chore(deps): update dependency ctfd/ctfd to v3.8.2

[renovate]

This PR contains the following updates:

Package	Update	Change
ctfd/ctfd	minor	3.7.7 → 3.8.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

ctfd/ctfd (ctfd/ctfd)

v3.8.2

Compare Source

Security

• Fixes a vulnerability where a malicious admin user could import a crafted zip file to write files arbitrarily depending on the deployment

General

• When a user is submission ratelimited, those submissions will now be the ratelimit submission type instead of incorrect
• Fix issues with ratelimiting on max attempt challenges
• Switch max attempt timeout messaging to seconds instead of minutes
• Fix issue where users would get an error when solving an already solved challenge

Plugins

• Add Ratelimiteds submission class
• Add BaseChallenge.ratelimited() method which creates Ratelimiteds submissions
• Add force_all parameter to CTFd.plugins.migrations.upgrade() to allow plugins to decide if they want to force run all migrations
• Add app.overridden_functions global which allows plugin developers to override functions that support the behavior
• Raise ChallengeSolveException in BaseChallenge.solve() when encountering a duplicate solve situation

Themes

• Mark required fields in registration, login, and custom fields with a red asterisk

Deployment

• The provided Docker Compose file will no longer use the root user and instead use the provided ctfd user
• Add PUT method to IP address tracking

Translations

• Add Norwegian, Turkish, Croatian translation

v3.8.1

Compare Source

Security

• Make challenge attempt ratelimit stricter
• Make reset password ratelimit stricter and apply per-account

General

• Integrates dynamic scoring into the standard challenge type
  • All challenges will now have initial, decay, minimum, function columns available through the standard challenge type
  • Scoring logic for challenges can be configured with the function field
  • The dynamic value challenge plugin will remain supported until CTFd 4.0
• Add solved solution visibility to challenge solutions
  • This only allows a user to view a challenge's solution if they've solved the associated challenge

Admin Panel

• Add bulk editing for solution visibility in the Admin Panel Challenges page

API

• Change GET /api/v1/solutions/[solution_id] to return 404 if a solution is hidden instead of a 403
• Add /api/v1/challenges/[challenge_id]/solution endpoint to check if a challenge solution is accessible

Themes

• CTFd.js has been bumped to 0.0.19
• challenges.js now has additional functions getSolutionState and setSolutionId to allow the UI to determine if a solution is accessible

Deployment

• Fixes issues where preset admins would not be created
• Add RUN_ID config which specifies a token which will be used as a cache-buster URL parameter
• Add EXTRA_CONFIGS_FORCE_TYPES config to allow server admins to force types for configs specified in the [extra] section
• If UPDATE_CHECK is disabled the update prompt banner should be properly disabled
• Fix issue where users would be put into an infinite loop if confirm emails is enabled without having an email server configured

Translations

• Add Uzbek and Hebrew languages

v3.8.0

Compare Source

General

• Admins can now configure whether users can see their past submissions
• Admins can now store challenge solutions within CTFd to be viewed by users
• Participants can now leave upvotes/downvotes on challenges as well as their review of a challenge
  • Ratings/Votes can be configured to be viewed by participants or only admins
  • Reviews are only visible by admins
• Challenges now have the logic field which allows for challenge developers to control the flag collection behavior of a challenge:
  • any: any flag is accepted for the challenge
  • all: all flags for the challenge must be submitted
  • team: all team members must submit any flag
• Max Attempts can now behave as a timeout instead of a lockout
  • For example a user who submits 3 attempts will then be prevented from submitting another attempt for 5 minutes instead of being unable to submit entirely
• Social Shares for challenge completion are now enabled by default and admins may now control the social share template page
• Additional attempts after solving on challenges will now show if the submissions is correct/incorrect
• If email sending is available, email confirmation is enabled by default and users are nudged to complete email verification.
• Hints can now have a title that is shown before unlocking
• Hints now always require unlocking even if they require no cost
  • Prevents accidental viewing and improves tracking of hint usage
• CTFd will now store a tracking event under challenges.open in the Tracking table when a challenge is opened for the first time by a user
• Challenges now report whether a flag is correct or incorrect even if the challenge has already been solved
• Fixes issue where admins could not download challenge files before CTF start when downloading anonymously

Admin Panel

• Added a matrix scoreboard to the Statistics page to show player progression through the CTF
• Added support for brackets in the Admin Panel scoreboard
• Added config option for minimum password length
• Added config option to control whether players can view their previous submissions
• Admins can now require users to change their password upon login
• Added config option to control Max Attempts behavior
• In the Admin Panel challenge preview, admins now only see free hints
• Fixed issue where the hint form was not resetting properly when creating multiple hints

API

• Added /api/v1/users/me/submissions for users to retrieve their own submissions
• Added /api/v1/challenges/[challenge_id]/solutions for users to retrieve challenge solutions
• Added /api/v1/challenges/[challenge_id]/ratings for users to submit ratings and for admins to retrieve them
• Added ratings and rating fields to the response of /api/v1/challenges/[challenge_id]
• Added solution_id to the response of /api/v1/challenges/[challenge_id]
  • If no solution is available, the field is null
• Added logic field to the response of /api/v1/challenges/[challenge_id]
• Added change_password field to /api/v1/users/[user_id] when viewed as an admin
• Added /api/v1/solutions and /api/v1/solutions/[solution_id] endpoints
• /api/v1/unlocks is now also used to unlock solutions for user viewing

Deployment

• Added PRESET_ADMIN_NAME, PRESET_ADMIN_EMAIL, PRESET_ADMIN_PASSWORD, and PRESET_ADMIN_TOKEN to config.ini for pre-creating an admin user
  • Useful for automated deployments and ensuring a known admin token exists
• Added PRESET_CONFIGS to config.ini for pre-setting server-side configs
  • Useful for configuring CTFd without completing setup or using the API
• Added EMAIL_CONFIRMATION_REQUIRE_INTERACTION to config.ini to require additional interaction for email confirmation links
  • Improves compatibility with certain anti-phishing defenses
• Email confirmation is now enabled whenever email sending is available
• Replaced pybluemonday with nh3 (due to breakage in Python modules written in Golang)
• Updated Flask to 2.1.3
• Updated Werkzeug to 2.2.3

Plugins

• Challenge Type Plugins should now return a ChallengeResponse object instead of a (status, message) tuple
  • Existing behavior is supported until CTFd 4.0
• Added BaseChallenge.partial for challenge classes to indicate partial solves (for all flag logic)

Themes

• The core-beta theme has been promoted to core
  • The core-beta repo has been replaced with the core-theme repo. Future changes should be made in the main CTFd repo and these changes will be copied over to the core-theme repo.
• The previous core theme has been deprecated and renamed core-deprecated

---

Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.