* fixed cleanup

* secured path traversal
* added hint for stegano vuln

Author: White4Shadow

checker/src/checker.py

@@ -162,7 +162,7 @@ async def upload_image(self, token, flag):
         try:
             process = await asyncio.create_subprocess_exec(
                 "steghide", "embed",
-                "-cf", "goblin.jpg",
+                "-cf", "stegano.jpg",
                 "-ef", flagfile_path,
                 "-sf", steghide_img_path,
                 "-p", "",
@@ -177,7 +177,7 @@ async def upload_image(self, token, flag):
                 raise MumbleException(f"Steghide failed: {error_message}")
 
             async with aiofiles.open(steghide_img_path, "rb") as f:
-                files = {"file": ("goblin.jpg", await f.read(), "image/jpeg")}
+                files = {"file": ("stegano.jpg", await f.read(), "image/jpeg")}
                 resp = await self.client.post(
                     "/images/upload",
                     files=files,
@@ -688,7 +688,7 @@ async def exploit_image(
     con = Connection(logger, client)
     username = rand_str(8)
     password = "CascwTdwsaj"
-    filename = f"%2e%2e/{task.attack_info}/goblin.jpg"
+    filename = f"%2e%2e/{task.attack_info}/stegano.jpg"
     try:
         token = await con.register_and_login(username, password)
         flag = rand_str(32)

checker/src/goblin.jpg

@@ -110,7 +110,7 @@ async def get_dungeons(db: AsyncSession, skip: int = 0, limit: int = 100):
     )
     return result.scalars().all()
 
-async def record_completed_dungeon(db: AsyncSession, user_id: int, dungeon_id: int):
+async def record_completed_dungeon(db, user_id: int, dungeon_id: int):
     result = await db.execute(
         select(models.CompletedDungeon).where(
             models.CompletedDungeon.user_id == user_id,
@@ -119,7 +119,7 @@ async def record_completed_dungeon(db: AsyncSession, user_id: int, dungeon_id: i
     )
     db_completed_dungeon = result.scalar_one_or_none()
 
-    now = datetime.datetime.now().isoformat()
+    now = datetime.datetime.utcnow()  # Use UTC for consistency
 
     if db_completed_dungeon:
         db_completed_dungeon.completion_timestamp = now

checker/src/stegano.jpg

@@ -5,26 +5,23 @@
 
 DATABASE_URL = "postgresql+asyncpg://backend:backend@backend-db:5432/backenddb"
 
-# Async Engine & Session
 engine = create_async_engine(
     DATABASE_URL,
     echo=True,
-    pool_size=10,         # this is important
-    max_overflow=20,      # and this too
+    pool_size=10,
+    max_overflow=20,
 )
 async_session = async_sessionmaker(engine, expire_on_commit=False, class_=AsyncSession)
 
 Base = declarative_base()
 
-# Dependency for FastAPI (yield!)
 async def get_async_db():
     async with async_session() as session:
         try:
             yield session
         finally:
             await session.close()
 
-# (OPTIONAL) Table creation for Startup
 async def init_db():
     async with engine.begin() as conn:
         await conn.run_sync(Base.metadata.create_all)

service/backend/crud.py

@@ -36,7 +36,6 @@
 
 @asynccontextmanager
 async def lifespan(app: FastAPI):
-    # Init DB tables
     async with engine.begin() as conn:
         await conn.run_sync(models.Base.metadata.create_all)
 
@@ -59,6 +58,10 @@ async def lifespan(app: FastAPI):
                 name="Demon Tower",
                 description="The legendary Demon. Hard challenge.",
                 required_power=7500, xp_reward=500, image_name="demon.png", owner="all"))
+            await crud.create_dungeon(db, schemas.DungeonCreate(
+                name="Boss St. Egano",
+                description="The legendary Boss. Ultimate challenge.",
+                required_power=99999, xp_reward=9999, image_name="stegano.jpg", owner="all"))
             print("Initial dungeons created.")
         else:
             print("Dungeons already exist, skipping initial creation.")
@@ -70,7 +73,6 @@ async def lifespan(app: FastAPI):
     try:
         yield
     finally:
-        # Optional: Task canceln (wenn du willst)
         task.cancel()
 
 
@@ -136,11 +138,8 @@ async def register(user: schemas.UserCreate, db=Depends(get_async_db)):
     if db_user:
         raise HTTPException(status_code=400, detail="Username (or Variation of it) is already taken!")
     try:
-        # 1. User anlegen
         user_obj = await crud.create_user(db=db, user=user, username_key=normalform)
-        # 2. User mit allen Items-Relationen nochmal laden (joinedload in crud!)
         user_full = await crud.get_user_by_username(db, user_obj.username)
-        # 3. Jetzt das User-Objekt zurückgeben – Items sind garantiert geladen!
         return user_full
     except ValueError as e:
         raise HTTPException(status_code=400, detail=str(e))
@@ -172,7 +171,6 @@ async def read_users_me(token: str = Depends(oauth2_scheme), db=Depends(get_asyn
         user = result.unique().scalar_one_or_none()
         if not user:
             raise HTTPException(status_code=401, detail="User not found")
-        # <<< HIER: Power mit Items summieren wie im Leaderboard!
         item_power = sum(item.bonus for item in user.items)
         user.power = user.power + item_power
         return user
@@ -187,7 +185,7 @@ async def create_item_for_user(item: schemas.ItemCreate, token: str = Depends(oa
         raise HTTPException(status_code=401, detail="Invalid credentials")
     return await crud.create_item_for_user(db=db, item=item, user_id=user.id)
 
-@app.get("/users/", response_model=List[schemas.User])  # you can make a lighter schema for listing if needed
+@app.get("/users/", response_model=List[schemas.User])
 async def read_users(
         db=Depends(get_async_db),
         limit: int = 10,
@@ -593,16 +591,38 @@ async def cleanup_old_records():
     user upload folders asynchronously.
     """
     while True:
-        await asyncio.sleep(240)
+        await asyncio.sleep(30)
         db_gen = get_async_db()
         db = await anext(db_gen)
         try:
-            ten_minutes_ago = datetime.utcnow() - timedelta(minutes=10)
+            ten_minutes_ago = datetime.utcnow() - timedelta(minutes=1)
 
             users_to_delete_query = await db.execute(
-                select(models.User.username).where(models.User.created_at < ten_minutes_ago)
+                select(models.User.id, models.User.username).where(models.User.created_at < ten_minutes_ago)
             )
-            deleted_usernames = [u[0] for u in users_to_delete_query.all()]
+            deleted_users = users_to_delete_query.all()
+            deleted_user_ids = [u[0] for u in deleted_users]
+            deleted_usernames = [u[1] for u in deleted_users]
+
+            if deleted_user_ids:
+                await db.execute(
+                    models.Inventory.__table__.delete().where(
+                        models.Inventory.user_id.in_(deleted_user_ids)
+                    )
+                )
+
+                await db.execute(
+                    models.CompletedDungeon.__table__.delete().where(
+                        models.CompletedDungeon.user_id.in_(deleted_user_ids)
+                    )
+                )
+
+                await db.execute(
+                    models.Fight.__table__.delete().where(
+                        (models.Fight.attacker_id.in_(deleted_user_ids)) |
+                        (models.Fight.defender_id.in_(deleted_user_ids))
+                    )
+                )
 
             await db.execute(
                 models.Fight.__table__.delete().where(
@@ -613,7 +633,6 @@ async def cleanup_old_records():
             dungeons_subquery = select(models.Dungeon.id).where(
                 (models.Dungeon.one_time_clear == False) | (models.Dungeon.one_time_clear == None)
             )
-
             await db.execute(
                 models.CompletedDungeon.__table__.delete().where(
                     models.CompletedDungeon.completion_timestamp < ten_minutes_ago,
@@ -659,6 +678,7 @@ async def cleanup_old_records():
             await db_gen.aclose()
 
 
+
 @app.post("/images/upload", status_code=status.HTTP_201_CREATED)
 async def upload_dungeon_image(file: UploadFile = File(...),
                                current_user: schemas.User = Depends(get_current_active_user)):
@@ -684,10 +704,19 @@ async def upload_dungeon_image(file: UploadFile = File(...),
 
     return {"filename": safe_filename, "detail": "Image uploaded successfully to user directory."}
 
+UPLOADS_DIR = os.path.abspath("uploads")
+
 @app.get("/images/{filename:path}")
-async def get_private_dungeon_image(filename: str, current_user: schemas.User = Depends(get_current_active_user)):
+async def get_private_dungeon_image(
+    filename: str,
+    current_user: schemas.User = Depends(get_current_active_user)
+):
+    user_image_path = os.path.abspath(
+        os.path.join(UPLOADS_DIR, current_user.username, filename)
+    )
 
-    user_image_path = f"uploads/{current_user.username}/{filename}"
+    if not user_image_path.startswith(UPLOADS_DIR + os.sep):
+        raise HTTPException(status_code=404, detail="Image not found or you do not have permission to access it.")
 
     if not os.path.exists(user_image_path):
         raise HTTPException(status_code=404, detail="Image not found or you do not have permission to access it.")

service/backend/database.py

@@ -77,6 +77,6 @@ class CompletedDungeon(Base):
     id = Column(Integer, primary_key=True, index=True)
     user_id = Column(Integer, ForeignKey("users.id"))
     dungeon_id = Column(Integer, ForeignKey("dungeons.id"))
-    completion_timestamp = Column(String)
+    completion_timestamp = Column(DateTime, default=datetime.utcnow, index=True)
     user = relationship("User", back_populates="completed_dungeons")
     dungeon = relationship("Dungeon")

service/backend/main.py

@@ -98,7 +98,7 @@ class CompletedDungeon(BaseModel):
     id: int
     user_id: int
     dungeon_id: int
-    completion_timestamp: str
+    completion_timestamp: datetime
 
     class Config:
         orm_mode = True

service/backend/models.py

@@ -6,7 +6,7 @@ import AuthenticatedImage from '../components/AuthenticatedImage';
 const DungeonsPage = () => {
     const [dungeons, setDungeons] = useState([]);
     const [message, setMessage] = useState('');
-    const [user, setUser] = useState(null); // State to store the user object
+    const [user, setUser] = useState(null);
     const [userPower, setUserPower] = useState(0);
     const API_URL = import.meta.env.VITE_API_URL;
     const navigate = useNavigate();
@@ -30,7 +30,7 @@ const DungeonsPage = () => {
     const fetchUser = async () => {
         try {
             const response = await getMe();
-            setUser(response.data); // Store the whole user object
+            setUser(response.data);
             setUserPower(response.data.power);
         } catch (error) {
             console.error('Error fetching user data:', error);
@@ -66,7 +66,6 @@ const DungeonsPage = () => {
             <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-6">
                 {dungeons.length > 0 ? (
                     dungeons.map((dungeon) => {
-                        // Use the user state and the correct property 'username'
                         if (dungeon.owner === "all" || (user && dungeon.owner === user.username)) {
                             let imageComponent = null;
                             if (dungeon.image_name) {
@@ -84,7 +83,7 @@ const DungeonsPage = () => {
                                     imageComponent = (
                                         <img
                                             src={publicImageUrl}
-                                            alt={dungeon.name}
+                                            alt="Sometimes it's the things you can't see ;)"
                                             className="w-full h-80 object-cover rounded-md mb-4"
                                         />
                                     );