Python: Add flask xss examples to flask tests
This commit is contained in:
Родитель
8476bc7d42
Коммит
3ad43f32b6
|
@ -1,4 +1,6 @@
|
|||
| / | Function hello |
|
||||
| /dangerous | Function dangerous |
|
||||
| /dangerous-with-cfg-split | Function dangerous2 |
|
||||
| /safe | Function safe |
|
||||
| /the/ | Function get |
|
||||
| /unsafe | Function unsafe |
|
||||
|
|
|
@ -2,3 +2,7 @@
|
|||
| test.py:29 | Attribute() | externally controlled string |
|
||||
| test.py:35 | Subscript | externally controlled string |
|
||||
| test.py:36 | None | externally controlled string |
|
||||
| test.py:41 | BinaryExpr | externally controlled string |
|
||||
| test.py:41 | make_response() | externally controlled string |
|
||||
| test.py:46 | BinaryExpr | externally controlled string |
|
||||
| test.py:46 | make_response() | externally controlled string |
|
||||
|
|
|
@ -2,3 +2,5 @@
|
|||
| test.py:29 | Attribute | {externally controlled string} |
|
||||
| test.py:33 | Attribute | {externally controlled string} |
|
||||
| test.py:35 | Attribute | {externally controlled string} |
|
||||
| test.py:40 | Attribute | {externally controlled string} |
|
||||
| test.py:45 | Attribute | {externally controlled string} |
|
||||
|
|
|
@ -6,3 +6,12 @@
|
|||
| test.py:33 | Subscript | externally controlled string |
|
||||
| test.py:35 | Attribute | {externally controlled string} |
|
||||
| test.py:35 | Subscript | externally controlled string |
|
||||
| test.py:40 | Attribute | {externally controlled string} |
|
||||
| test.py:40 | Attribute() | externally controlled string |
|
||||
| test.py:41 | BinaryExpr | externally controlled string |
|
||||
| test.py:41 | first_name | externally controlled string |
|
||||
| test.py:41 | make_response() | flask.Response |
|
||||
| test.py:45 | Attribute | {externally controlled string} |
|
||||
| test.py:45 | Attribute() | externally controlled string |
|
||||
| test.py:46 | first_name | externally controlled string |
|
||||
| test.py:46 | make_response() | flask.Response |
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
import flask
|
||||
|
||||
from flask import Flask, request
|
||||
from flask import Flask, request, make_response
|
||||
app = Flask(__name__)
|
||||
|
||||
@app.route("/")
|
||||
|
@ -34,3 +34,13 @@ def dangerous2():
|
|||
if request.method == "POST":
|
||||
return request.form['param1']
|
||||
return None
|
||||
|
||||
@app.route('/unsafe')
|
||||
def unsafe():
|
||||
first_name = request.args.get('name', '')
|
||||
return make_response("Your name is " + first_name)
|
||||
|
||||
@app.route('/safe')
|
||||
def safe():
|
||||
first_name = request.args.get('name', '')
|
||||
return make_response("Your name is " + escape(first_name))
|
||||
|
|
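Review bot: `escape` is used in the new `safe()` route (`return make_response("Your name is " + escape(first_name))`) but is never imported in the visible hunks; the import hunk only widens the line to `from flask import Flask, request, make_response`, so unless `escape` is brought into scope in lines 7–33 (outside this view) the route raises NameError when called, and the analysis has nothing to resolve the sanitizer call to. For a test that is meant to show a sanitized sink, the name should resolve to the modeled function, e.g. `from flask import Flask, request, make_response, escape` (or `from markupsafe import escape`, which is where Flask's `escape` comes from). It is also worth a one-line comment above `safe()` stating that `escape` is the sanitizer under test, so the `.expected` entries for line 46 are read against that intent. The hunk opens inside `dangerous2()`, whose definition starts outside it; `unsafe()` and `safe()` are complete within the hunk.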