
Conversation

@igennova
Contributor

@igennova igennova commented Aug 21, 2025

Fixes: #4493

Summary by CodeRabbit

  • New Features

    • Added a Command Injection lab with eight tasks combining theory and simulations (understanding, types, basic, pipes, blind, prevention, advanced, web shells).
    • Task detail page now shows a tailored “Enter your command injection payload” label and a dedicated textarea with a helpful placeholder for this lab; other labs' behavior is unchanged.
  • Style

    • Minor comment formatting tweak with no user-visible impact.

@coderabbitai
Contributor

coderabbitai bot commented Aug 21, 2025

Walkthrough

Adds a Django management command that idempotently creates/updates a "Command Injection" lab with eight tasks and TaskContent records; adds a command-injection-specific payload label and textarea to task_detail; makes a whitespace-only comment edit in Simulation.html.

Changes

Cohort / File(s) | Summary

  • Management command: create Command Injection lab and tasks
    website/management/commands/create_commands_injection_tasks.py
    New Django management command that get_or_create's a "Command Injection" Lab and update_or_create's eight ordered Tasks and corresponding TaskContent records (theory fields or simulation_config). Prints created/updated status and calls lab total-task update if available.
  • Template: payload input for Command Injection
    website/templates/task_detail.html
    Adds conditional label text and a dedicated textarea (id="payload", name="payload", example placeholder) when lab.name == "Command Injection". Leaves other lab cases unchanged.
  • Minor UI comment change
    website/templates/Simulation.html
    Whitespace-only change inside an HTML comment; no behavioral change.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as Management Command
    participant DB as Database (Lab, Task, TaskContent)
    CLI->>DB: get_or_create Lab "Command Injection"
    alt Lab created
        DB-->>CLI: new Lab
    else Lab exists
        DB-->>CLI: existing Lab
    end
    loop for each task (1..8)
        CLI->>DB: update_or_create Task (lab, order) -> set metadata
        CLI->>DB: update_or_create TaskContent -> set theory OR simulation_config
        DB-->>CLI: Task/TaskContent created or updated
    end
    CLI->>DB: call Lab.update_total_tasks() if present
    DB-->>CLI: confirmation
    note right of CLI: CLI prints per-item created/updated counts

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Assessment against linked issues

Objective | Addressed | Explanation

  • Create and populate Command Injection Lab with tasks and content (#4493)
  • Add UI payload input support for Command Injection tasks (#4493)
  • Preserve existing behavior for other labs (SQLi, XSS, CSRF) (#4493)

Out-of-scope changes

Code Change | Explanation

  • Whitespace-only comment edit in website/templates/Simulation.html | Purely cosmetic HTML comment whitespace change; unrelated to #4493 objectives.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 492aea8 and 8b4db9d.

📒 Files selected for processing (1)
  • website/templates/Simulation.html (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • website/templates/Simulation.html
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Run Tests
  • GitHub Check: docker-test
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
website/templates/task_detail.html (1)

126-144: Fix unreachable nested conditions and restore CSRF-specific UI label/placeholder

The inner {% if/elif %} chain inside the SQL Injection branch is unreachable for non-SQL labs, causing the CSRF-specific label/placeholder never to render. This is a regression and will show the generic label for CSRF instead of the intended “Enter your CSRF attack code:”.

Simplify the SQL branch and add a dedicated CSRF branch alongside XSS/Command Injection to remove duplication and make behavior correct/predictable.

Apply this diff:

 {% if lab.name == "SQL Injection" %}
-    <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">
-        {% if lab.name == "SQL Injection" %}
-            Enter your SQL injection payload:
-        {% elif lab.name == "Cross-Site Scripting (XSS)" %}
-            Enter your XSS payload:
-        {% elif lab.name == "Cross-Site Request Forgery" %}
-            Enter your CSRF attack code:
-        {% elif lab.name == "Command Injection" %}
-            Enter your command injection payload:
-        {% else %}
-            Enter your payload:
-        {% endif %}
-    </label>
+    <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your SQL injection payload:</label>
     <textarea id="payload"
               name="payload"
               rows="4"
               class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-              placeholder="{% if lab.name == 'SQL Injection' %}Enter your SQL injection payload here...{% elif lab.name == 'Cross-Site Scripting (XSS)' %}Enter your XSS payload here...{% elif lab.name == 'Cross-Site Request Forgery' %}Enter your CSRF attack code here...{% else %}Enter your payload here...{% endif %}"></textarea>
+              placeholder="Enter your SQL injection payload here... (e.g., ' OR 1=1--)"></textarea>
 {% elif lab.name == "Cross-Site Scripting (XSS)" %}
     <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your XSS payload:</label>
     <textarea id="payload"
               name="payload"
               rows="4"
               class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
               placeholder="Enter your XSS payload here... (e.g., &lt;script&gt;alert('XSS')&lt;/script&gt;)"></textarea>
+{% elif lab.name == "Cross-Site Request Forgery" %}
+    <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your CSRF attack code:</label>
+    <textarea id="payload"
+              name="payload"
+              rows="4"
+              class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
+              placeholder="Enter your CSRF attack code here..."></textarea>
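Review bot: the proposed replacement still copies the full `<textarea id="payload" ...>` block (same id, name, rows and class) into every lab branch, so the SQL, XSS, CSRF and Command Injection copies can drift apart on the next edit; set only the label and placeholder per lab (for example in a `{% with %}` block, or as a context variable computed in the view) and render one shared textarea after the `{% endif %}`. Also note that the SQL placeholder now embeds a sample value inside a double-quoted attribute: the single quote in `' OR 1=1--` is fine there, but any future placeholder containing `"` would have to be written as `&quot;`.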
🧹 Nitpick comments (4)
website/templates/task_detail.html (1)

152-158: Minor UX: make payload textarea monospaced and disable autocorrect

Payloads are code-like; a monospace font reduces errors and improves readability. Disabling autocorrect/capitalization/spellcheck avoids unintended mutations on mobile.

Apply this diff:

-    <textarea id="payload"
+    <textarea id="payload"
               name="payload"
               rows="4"
-              class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-              placeholder="Enter your command injection payload here... (e.g., 127.0.0.1; ls)"></textarea>
+              class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3 font-mono"
+              spellcheck="false" autocapitalize="off" inputmode="text"
+              placeholder="Enter your command injection payload here... (e.g., 127.0.0.1; ls)"></textarea>
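Review bot: the first `-    <textarea id="payload"` / `+    <textarea id="payload"` pair is byte-identical and should be a plain context line rather than a change. `inputmode="text"` is the browser default and adds nothing, and the stated goal of disabling autocorrect has no matching attribute in the hunk: `spellcheck="false"` and `autocapitalize="off"` do not turn autocorrect off, which needs the non-standard `autocorrect="off"` honoured by Safari on iOS/macOS.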
website/management/commands/create_commands_injection_tasks.py (3)

1-1: Make the management command atomic to avoid partial updates

If an exception occurs midway (e.g., while creating content for task 5), you’ll end up with a partially-seeded lab. Wrap handle in a transaction.

Apply this diff:

 from django.core.management.base import BaseCommand
+from django.db import transaction
@@
-class Command(BaseCommand):
+class Command(BaseCommand):
     help = "Create Command Injection lab tasks"
 
-    def handle(self, *args, **options):
+    @transaction.atomic
+    def handle(self, *args, **options):
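Review bot: the `-class Command(BaseCommand):` / `+class Command(BaseCommand):` pair is identical and should be context. More importantly, with `@transaction.atomic` on `handle`, every per-task "Created"/"Updated" line written to stdout before a later exception describes a row that is then rolled back; either collect those messages and emit them via `transaction.on_commit`, or print a single summary only after the transaction has committed.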

10-23: Ensure existing Lab metadata is updated on reruns

Currently, when the lab already exists, description/difficulty/is_active aren’t updated. This can leave stale data if content evolves. Update fields when created is False.

Apply this diff:

-        command_injection_lab, created = Labs.objects.get_or_create(
-            name="Command Injection",
-            defaults={
-                "description": "Learn about command injection vulnerabilities and how to exploit them",
-                "difficulty": "Intermediate",
-                "is_active": True,
-            },
-        )
+        lab_defaults = {
+            "description": "Learn about command injection vulnerabilities and how to exploit them",
+            "difficulty": "Intermediate",
+            "is_active": True,
+        }
+        command_injection_lab, created = Labs.objects.get_or_create(
+            name="Command Injection",
+            defaults=lab_defaults,
+        )
@@
-        else:
-            self.stdout.write(self.style.WARNING(f"Lab already exists: {command_injection_lab.name}"))
+        else:
+            # Keep lab metadata in sync across reruns
+            for field, value in lab_defaults.items():
+                setattr(command_injection_lab, field, value)
+            command_injection_lab.save(update_fields=list(lab_defaults.keys()))
+            self.stdout.write(self.style.WARNING(f"Lab already exists (updated): {command_injection_lab.name}"))
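Review bot: writing `lab_defaults` back unconditionally on every rerun also overwrites `is_active`, so a lab an administrator deliberately disabled is silently re-enabled the next time the seeding command runs (for example as part of a deploy); sync `description` and `difficulty` only, or put the overwrite behind an explicit management-command option, and leave `is_active` under the admin's control.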

215-219: Fallback if update_total_tasks is absent

You already guard with hasattr. For completeness, consider a fallback to set lab.total_tasks = Tasks.objects.filter(lab=lab, is_active=True).count() to keep counts consistent even if the method is missing.

Here’s a minimal, guarded fallback:

-        if hasattr(command_injection_lab, "update_total_tasks"):
-            command_injection_lab.update_total_tasks()
+        if hasattr(command_injection_lab, "update_total_tasks"):
+            command_injection_lab.update_total_tasks()
+        else:
+            try:
+                total = Tasks.objects.filter(lab=command_injection_lab, is_active=True).count()
+                setattr(command_injection_lab, "total_tasks", total)
+                command_injection_lab.save(update_fields=["total_tasks"])
+            except Exception:
+                # Silently ignore if the field does not exist
+                pass
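Review bot: `except Exception: pass` in the fallback hides every failure, not just a missing field: a lost database connection or an integrity error inside `save()` would be swallowed and the command would still exit 0. Django raises `ValueError` when `update_fields` names a field the model lacks, so catch that (plus `AttributeError`) and write a warning via `self.stderr`; note that `setattr` on a model instance never fails for unknown names, so it is not a field-existence check either.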
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 061eb94 and f27d745.

📒 Files selected for processing (2)
  • website/management/commands/create_commands_injection_tasks.py (1 hunks)
  • website/templates/task_detail.html (2 hunks)
🔇 Additional comments (4)
website/management/commands/create_commands_injection_tasks.py (4)

24-169: Content structure and idempotency look good

The tasks_data design is clear, and using update_or_create per (lab, order) ensures idempotent runs. The MCQ options align with the template’s option.0 usage and correct_answer values (“A”, “B”, etc.). Nicely done.


171-214: Good use of update_or_create for tasks and content

The idempotent pattern across tasks and their content reduces operational footguns when re-running the command. Clear console messages also help during seeding.


193-195: TaskContent.mcq_options correctly uses JSONField

The mcq_options field on TaskContent is already defined as

mcq_options = models.JSONField(default=list, blank=True)

which natively supports storing Python lists. No changes are required.


141-145: Action Required: Verify Shell Execution Context for Simulation Tasks

I did not find any invocation of subprocess.run (or similar) with shell=True, nor any use of os.system or shlex in the repository. This suggests that command-injection simulation tasks may not be executed in a POSIX shell environment—and therefore constructs like ${IFS} and && would not be interpreted.

• Please locate and review the simulation engine’s execution logic to confirm whether it invokes a real shell (e.g. with shell=True).
  • If it does not, either update the engine to support these shell features or adjust the success payloads to avoid relying on ${IFS} parameter expansion and shell-specific operators (e.g. use simple separators or multiple payloads).
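Added example (not from the PR or the OWASP-BLT code base) illustrating the point in the comment above: without a shell, a child process receives `127.0.0.1; ls` as one literal argument, so `${IFS}` and `&&` are inert, and a host value can be allow-listed before it reaches any command. The argv-echo child, HOST_RE and build_ping_argv are assumptions made for this example.

```python
"""Added example (not from the PR or the OWASP-BLT code base): why a payload
such as "127.0.0.1; ls" is inert unless a shell parses it, and how a host
value can be allow-listed before it reaches any command."""
from __future__ import annotations

import json
import re
import subprocess
import sys

# Assumed allow-list for the one field a ping-style task should accept:
# hostname/IPv4 characters only, so ';', '&', '$', '{' and spaces are rejected.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Stand-in child process (constructed for this example): it reports the argv
# it received, so the demo does not depend on a real `ping` binary.
ARGV_ECHO = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def child_argv_without_shell(user_input: str) -> list[str]:
    """Run the child with shell=False (the default) and return the argv it saw.

    The input travels as a single argv element; ';', '&&' and '${IFS}' are
    never interpreted because no shell is involved."""
    proc = subprocess.run(ARGV_ECHO + [user_input],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def validate_host(user_input: str) -> str:
    """Reject anything outside the allow-list before building a command."""
    if not HOST_RE.fullmatch(user_input):
        raise ValueError(f"rejected host value: {user_input!r}")
    return user_input


def build_ping_argv(user_input: str) -> list[str]:
    """Argv for a ping-style task: validated host after '--' so it can never be
    read as an option, and never joined into a shell command string."""
    return ["ping", "-c", "1", "--", validate_host(user_input)]


if __name__ == "__main__":
    for sample in ("127.0.0.1", "127.0.0.1; ls", "127.0.0.1&&ls"):
        print(f"{sample!r:18} child argv -> {child_argv_without_shell(sample)}")
        try:
            print("  accepted:", build_ping_argv(sample))
        except ValueError as err:
            print("  rejected:", err)
```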

coderabbitai[bot]
coderabbitai bot previously approved these changes Aug 21, 2025
DonnieBLT
DonnieBLT previously approved these changes Aug 21, 2025
@igennova igennova requested a review from DonnieBLT August 22, 2025 13:52
@DonnieBLT DonnieBLT added this pull request to the merge queue Aug 22, 2025
Merged via the queue into OWASP-BLT:main with commit 8dd528a Aug 22, 2025
13 checks passed

Development

Successfully merging this pull request may close these issues.

Command Injection Lab
