fix(submit): check flag length after decryption

GZTimeWalker · GZTimeWalker · commit b9c6c382b630 · 2025-06-01T12:53:10.000+08:00
diff --git a/src/GZCTF.Test/SignatureTest.cs b/src/GZCTF.Test/SignatureTest.cs
@@ -183,11 +183,14 @@ public void TestEncryptData()
         output.WriteLine("公钥：");
         output.WriteLine(Base64.ToBase64String(publicKey.GetEncoded()));
 
-        const string data = "Hello, GZCTF!";
+        var data = new string('0', 127);
+        output.WriteLine($"原始数据：({data.Length})\n{data}");
         var encryptedData = CryptoUtils.EncryptData(Encoding.UTF8.GetBytes(data), publicKey);
-        output.WriteLine($"加密数据：\n{Base64.ToBase64String(encryptedData)}");
+        var base64EncryptedData = Base64.ToBase64String(encryptedData);
+        output.WriteLine($"加密数据：({base64EncryptedData.Length})\n{base64EncryptedData}");
         var decryptedData = CryptoUtils.DecryptData(encryptedData, privateKey);
-        output.WriteLine($"解密数据：\n{Encoding.UTF8.GetString(decryptedData)}");
+        var decryptedString = Encoding.UTF8.GetString(decryptedData);
+        output.WriteLine($"解密数据：({decryptedString.Length})\n{decryptedString}");
         Assert.Equal(data, Encoding.UTF8.GetString(decryptedData));
     }
 }
diff --git a/src/GZCTF/ClientApp/src/Api.ts b/src/GZCTF/ClientApp/src/Api.ts
@@ -1722,9 +1722,7 @@ export interface ClientFlagContext {
 export interface FlagSubmitModel {
   /**
    * Flag content
-   * Fix: Prevent accidental submissions from the frontend (number/float/null) that may be incorrectly converted
    * @minLength 1
-   * @maxLength 127
    */
   flag: string;
 }
diff --git a/src/GZCTF/ClientApp/src/components/GameChallengeModal.tsx b/src/GZCTF/ClientApp/src/components/GameChallengeModal.tsx
@@ -154,6 +154,7 @@ export const GameChallengeModal: FC<GameChallengeModalProps> = (props) => {
       })
     } catch (e) {
       showErrorNotification(e, t)
+      setDisabled(false)
     }
   }
 
diff --git a/src/GZCTF/Controllers/GameController.cs b/src/GZCTF/Controllers/GameController.cs
@@ -7,6 +7,7 @@
 using FluentStorage;
 using FluentStorage.Blobs;
 using GZCTF.Middlewares;
+using GZCTF.Models;
 using GZCTF.Models.Internal;
 using GZCTF.Models.Request.Admin;
 using GZCTF.Models.Request.Game;
@@ -844,6 +845,10 @@ public async Task<IActionResult> GetChallenge([FromRoute] int id, [FromRoute] in
     public async Task<IActionResult> Submit([FromRoute] int id, [FromRoute] int challengeId,
         [FromBody] FlagSubmitModel model, CancellationToken token)
     {
+        var answer = configService.DecryptApiData(model.Flag).Trim();
+        if (answer.Length > Limits.MaxFlagLength)
+            return BadRequest(new RequestResponse(localizer[nameof(Resources.Program.Model_FlagTooLong)]));
+
         var context = await GetContextInfo(id, challengeId, token: token);
 
         if (context.Result is not null)
@@ -858,7 +863,7 @@ public async Task<IActionResult> Submit([FromRoute] int id, [FromRoute] int chal
             Participation = context.Participation!,
             Status = AnswerResult.FlagSubmitted,
             SubmitTimeUtc = DateTimeOffset.UtcNow,
-            Answer = configService.DecryptApiData(model.Flag).Trim()
+            Answer = answer
         };
 
         submission = await submissionRepository.AddSubmission(submission, token);
diff --git a/src/GZCTF/Models/Request/Game/FlagSubmitModel.cs b/src/GZCTF/Models/Request/Game/FlagSubmitModel.cs
@@ -9,11 +9,8 @@ public class FlagSubmitModel
 {
     /// <summary>
     /// Flag content
-    /// Fix: Prevent accidental submissions from the frontend (number/float/null) that may be incorrectly converted
     /// </summary>
     [Required(ErrorMessageResourceName = nameof(Resources.Program.Model_FlagRequired),
         ErrorMessageResourceType = typeof(Resources.Program))]
-    [MaxLength(Limits.MaxFlagLength, ErrorMessageResourceName = nameof(Resources.Program.Model_FlagTooLong),
-        ErrorMessageResourceType = typeof(Resources.Program))]
     public string Flag { get; set; } = string.Empty;
 }

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,7 @@ export const GameChallengeModal: FC<GameChallengeModalProps> = (props) => {`
`154`	`154`	`})`
`155`	`155`	`} catch (e) {`
`156`	`156`	`showErrorNotification(e, t)`
	`157`	`+ setDisabled(false)`
`157`	`158`	`}`
`158`	`159`	`}`
`159`	`160`
Original file line number	Diff line number	Diff line change
`@@ -9,11 +9,8 @@ public class FlagSubmitModel`
`9`	`9`	`{`
`10`	`10`	`/// <summary>`
`11`	`11`	`/// Flag content`
`12`		`- /// Fix: Prevent accidental submissions from the frontend (number/float/null) that may be incorrectly converted`
`13`	`12`	`/// </summary>`
`14`	`13`	`[Required(ErrorMessageResourceName = nameof(Resources.Program.Model_FlagRequired),`
`15`	`14`	`ErrorMessageResourceType = typeof(Resources.Program))]`
`16`		`- [MaxLength(Limits.MaxFlagLength, ErrorMessageResourceName = nameof(Resources.Program.Model_FlagTooLong),`
`17`		`- ErrorMessageResourceType = typeof(Resources.Program))]`
`18`	`15`	`public string Flag { get; set; } = string.Empty;`
`19`	`16`	`}`