Python: Add flask xss examples to flask tests

This commit is contained in:
Rasmus Wriedt Larsen 2019-10-16 13:58:17 +02:00
Родитель 8476bc7d42
Коммит 3ad43f32b6
5 изменённых файлов: 28 добавлений и 1 удалений


@ -1,4 +1,6 @@
| / | Function hello |
| /dangerous | Function dangerous |
| /dangerous-with-cfg-split | Function dangerous2 |
| /safe | Function safe |
| /the/ | Function get |
| /unsafe | Function unsafe |


@ -2,3 +2,7 @@
| test.py:29 | Attribute() | externally controlled string |
| test.py:35 | Subscript | externally controlled string |
| test.py:36 | None | externally controlled string |
| test.py:41 | BinaryExpr | externally controlled string |
| test.py:41 | make_response() | externally controlled string |
| test.py:46 | BinaryExpr | externally controlled string |
| test.py:46 | make_response() | externally controlled string |


@ -2,3 +2,5 @@
| test.py:29 | Attribute | {externally controlled string} |
| test.py:33 | Attribute | {externally controlled string} |
| test.py:35 | Attribute | {externally controlled string} |
| test.py:40 | Attribute | {externally controlled string} |
| test.py:45 | Attribute | {externally controlled string} |


@ -6,3 +6,12 @@
| test.py:33 | Subscript | externally controlled string |
| test.py:35 | Attribute | {externally controlled string} |
| test.py:35 | Subscript | externally controlled string |
| test.py:40 | Attribute | {externally controlled string} |
| test.py:40 | Attribute() | externally controlled string |
| test.py:41 | BinaryExpr | externally controlled string |
| test.py:41 | first_name | externally controlled string |
| test.py:41 | make_response() | flask.Response |
| test.py:45 | Attribute | {externally controlled string} |
| test.py:45 | Attribute() | externally controlled string |
| test.py:46 | first_name | externally controlled string |
| test.py:46 | make_response() | flask.Response |


@ -1,6 +1,6 @@
import flask
from flask import Flask, request
from flask import Flask, request, make_response
app = Flask(__name__)
@app.route("/")
@ -34,3 +34,13 @@ def dangerous2():
if request.method == "POST":
return request.form['param1']
return None
@app.route('/unsafe')
def unsafe():
first_name = request.args.get('name', '')
return make_response("Your name is " + first_name)
@app.route('/safe')
def safe():
first_name = request.args.get('name', '')
return make_response("Your name is " + escape(first_name))
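Review bot: `escape` in `safe()` on the last line of the hunk is not brought into scope by the import hunk above, which only widens the line to `from flask import Flask, request, make_response`; unless `escape` is imported in a part of the file outside these two hunks, the handler raises `NameError` at request time and the "sanitized" case exercises nothing. Extending the import to `from flask import Flask, request, make_response, escape` (or `from markupsafe import escape`, the function Flask re-exports) fixes this. Because the point of this fixture is that `safe()` neutralises the externally controlled string before it reaches `make_response` while `unsafe()` does not, the pair deserves a comment such as `# unsafe()/safe() are the matching positive/negative XSS cases; escape() is the sanitizer the query must treat as a barrier` so a later reader does not collapse them into one handler.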