axomestudios / austeritas Goto Github PK

Describe the bug
The documentation is prompting you to deactivate the venv too early.

To Reproduce
Steps to reproduce the behavior:

1. Open the "How to install" page on the wiki
2. Follow the installation steps
3. see deactivate too early as nginx and gunicorn need to be installed using the venv

Expected behavior
The venv will not get deactivated till the end of installation.

Additional context
None

Describe the bug
The translations in the according files are outdated and do not represent the new files.

To Reproduce
Steps to reproduce the behavior:

1. Search for the translation of "Player is banned" in a translation file.
2. The referenced python source file is not existent anymore.

Expected behavior
All translations match their correct notation/ID and do reference currently present python source files.

Is your feature request related to a problem? Please describe.
The maintenance of a codebase not using a src directory can get very challenging over time as non-code files are getting mixed up with code.

Describe the solution you'd like
By moving all necessary files used by the code into a folder called src, app, austeritas or similar, more conciseness can be achieved.

Describe alternatives you've considered
An alternative would be to move non-code files in their own directory, but this is very uncommon and does not work as well.

Is your feature request related to a problem? Please describe.
A lot of people are cheating often. Banning known cheaters on every Austeritas instance would be effective.

Describe the solution you'd like
Austeritas could warn the server owner about known usernames and immediately ban players on the list of known people.

Additional context
None.

Describe the bug
Austeritas is not able to catch cheaters when written in the wrong case.

To Reproduce
Steps to reproduce the behavior:

1. Write "player123" into the banned.json list
2. Start Austeritas
3. Anywhere, enter "Player123"
4. Austeritas will not catch the cheater.

Expected behavior
Austeritas should ignore upper- or lowercase letters in the query.

This issue does NOT have a high severity as Austeritas hashes the password with bcrypt later on in the process, so for an attacker, it's not a highly applicable vulnerability.

Still, this extra-step of inbetween hashing to SHA-256 is unnecessary and causes lots of false positives on the code scanning CI/CD pipe. Removing it may slightly increase security + remove the alerts.

Describe the bug
There is code for updating the global ban list, yet it remains unused.

To Reproduce
Search the repository's files for "run_update()". You will only find its definition.

Expected behavior
There is at least one execution of "run_update()", best placed at an asynchronous task.

There is an unused import of flask_limiter in internals/limiting.py

Is your feature request related to a problem? Please describe.
The banned/kicked player does not know why the punishment happened in particular.

Describe the solution you'd like
The reason could be shown online on the information gathering site and be shown on kick/ban.

Is your feature request related to a problem? Please describe.
Using JSON files is okay for constants and rarely used content, but not for dynamic, fastly-changing data.

Describe the solution you'd like
Migrating to SQLite would fix this problem.

Additional context
ANY potential injection attacks have to be mitigated before pushing to production. CodeQL analysis must be read through.