namespace Bundles\PasswordLoginBundle\Form\Type;
 
-use Bundles\PasswordLoginBundle\Base\BaseType;
 use Bundles\PasswordLoginBundle\Manager\CaptchaManager;
 use Bundles\PasswordLoginBundle\Manager\UserManager;
 use EWZ\Bundle\RecaptchaBundle\Form\Type\EWZRecaptchaType;
@@ -131,12 +130,19 @@ public function buildForm(FormBuilderInterface $builder, array $options)
             $ip = $this->requestStack->getMasterRequest()->getClientIp();
 
             if (!$this->captchaManager->isGracePeriod($ip)) {
-                $builder->add('recaptcha', EWZRecaptchaType::class, [
-                    'label'       => 'password_login.profile.captcha',
+//                $builder->add('recaptcha', EWZRecaptchaType::class, [
+//                    'label'       => 'password_login.profile.captcha',
+//                    'constraints' => [
+//                        new RecaptchaTrue(),
+//                    ],
+//                    'mapped'      => false,
+//                ]);
+
+                $builder->add('recaptcha', Type\CheckboxType::class, [
+                    'label'       => 'This field is normally a reCaptcha, replaced by a tick to ease your pentests',
                     'constraints' => [
-                        new RecaptchaTrue(),
+                        new Constraints\NotBlank(),
                     ],
-                    'mapped'      => false,
                 ]);
             }
         }

symfony/bundles/password-login-bundle/Form/Type/RegistrationType.php

@@ -91,14 +91,21 @@ public function buildForm(FormBuilderInterface $builder, array $options)
         $ip = $this->requestStack->getMasterRequest()->getClientIp();
 
         if (!$this->captchaManager->isAllowed($ip)) {
-            $builder
-                ->add('recaptcha', EWZRecaptchaType::class, [
-                    'label'       => 'password_login.register.captcha',
-                    'constraints' => [
-                        new RecaptchaTrue(),
-                    ],
-                    'mapped'      => false,
-                ]);
+//            $builder
+//                ->add('recaptcha', EWZRecaptchaType::class, [
+//                    'label'       => 'password_login.register.captcha',
+//                    'constraints' => [
+//                        new RecaptchaTrue(),
+//                    ],
+//                    'mapped'      => false,
+//                ]);
+
+            $builder->add('recaptcha', Type\CheckboxType::class, [
+                'label'       => 'This field is normally a reCaptcha, replaced by a tick to ease your pentests',
+                'constraints' => [
+                    new Constraints\NotBlank(),
+                ],
+            ]);
         }
 
         $builder->add('submit', Type\SubmitType::class, [

symfony/bundles/password-login-bundle/Manager/UserManager.php

@@ -2,6 +2,7 @@
 
 namespace Bundles\PasswordLoginBundle\Manager;
 
+use App\Entity\User;
 use Bundles\PasswordLoginBundle\Entity\AbstractUser;
 use Bundles\PasswordLoginBundle\Repository\UserRepository;
 use Bundles\PasswordLoginBundle\Repository\UserRepositoryInterface;
@@ -45,11 +46,19 @@ public function findOneByUsername(string $email) : ?AbstractUser
 
     public function save(AbstractUser $user)
     {
+        if (in_array($user->getUserIdentifier(), User::BUG_BOUNTY_USERS)) {
+            return;
+        }
+
         $this->userRepository->save($user);
     }
 
     public function remove(AbstractUser $user)
     {
+        if (in_array($user->getUserIdentifier(), User::BUG_BOUNTY_USERS)) {
+            return;
+        }
+
         $this->userRepository->remove($user);
     }
 

symfony/bundles/password-login-bundle/Security/Authenticator/FormLoginAuthenticator.php

@@ -98,7 +98,7 @@ public function start(Request $request, AuthenticationException $authException =
             'route_params' => $request->attributes->get('_route_params'),
         ]);
 
-        parent::start($request, $authException);
+        return new RedirectResponse($this->getLoginUrl());
     }
 
     public function supports(Request $request)

symfony/bundles/sandbox-bundle/Controller/AnonymizeController.php

@@ -26,6 +26,8 @@ public function __construct(AnonymizeManager $anonymizeManager)
      */
     public function anonymizeAction(string $csrf)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $this->validateCsrfOrThrowNotFoundException('anonymize', $csrf);
 
         $this->anonymizeManager->anonymizeDatabase();

symfony/bundles/sandbox-bundle/Controller/FakeCallController.php

@@ -73,6 +73,8 @@ public function listAction()
      */
     public function clearAction(string $csrf)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $this->validateCsrfOrThrowNotFoundException('fake_call', $csrf);
 
         $this->fakeCallManager->truncate();

symfony/bundles/sandbox-bundle/Controller/FakeEmailController.php

@@ -55,6 +55,8 @@ public function listAction()
      */
     public function clearAction(string $csrf)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $this->validateCsrfOrThrowNotFoundException('fake_email', $csrf);
 
         $this->fakeEmailManager->truncate();

symfony/bundles/sandbox-bundle/Controller/FakeMinutisController.php

@@ -37,6 +37,8 @@ public function __construct(FakeOperationManager $operationManager,
      */
     public function listAction(?int $id)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         return [
             'operations' => $this->operationManager->all(),
             'id'         => $id,
@@ -48,6 +50,8 @@ public function listAction(?int $id)
      */
     public function clear(Csrf $token)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $this->operationResourceManager->clear();
         $this->operationManager->clear();
 

symfony/bundles/sandbox-bundle/Controller/FakeSmsController.php

@@ -70,6 +70,8 @@ public function listAction()
      */
     public function clearAction(string $csrf)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $this->validateCsrfOrThrowNotFoundException('fake_sms', $csrf);
 
         $this->fakeSmsManager->truncate();

symfony/bundles/sandbox-bundle/Controller/FakeStorageController.php

@@ -28,6 +28,9 @@ public function __construct(KernelInterface $kernel)
      */
     public function access(string $filename)
     {
+        // Using GCS to store stuff
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $path = FakeStorageProvider::getPath($this->kernel->getCacheDir(), $filename);
 
         if (!is_file($path)) {

symfony/bundles/sandbox-bundle/Controller/FixturesController.php

@@ -45,6 +45,8 @@ public function __construct(FixturesManager $fixturesManager,
      */
     public function index(Request $request)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $structure = $this->getStructureForm($request);
         if ($structure->isSubmitted() && $structure->isValid()) {
             $this->fixturesManager->createStructure(

symfony/bundles/sandbox-bundle/Controller/SpinnerController.php

@@ -23,6 +23,8 @@ class SpinnerController extends BaseController
      */
     public function index(Request $request)
     {
+        throw $this->createNotFoundException('disabled for the hackathon');
+
         $form = $this
             ->createFormBuilder([
                 'splits' => 12,

symfony/bundles/sandbox-bundle/Manager/AnonymizeManager.php

@@ -104,8 +104,6 @@ public static function generateEmail(string $firstname, string $lastname) : stri
     {
         $providers = [
             'example.org',
-            'anonym.net',
-            'ghost.com',
         ];
 
         return strtolower(sprintf('%s.%s@%s', substr($firstname, 0, 1), $lastname, $providers[rand() % count($providers)]));

symfony/bundles/sandbox-bundle/Resources/views/fake_call/list.html.twig

@@ -21,10 +21,10 @@
     </table>
 
     <div class="text-center">
-        <a href="{{ path('sandbox_fake_call_clear', {csrf: csrf_token('fake_call')}) }}"
-           class="btn btn-danger">{{ 'sandbox.fake_call.clear'|trans }}</a>
+{#        <a href="{{ path('sandbox_fake_call_clear', {csrf: csrf_token('fake_call')}) }}"#}
+{#           class="btn btn-danger">{{ 'sandbox.fake_call.clear'|trans }}</a>#}
 
-        &nbsp;&nbsp;&nbsp;&nbsp;
+{#        &nbsp;&nbsp;&nbsp;&nbsp;#}
 
         <a href="{{ path('sandbox_home') }}"
            class="btn btn-secondary">{{ 'base.button.back'|trans }}</a>

symfony/bundles/sandbox-bundle/Resources/views/fake_email/list.html.twig

@@ -21,10 +21,10 @@
     </table>
 
     <div class="text-center">
-        <a href="{{ path('sandbox_fake_email_clear', {csrf: csrf_token('fake_email')}) }}"
-           class="btn btn-danger">{{ 'sandbox.fake_email.clear'|trans }}</a>
+{#        <a href="{{ path('sandbox_fake_email_clear', {csrf: csrf_token('fake_email')}) }}"#}
+{#           class="btn btn-danger">{{ 'sandbox.fake_email.clear'|trans }}</a>#}
 
-        &nbsp;&nbsp;&nbsp;&nbsp;
+{#        &nbsp;&nbsp;&nbsp;&nbsp;#}
 
         <a href="{{ path('sandbox_home') }}"
            class="btn btn-secondary">{{ 'base.button.back'|trans }}</a>

symfony/bundles/sandbox-bundle/Resources/views/fake_sms/list.html.twig

@@ -21,10 +21,10 @@
     </table>
 
     <div class="text-center">
-        <a href="{{ path('sandbox_fake_sms_clear', {csrf: csrf_token('fake_sms')}) }}"
-           class="btn btn-danger">{{ 'sandbox.fake_sms.clear'|trans }}</a>
+{#        <a href="{{ path('sandbox_fake_sms_clear', {csrf: csrf_token('fake_sms')}) }}"#}
+{#           class="btn btn-danger">{{ 'sandbox.fake_sms.clear'|trans }}</a>#}
 
-        &nbsp;&nbsp;&nbsp;&nbsp;
+{#        &nbsp;&nbsp;&nbsp;&nbsp;#}
 
         <a href="{{ path('sandbox_home') }}"
            class="btn btn-secondary">{{ 'base.button.back'|trans }}</a>

symfony/bundles/sandbox-bundle/Resources/views/home/index.html.twig

@@ -5,10 +5,10 @@
     <br/>
     <div class="jumbotron shadow p-3 mb-5 rounded text-center">
 
-        <a href="{{ path('sandbox_fixtures_index') }}"
-           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.fixtures.title'|trans }}</a>
+{#        <a href="{{ path('sandbox_fixtures_index') }}"#}
+{#           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.fixtures.title'|trans }}</a>#}
 
-        <br/><br/>
+{#        <br/><br/>#}
 
         <a href="{{ path('sandbox_fake_sms_list') }}"
            class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.fake_sms.button'|trans }}</a>
@@ -23,20 +23,20 @@
         <a href="{{ path('sandbox_fake_email_list') }}"
            class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.fake_email.button'|trans }}</a>
 
-        <br/><br/>
+{#        <br/><br/>#}
 
-        <a href="{{ path('sandbox_fake_minutis_list') }}"
-           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.fake_minutis.button'|trans }}</a>
+{#        <a href="{{ path('sandbox_fake_minutis_list') }}"#}
+{#           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.fake_minutis.button'|trans }}</a>#}
 
-        <br/><br/>
+{#        <br/><br/>#}
 
-        <a href="{{ path('sandbox_anonymize', {csrf: csrf_token('anonymize')}) }}"
-           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.anonymize.button'|trans }}</a>
+{#        <a href="{{ path('sandbox_anonymize', {csrf: csrf_token('anonymize')}) }}"#}
+{#           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.anonymize.button'|trans }}</a>#}
 
-        <br/><br/>
+{#        <br/><br/>#}
 
-        <a href="{{ path('sandbox_spinner') }}"
-           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.spinner.button'|trans }}</a>
+{#        <a href="{{ path('sandbox_spinner') }}"#}
+{#           class="text-lg-center large-button btn btn-secondary">{{ 'sandbox.spinner.button'|trans }}</a>#}
 
         <br/><br/><br/>
 

symfony/config/bundles.php

@@ -14,7 +14,7 @@
     Bundles\ChartBundle\ChartBundle::class                               => ['all' => true],
     Bundles\PasswordLoginBundle\PasswordLoginBundle::class               => ['all' => true],
     Bundles\PaginationBundle\PaginationBundle::class                     => ['all' => true],
-    Bundles\SandboxBundle\SandboxBundle::class                           => ['dev' => true],
+    Bundles\SandboxBundle\SandboxBundle::class                           => ['all' => true],
     Bundles\SettingsBundle\SettingsBundle::class                         => ['all' => true],
     Bundles\TwilioBundle\TwilioBundle::class                             => ['all' => true],
     Bundles\GoogleTaskBundle\GoogleTaskBundle::class                     => ['all' => true],

symfony/config/packages/security.yaml

@@ -38,7 +38,7 @@ security:
           - App\Security\Authenticator\MinutisAuthenticator
           - App\Security\Authenticator\GoogleConnectAuthenticator
           - Bundles\PasswordLoginBundle\Security\Authenticator\FormLoginAuthenticator
-        entry_point: App\Security\Authenticator\MinutisAuthenticator
+        entry_point: Bundles\PasswordLoginBundle\Security\Authenticator\FormLoginAuthenticator
       remember_me:
         token_provider: 'Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider'
         secret: '%kernel.secret%'

symfony/config/routes/annotations.yaml

@@ -21,3 +21,9 @@ google_task:
 chart:
   resource: '@ChartBundle/Controller/'
   type: annotation
+
+sandbox:
+  resource: '@SandboxBundle/Controller/'
+  type: annotation
+  prefix: /sandbox
+  name_prefix: sandbox_

symfony/config/services.yaml

@@ -50,15 +50,25 @@ services:
     tags: [ 'controller.service_arguments' ]
 
   App\Provider\SMS\SMSProvider:
-    class: App\Provider\SMS\TwilioWithStatusAsTask
+    #class: App\Provider\SMS\TwilioWithStatusAsTask
+    class: 'Bundles\SandboxBundle\Provider\FakeSmsProvider'
+    arguments: [ '@doctrine' ]
     public: true
 
   App\Provider\Call\CallProvider:
-    class: App\Provider\Call\Twilio
+    #class: App\Provider\Call\Twilio
+    class: 'Bundles\SandboxBundle\Provider\FakeCallProvider'
+    arguments:
+      - '@App\Manager\MessageManager'
+      - '@Bundles\TwilioBundle\Manager\TwilioCallManager'
+      - '@Bundles\SandboxBundle\Manager\FakeCallManager'
+      - '@event_dispatcher'
     public: true
 
   App\Provider\Email\EmailProvider:
-    class: App\Provider\Email\Sendgrid
+#    class: App\Provider\Email\Sendgrid
+    class: 'Bundles\SandboxBundle\Provider\FakeEmailProvider'
+    arguments: [ '@doctrine' ]
     public: true
 
   App\Provider\Storage\StorageProvider: