Solved issue #607 - Allow to query for passwords in CowrieSession API

[IshaanXCoder]

Solved #607

Description

This PR adds the ability to query CowrieSession API by password, in addition to the existing IP address and SHA-256 hash query methods.

Changes Made

1. Added password query support to /api/cowrie_session endpoint:

   • Users can now query sessions by providing a password string
   • The query searches for credentials matching the pattern " | {password}" in the credentials array field
   • Returns 404 if no sessions are found with the specified password

2. Added GIN index on CowrieSession.credentials field:

   • Migration 0023_add_gin_index_credentials.py creates a GIN index for efficient array searches
   • Thi improves query performance when searching through the credentials array

3. Added input validation:

   • Rejects 64 character strings that aren't valid SHA-256 hashes
   • Rejects strings with dots that aren't valid IP addresses

4. Tested the functions i added:

   • test_password_query: Valid password query returns correct results
   • test_password_query_not_found: Non-existent password returns 404
   • test_password_query_with_session_data: Password query with session data included

Type of change

• New feature (non-breaking change which adds functionality).

Checklist

• I have read and understood the rules about how to Contribute to this project.
• The pull request is for the branch develop. (Please verify this is correct)
• I have added documentation of the new features. (Updated docstring in cowrie_session_view)
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved. All the tests (new and old ones) gave 0 errors.
• If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md). (Updated view docstring)
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
20141940	Triggered	Username Password	127d67a	tests/authentication/test_auth.py	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[regulartim]

At this point we are sure that observable is no sha256 hash, because we already tested it in line 83, right? So no need to check it again.

[regulartim]

Why do you exclude those characters? And why do you exclude "."? There might be passwords containing these characters.

[regulartim]

Why did you manually make a migration instead of adding the index to models.py?

[regulartim]

Please do not execute raw SQL code on the database. Django has an excellent object-relational mapper for querying the database. Use it.

[regulartim]

Same: at this point we already know it is not an IP address (checked in line 78).

[regulartim]

Hey @IshaanXCoder ! Thank you for your contribution. :) I looked at your code and made a few comments. I really don't think we should use raw SQL in this project. You have to change it in order to get this PR merged.
Also, it seems like your PR contains the full history of the main branch, which is very strange. Please also try to fix that.

[regulartim]

Are you still working on this PR, @IshaanXCoder ?

[IshaanXCoder]

Yes I'm interested to continue my work on this, right now i'm working on anotehr issue, will be back on this right after completing the current one. sorry for the delay.

[regulartim]

No problem, take your time. Just wanted to make sure you're still interested.

[IshaanXCoder]

Heyy @regulartim i've made the required changes, to solve the issue of this "full history of the main branch", i'm closing this PR and creating a new PR if that's okay?

[mlodic]

yep, feel free to close and reopen a clean PR

[IshaanXCoder]

Closing this PR, the clean version is #641