@Nachiket-Roy Nachiket-Roy commented Oct 14, 2025

Added more labs in security labs section

Run:
python manage.py create_initial_labs
python manage.py create_idor_tasks
python manage.py create_file_upload_tasks
python manage.py create_data_exposure_tasks
python manage.py create_open_redirect_tasks
python manage.py create_ssrf_tasks
python manage.py create_broken_auth_tasks

Summary by CodeRabbit

  • New Features

    • Added management commands to create/update complete task sets (theory, MCQ, simulation) for multiple labs: Broken Authentication, Sensitive Data Exposure, File Upload, IDOR, Open Redirect, and SSRF, with automatic totals update.
    • Enhanced task detail page with dynamic per-lab payload inputs, MCQ submission with instant feedback, and simulation payload testing, all with visible success/failure results.
  • Refactor

    • Reorganized task detail layout into clearer sections for theory, knowledge check, and simulations with consistent styling and modular client-side handlers.

coderabbitai bot commented Oct 14, 2025

Walkthrough

Adds new Django management commands to seed tasks and content for multiple labs (Broken Authentication, Sensitive Data Exposure, File Upload, IDOR, Open Redirect, SSRF). Expands initial lab seeds. Refactors the task detail template to separate and streamline theory, MCQ, and simulation sections with client-side handlers and lab-specific payload inputs.

Changes

New lab seeding commands
  Files: website/management/commands/create_broken_auth_tasks.py, website/management/commands/create_data_exposure_tasks.py, website/management/commands/create_file_upload_tasks.py, website/management/commands/create_idor_tasks.py, website/management/commands/create_open_redirect_tasks.py, website/management/commands/create_ssrf_tasks.py
  Summary: Adds BaseCommand implementations to create/update tasks and TaskContent for the respective labs, handling theory vs. simulation content, printing per-item status, and updating lab total task counts.
Initial labs expansion
  Files: website/management/commands/create_initial_tasks.py
  Summary: Extends the predefined labs list in the existing command; creation flow unchanged.
Task detail template refactor
  Files: website/templates/task_detail.html
  Summary: Restructures layout into distinct sections for theory, MCQ, and simulation. Adds lab-specific payload inputs, updated MCQ and simulation submission handlers, and feedback display.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Admin
  participant Django Mgmt as Django Management
  participant ORM as Models (Lab/Task/TaskContent)

  Admin->>Django Mgmt: python manage.py create_*_tasks
  Django Mgmt->>ORM: Get Lab by name
  alt Lab not found
    Django Mgmt-->>Admin: Error and exit
  else Lab found
    loop For each task in tasks_data
      Django Mgmt->>ORM: update_or_create(Task)
      alt Theory task
        Django Mgmt->>ORM: update_or_create(TaskContent: theory + MCQ)
      else Simulation task
        Django Mgmt->>ORM: update_or_create(TaskContent: simulation_config)
      end
    end
    Django Mgmt->>ORM: lab.update_total_tasks()
    Django Mgmt-->>Admin: Success summary
  end
sequenceDiagram
  autonumber
  actor User
  participant Browser as Task Detail Page
  participant Server as App Server
  participant API as Task/Validation Endpoints

  User->>Browser: View task_detail
  Browser-->>User: Render theory / MCQ / simulation sections

  User->>Browser: Submit MCQ
  Browser->>API: POST MCQ answer (CSRF)
  API-->>Browser: Result (correct/incorrect)
  Browser-->>User: Show MCQ feedback

  User->>Browser: Submit simulation payload
  Browser->>API: POST payload
  API-->>Browser: Evaluation result
  Browser-->>User: Show simulation feedback

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage (⚠️ Warning)
    Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
    Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
  • Title Check (❓ Inconclusive)
    Explanation: The title “Added Labs: Under Security Labs Added More Labs” is overly generic and redundant, failing to convey which specific labs or commands were introduced or the primary scope of the changes; it does not clearly summarize the main additions.
    Resolution: Consider renaming the pull request to a concise, descriptive title such as “Add Django management commands to create new security labs and tasks (IDOR, File Upload, Data Exposure, Open Redirect, SSRF, Broken Authentication)” so that it clearly reflects the main changes.
✅ Passed checks (1 passed)
  • Description Check (✅ Passed)
    Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (16)
website/templates/task_detail.html (1)

274-341: Client-side handlers are well-implemented.

The JavaScript submission handlers correctly:

  • Include CSRF tokens in fetch requests
  • Handle errors gracefully
  • Provide visual feedback for success/failure
  • Prevent default form submission

One minor suggestion: consider replacing alert() calls with inline error messages for better UX consistency with the existing result displays.

Optional: Replace alert() with inline error messages:

     .catch(error => {
         console.error('Error:', error);
-        alert('An error occurred. Please try again.');
+        const resultDiv = document.getElementById('mcq-result');
+        const messageDiv = document.getElementById('result-message');
+        resultDiv.classList.remove('hidden');
+        messageDiv.textContent = 'An error occurred. Please try again.';
+        messageDiv.className = 'text-sm font-medium text-red-600';
     });
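Review bot: the suggested replacement hardcodes the `mcq-result` and `result-message` element ids inside the `.catch`, yet the comment above describes several submission handlers (MCQ and simulation); if the same block is copied into the simulation handler, its errors would be written into the MCQ result box. Pass the target element (or a small render helper taking the ids) into each handler instead. Also, `messageDiv.className = 'text-sm font-medium text-red-600'` replaces every class on the element rather than swapping the colour class, which will undo any layout classes the template already set on it; prefer `classList.remove(...)`/`classList.add(...)` for the success/error colour only. Using `textContent` for the message is the right choice and should be kept.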
website/management/commands/create_file_upload_tasks.py (3)

8-8: Unused method parameters.

The args and kwargs parameters are standard in Django management commands but unused here. While this is a minor nitpick, you can clean it up for consistency.

-    def handle(self, *args, **kwargs):
+    def handle(self, *args, **options):
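Review bot: renaming `**kwargs` to `**options` only aligns with Django's naming convention; it does not resolve the lint finding. Ruff's ARG002 (quoted under Additional context below) flags `args` and `kwargs` because variadic names are not ignored by default, so `options` will be flagged just the same. If a clean lint run is the goal, either consume the options in `handle()` or set `ignore-variadic-names = true` under `[tool.ruff.lint.flake8-unused-arguments]`, which is the usual choice for Django management commands whose signature is dictated by the framework.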

Or simply acknowledge they're unused by the Django framework pattern.


222-222: Unused unpacked variable.

The task_content variable from update_or_create() is never used. Prefix it with an underscore to indicate it's intentionally ignored.

-            task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
+            _task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)

1-237: Consider extracting common command logic.

All six new lab seed commands share nearly identical structure (get lab, upsert tasks, update total). Consider creating a base class or helper function to reduce duplication and improve maintainability.

Example base class approach:

class BaseLabTaskCommand(BaseCommand):
    lab_name: str
    tasks_data: list

    def handle(self, *args, **options):
        try:
            lab = Labs.objects.get(name=self.lab_name)
        except Labs.DoesNotExist:
            self.stdout.write(self.style.ERROR(f"{self.lab_name} lab not found. Please run create_initial_labs first."))
            return

        for task_data in self.tasks_data:
            task, created = Tasks.objects.update_or_create(...)
            # ... rest of common logic
        
        lab.update_total_tasks()
        self.stdout.write(self.style.SUCCESS(f"{self.lab_name} lab setup complete with {lab.total_tasks} tasks"))
website/management/commands/create_ssrf_tasks.py (3)

8-8: Unused method parameters.

Same issue as in other command files - args and kwargs are unused.


238-238: Unused unpacked variable.

Prefix task_content with underscore to indicate it's intentionally unused.

-            task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
+            _task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)

27-27: Ambiguous quotation marks in strings.

Lines 27 and 59 use RIGHT SINGLE QUOTATION MARK (’) instead of APOSTROPHE ('). While this won't break functionality, it can cause encoding issues in some contexts.

Replace ambiguous quotes:

  • Line 27: Server-Side Request Forgery (SSRF)? should use '
  • Line 59: user's browser should use '

Also applies to: 59-59

website/management/commands/create_open_redirect_tasks.py (2)

8-8: Unused method parameters.

The args and kwargs parameters are unused.


227-227: Unused unpacked variable.

Prefix task_content with underscore.

-            task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
+            _task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
website/management/commands/create_broken_auth_tasks.py (2)

8-8: Unused method parameters.

The args and kwargs parameters are unused.


327-327: Unused unpacked variable.

Prefix task_content with underscore.

-            task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
+            _task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
website/management/commands/create_data_exposure_tasks.py (2)

8-8: Unused method parameters.

The args and kwargs parameters are unused.


269-269: Unused unpacked variable.

Prefix task_content with underscore.

-            task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
+            _task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
website/management/commands/create_idor_tasks.py (3)

8-8: Unused method parameters.

The args and kwargs parameters are unused.


180-180: Unused unpacked variable.

Prefix task_content with underscore.

-            task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)
+            _task_content, content_created = TaskContent.objects.update_or_create(task=task, defaults=content_data)

63-63: Ambiguous quotation marks in strings.

Lines 63, 69, and 82 use RIGHT SINGLE QUOTATION MARK (’) instead of APOSTROPHE (').

Replace with standard apostrophes for better encoding compatibility.

Also applies to: 69-69, 82-82

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 82ad67c and 3698c10.

📒 Files selected for processing (8)
  • website/management/commands/create_broken_auth_tasks.py (1 hunks)
  • website/management/commands/create_data_exposure_tasks.py (1 hunks)
  • website/management/commands/create_file_upload_tasks.py (1 hunks)
  • website/management/commands/create_idor_tasks.py (1 hunks)
  • website/management/commands/create_initial_tasks.py (1 hunks)
  • website/management/commands/create_open_redirect_tasks.py (1 hunks)
  • website/management/commands/create_ssrf_tasks.py (1 hunks)
  • website/templates/task_detail.html (1 hunks)
🧰 Additional context used
🪛 Ruff (0.14.0)
website/management/commands/create_file_upload_tasks.py
  8-8: Unused method argument: args (ARG002)
  8-8: Unused method argument: kwargs (ARG002)
  222-222: Unpacked variable task_content is never used. Prefix it with an underscore or any other dummy variable pattern (RUF059)

website/management/commands/create_data_exposure_tasks.py
  8-8: Unused method argument: args (ARG002)
  8-8: Unused method argument: kwargs (ARG002)
  269-269: Unpacked variable task_content is never used. Prefix it with an underscore or any other dummy variable pattern (RUF059)

website/management/commands/create_idor_tasks.py
  8-8: Unused method argument: args (ARG002)
  8-8: Unused method argument: kwargs (ARG002)
  63-63: String contains ambiguous ’ (RIGHT SINGLE QUOTATION MARK). Did you mean ` (GRAVE ACCENT)? (RUF001)
  69-69: String contains ambiguous ’ (RIGHT SINGLE QUOTATION MARK). Did you mean ` (GRAVE ACCENT)? (RUF001)
  82-82: String contains ambiguous ’ (RIGHT SINGLE QUOTATION MARK). Did you mean ` (GRAVE ACCENT)? (RUF001)
  180-180: Unpacked variable task_content is never used. Prefix it with an underscore or any other dummy variable pattern (RUF059)

website/management/commands/create_broken_auth_tasks.py
  8-8: Unused method argument: args (ARG002)
  8-8: Unused method argument: kwargs (ARG002)
  327-327: Unpacked variable task_content is never used. Prefix it with an underscore or any other dummy variable pattern (RUF059)

website/management/commands/create_open_redirect_tasks.py
  8-8: Unused method argument: args (ARG002)
  8-8: Unused method argument: kwargs (ARG002)
  227-227: Unpacked variable task_content is never used. Prefix it with an underscore or any other dummy variable pattern (RUF059)

website/management/commands/create_ssrf_tasks.py
  8-8: Unused method argument: args (ARG002)
  8-8: Unused method argument: kwargs (ARG002)
  27-27: String contains ambiguous ’ (RIGHT SINGLE QUOTATION MARK). Did you mean ` (GRAVE ACCENT)? (RUF001)
  59-59: String contains ambiguous ’ (RIGHT SINGLE QUOTATION MARK). Did you mean ` (GRAVE ACCENT)? (RUF001)
  238-238: Unpacked variable task_content is never used. Prefix it with an underscore or any other dummy variable pattern (RUF059)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Run Tests
  • GitHub Check: docker-test
🔇 Additional comments (3)
website/management/commands/create_initial_tasks.py (1)

36-71: LGTM! Clean expansion of lab definitions.

The new lab entries follow the established pattern and provide clear, educational descriptions. The estimated times and ordering are consistent with the existing structure.

website/templates/task_detail.html (2)

146-244: LGTM! Per-lab payload inputs are well-organized.

The conditional rendering of lab-specific payload inputs with contextual placeholders is a good UX pattern. The fallback generic textarea ensures all labs are covered.


48-48: No XSS risk: theory_content is admin-only
theory_content is only modifiable via Django admin or management commands, so rendering it with |safe does not expose untrusted input.

@github-project-automation github-project-automation bot moved this from Backlog to Ready in 📌 OWASP BLT Project Board Oct 14, 2025
@DonnieBLT DonnieBLT requested a review from Copilot October 14, 2025 21:11
@Copilot Copilot AI left a comment

Pull Request Overview

This pull request adds six new security labs to the platform: Broken Authentication, IDOR, File Upload Vulnerabilities, Sensitive Data Exposure, Open Redirect, and SSRF. Each lab includes comprehensive theory and simulation tasks with MCQ questions and interactive payload testing.

Key Changes:

  • Added 6 new security vulnerability labs with educational content
  • Enhanced task detail template with dynamic per-lab payload inputs and improved UI
  • Created Django management commands to populate labs with theory and simulation tasks

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Summary per file:
  • website/templates/task_detail.html: Enhanced with lab-specific payload inputs, improved layout, and refactored JavaScript handlers
  • website/management/commands/create_initial_tasks.py: Added 6 new lab definitions with descriptions and estimated completion times
  • website/management/commands/create_broken_auth_tasks.py: Complete task set for Broken Authentication lab covering default credentials, session fixation, JWT issues, and brute force
  • website/management/commands/create_idor_tasks.py: IDOR lab tasks covering theory and simulation scenarios for object reference vulnerabilities
  • website/management/commands/create_file_upload_tasks.py: File upload vulnerability tasks including web shell uploads, MIME type bypasses, and path traversal
  • website/management/commands/create_data_exposure_tasks.py: Sensitive data exposure lab with theory and simulations for various data leak scenarios
  • website/management/commands/create_open_redirect_tasks.py: Open redirect vulnerability lab covering phishing scenarios and bypass techniques
  • website/management/commands/create_ssrf_tasks.py: SSRF lab tasks including internal access, redirection chains, and filter bypasses
