Python Forum
making a form purely with flask-wtf
#11
Quote: how would I go about when they hit the submit button it runs a powershell command with the variables the user has inputted
On the server you get the values back, so here I just use new_password (can use any field) and use subprocess to run this command line argument.
ls (list files) is not in standard Windows, use dir, so see that it now lists the files in the folder.
import subprocess  # goes at the top of the module

new_password = form.new_password.data
print(new_password) # ls
result = subprocess.run([new_password], capture_output=True, text=True)
print(result.stdout)
G:\all_flask\2024\wtf_env
(wtf_env) λ flask --app test1 run
 * Serving Flask app 'test1'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit
127.0.0.1 - - [30/May/2024 23:38:15] "GET / HTTP/1.1" 200 -
ls
__pycache__
Include
Lib
pyvenv.cfg
Scripts
templates
test.py
test1.py

prod
127.0.0.1 - - [30/May/2024 23:38:22] "POST / HTTP/1.1" 200 -
Reply
#12
(May-30-2024, 09:51 PM)snippsat Wrote:
Quote: how would I go about when they hit the submit button it runs a powershell command with the variables the user has inputted
On the server you get the values back, so here I just use new_password (can use any field) and use subprocess to run this command line argument.
ls (list files) is not in standard Windows, use dir, so see that it now lists the files in the folder.
import subprocess  # goes at the top of the module

new_password = form.new_password.data
print(new_password) # ls
result = subprocess.run([new_password], capture_output=True, text=True)
print(result.stdout)
G:\all_flask\2024\wtf_env
(wtf_env) λ flask --app test1 run
 * Serving Flask app 'test1'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit
127.0.0.1 - - [30/May/2024 23:38:15] "GET / HTTP/1.1" 200 -
ls
__pycache__
Include
Lib
pyvenv.cfg
Scripts
templates
test.py
test1.py

prod
127.0.0.1 - - [30/May/2024 23:38:22] "POST / HTTP/1.1" 200 -

your first lines of code, I imagine I write that in my password.py script and not in the index.html

sorry snippsat I don't see the powershell command that you wrote, is it just the ls but in powershell terms it will be dir
Reply
#13
(May-31-2024, 02:33 PM)robertkwild Wrote: sorry snippsat I don't see the powershell command that you wrote, is it just the ls but in powershell terms it will be dir
So now in the browser I type * in new_password and use this in a PowerShell command to list files.
Just mention this is normal stuff to do,
but as you see it work this has of course some security concerns, taking input for a website and running local stuff as PowerShell.
import subprocess  # goes at the top of the module

new_password = form.new_password.data
print(new_password) # *
#result = subprocess.run([new_password], capture_output=True, text=True)
ps_command = f"Get-ChildItem -Path '{new_password}'"
# Execute the PowerShell command
result = subprocess.run(["powershell", "-Command", ps_command], capture_output=True, text=True)
print(result.stdout)
domain = form.domain.data
G:\all_flask\2024\wtf_env
(wtf_env) λ flask --app test1 run
 * Serving Flask app 'test1'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:5000
Press CTRL+C to quit
127.0.0.1 - - [31/May/2024 17:17:30] "GET / HTTP/1.1" 200 -
*


    Directory: G:\all_flask\2024\wtf_env


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        29.05.2024     22:13                Include
d-----        29.05.2024     22:13                Lib
d-----        29.05.2024     22:16                Scripts
d-----        30.05.2024     22:41                templates
d-----        31.05.2024     17:17                __pycache__
-a----        29.05.2024     22:13            184 pyvenv.cfg
-a----        30.05.2024     18:50            969 test.py
-a----        31.05.2024     17:17           1464 test1.py

prod
127.0.0.1 - - [31/May/2024 17:17:54] "POST / HTTP/1.1" 200 -
Reply
#14
if it's a security concern what other way do you recommend doing what I want to do
Reply
#15
(May-31-2024, 05:36 PM)robertkwild Wrote: if it's a security concern what other way do you recommend doing what I want to do
Not sure what task you are trying to do.
It can be OK if you check the input and don't allow all commands that can be given to PowerShell.
E.g. this would delete a local file, or worse, if you do Remove-Item -Path C:/*.* it starts to delete all files on C:
import subprocess

new_password = 'Remove-Item -Path C:/bar/file-1.txt'
# Execute the PowerShell command
result = subprocess.run(["powershell", "-Command", new_password], capture_output=True, text=True)
So e.g. in the previous post here, f"Get-ChildItem -Path '{new_password}'", it's restricted to only use Get-ChildItem -Path.
Then you cannot give a full PS command that e.g. can delete local files from input in the web form.
Reply
#16
(May-31-2024, 06:11 PM)snippsat Wrote:
(May-31-2024, 05:36 PM)robertkwild Wrote: if it's a security concern what other way do you recommend doing what I want to do
Not sure what task you are trying to do.
It can be OK if you check the input and don't allow all commands that can be given to PowerShell.
E.g. this would delete a local file, or worse, if you do Remove-Item -Path C:/*.* it starts to delete all files on C:
import subprocess

new_password = 'Remove-Item -Path C:/bar/file-1.txt'
# Execute the PowerShell command
result = subprocess.run(["powershell", "-Command", new_password], capture_output=True, text=True)
So e.g. in the previous post here, f"Get-ChildItem -Path '{new_password}'", it's restricted to only use Get-ChildItem -Path.
Then you cannot give a full PS command that e.g. can delete local files from input in the web form.

I'm just going to get it to run a powershell command to change the user's password, i.e.

Set-ADAccountPassword -Identity username -OldPassword (ConvertTo-SecureString -AsPlainText "old_password" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "confirm" -Force) -Server domain

but I'm trying to do some validation but the EqualTo doesn't work and no idea why

from flask import Flask, render_template, request
from flask_wtf import FlaskForm
from wtforms import StringField, PasswordField, BooleanField, DecimalField, RadioField, SelectField, TextAreaField, FileField, validators, SubmitField
from wtforms.validators import InputRequired, Length, DataRequired, EqualTo, Regexp, ValidationError

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secretkey'


class MyForm(FlaskForm):
    username = StringField('Username', [InputRequired('Required')])
    old_password = PasswordField('Old Password', [InputRequired('Required')])
    password = PasswordField('New Password', [InputRequired('Required'), EqualTo('confirm', message='Passwords must match'), Length(min=12)])
    confirm = PasswordField('Confirm New Password')
    domain = SelectField('domain', choices=[('prod', 'prod'), ('corp', 'corp')])
    submit = SubmitField('Submit')
    
@app.route('/', methods=['GET', 'POST'])
def index():
    form = MyForm()
    if form.validate_on_submit():
        username = form.username.data
        old_password = form.old_password.data
        password = form.password.data
        confirm = form.confirm.data
        domain = form.domain.data
        submit = form.submit.data
    return render_template('index.html', form=form)

if __name__ == '__main__':
    app.run()
Reply
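
Added example, not part of any post in this thread: one way to run the Set-ADAccountPassword command from post #16 without building the PowerShell command text from form input, which also applies to the Get-ChildItem f-string in post #13. The script text is fixed and reads the values from environment variables; the PWCHG_* variable names, the server host names and the username pattern are assumptions made for the example.

```python
import os
import re
import subprocess

# Assumptions for this example: the domain keys mirror the form's SelectField
# choices; the server names and the username pattern are constructed.
DOMAIN_SERVERS = {"prod": "dc01.prod.example", "corp": "dc01.corp.example"}
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,19}")

# Fixed script text. PowerShell reads the user's values from environment
# variables, so they are handled as data and never parsed as command text.
PS_SCRIPT = (
    "$old = ConvertTo-SecureString -AsPlainText $env:PWCHG_OLD -Force; "
    "$new = ConvertTo-SecureString -AsPlainText $env:PWCHG_NEW -Force; "
    "Set-ADAccountPassword -Identity $env:PWCHG_USER "
    "-OldPassword $old -NewPassword $new -Server $env:PWCHG_SERVER"
)


def build_password_change(username, old_password, new_password, domain):
    """Validate the form values and return (argv, env) for subprocess.run."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username has characters outside the allowlist")
    if domain not in DOMAIN_SERVERS:
        raise ValueError("unknown domain")
    for value in (old_password, new_password):
        if not value or "\x00" in value:
            raise ValueError("password is empty or contains a NUL byte")
    argv = ["powershell", "-NoProfile", "-NonInteractive", "-Command", PS_SCRIPT]
    env = dict(os.environ)  # keep PATH etc. so powershell can be found
    env.update(
        PWCHG_USER=username,
        PWCHG_OLD=old_password,
        PWCHG_NEW=new_password,
        PWCHG_SERVER=DOMAIN_SERVERS[domain],
    )
    return argv, env


def change_password(username, old_password, new_password, domain):
    """Run the fixed script; True when PowerShell exits with status 0."""
    argv, env = build_password_change(username, old_password, new_password, domain)
    result = subprocess.run(argv, env=env, capture_output=True, text=True)
    return result.returncode == 0
```

In the view, change_password would be called inside the form.validate_on_submit() branch with the form's field values, with a ValueError turned into a form error instead of a command run.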

