From 639eafb0bf24bb82aaa54fa4aa453b1b1e8bf23e Mon Sep 17 00:00:00 2001
From: alex
Date: Fri, 11 Oct 2024 12:47:54 -0400
Subject: [PATCH 1/2] test semgrep for directly-returned-format-string and nan-injection
---
 app.py | 50 +-
 routes/wow.py | 53 +++
 semgrep.config.yaml | 811 +++++++++++++++++++++++++++++++++
 templates/petshoppinglist.html | 8 +-
 4 files changed, 869 insertions(+), 53 deletions(-)
diff --git a/app.py b/app.py
index d40c221..86d22e2 100644
--- a/app.py
+++ b/app.py
@@ -446,55 +446,7 @@ def megaitemnames():
 )
 )
-
-@app.route("/petshoppinglist", methods=["GET", "POST"])
-def petshoppinglist():
- return redirect("https://saddlebagexchange.com/wow/shopping-list")
-
- # DEPRECIATED
- if request.method == "GET":
- return return_safe_html(render_template("petshoppinglist.html"))
- elif request.method == "POST":
- json_data = {
- "region": request.form.get("region"),
- "itemID": int(request.form.get("petID")),
- "maxPurchasePrice": int(request.form.get("maxPurchasePrice")),
- "connectedRealmIDs": {},
- }
-
- response = requests.post(
- f"{api_url}/wow/shoppinglistx",
- headers={"Accept": "application/json"},
- json=json_data,
- ).json()
-
- if "data" not in response:
- logger.error(
- f"Error no matching data with given inputs {json_data} response {response}"
- )
- if NO_RATE_LIMIT:
- return f"Error no matching data with given inputs {json_data} response {response}"
- # send generic error message to remove XSS potential
- return f"error no matching results found matching search inputs"
-
- response = response["data"]
-
- column_order = [
- "realmID",
- "price",
- "quantity",
- "realmName",
- "realmNames",
- "link",
- ]
- response = [{key: item.get(key) for key in column_order} for item in response]
- fieldnames = list(response[0].keys())
-
- return return_safe_html(
- render_template(
- "petshoppinglist.html", results=response, fieldnames=fieldnames, len=len
- )
- )
+
 @app.route("/petmarketshare", methods=["GET", "POST"])
diff --git a/routes/wow.py b/routes/wow.py
index a69423d..597514c 100644
--- a/routes/wow.py
+++ b/routes/wow.py
@@ -90,4 +90,57 @@ def wow_outofstock_api():
 fieldnames=fieldnames,
 len=len,
 )
+ )
+
+@wow_bp.route("/petshoppinglist", methods=["GET", "POST"])
+def petshoppinglist():
+ # return redirect("https://saddlebagexchange.com/wow/shopping-list")
+
+ # DEPRECIATED
+ if request.method == "GET":
+ return return_safe_html(render_template("petshoppinglist.html"))
+ elif request.method == "POST":
+ json_data = {
+ "region": request.form.get("region"),
+ "itemID": int(request.form.get("petID")),
+ "maxPurchasePrice": int(request.form.get("maxPurchasePrice")),
+ "connectedRealmIDs": {},
+ }
+
+ print(json_data)
+
+ response = requests.post(
+ f"{api_url}/wow/shoppinglistx",
+ headers={"Accept": "application/json"},
+ json=json_data,
+ ).json()
+
+ print(response)
+
+ if "data" not in response:
+ print(
+ f"Error no matching data with given inputs {json_data} response {response}"
+ )
+ if NO_RATE_LIMIT:
+ return f"Error no matching data with given inputs {json_data} response {response}"
+ # send generic error message to remove XSS potential
+ return f"error no matching results found matching search inputs"
+
+ response = response["data"]
+
+ column_order = [
+ "realmID",
+ "price",
+ "quantity",
+ "realmName",
+ "realmNames",
+ "link",
+ ]
+ response = [{key: item.get(key) for key in column_order} for item in response]
+ fieldnames = list(response[0].keys())
+
+ return return_safe_html(
+ render_template(
+ "petshoppinglist.html", results=response, fieldnames=fieldnames, len=len
+ )
 )
\ No newline at end of file
diff --git a/semgrep.config.yaml b/semgrep.config.yaml
index 8d69f5a..f1151a5 100644
--- a/semgrep.config.yaml
+++ b/semgrep.config.yaml
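Review bot: `int(request.form.get("petID"))` and `int(request.form.get("maxPurchasePrice"))` in the new `petshoppinglist` raise TypeError when the field is absent and ValueError when it is not numeric, so a malformed POST ends in an unhandled 500 rather than the generic error string the route already returns; werkzeug's `request.form.get(name, type=int)` yields None on a failed conversion and lets the route reject bad input with a constant message, as in the rewrite below. `fieldnames = list(response[0].keys())` likewise raises IndexError when the API answers with an empty `data` list, so an emptiness check before it is needed. The `print(json_data)` / `print(response)` calls replace the `logger.error(...)` the removed app.py copy used, so request-derived values now go to stdout unstructured; if a logger is available in this module, `logger.error("no matching data for %s: %s", json_data, response)` keeps the previous behaviour. The f-string returned under NO_RATE_LIMIT that embeds `json_data` and `response` is presumably the intended semgrep trigger named in the commit subject, so it is left untouched here.
```python
        json_data = {
            "region": request.form.get("region"),
            # type=int gives None instead of raising on a missing or non-numeric field
            "itemID": request.form.get("petID", type=int),
            "maxPurchasePrice": request.form.get("maxPurchasePrice", type=int),
            "connectedRealmIDs": {},
        }
        if json_data["itemID"] is None or json_data["maxPurchasePrice"] is None:
            # constant message: nothing from the request is echoed back
            return "error: petID and maxPurchasePrice must be whole numbers", 400
        # … unchanged: API call and "data" check …
        response = response["data"]
        if not response:
            return f"error no matching results found matching search inputs"
        # … unchanged: column_order, fieldnames, render_template …
```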
@@ -1,4 +1,147 @@ rules: +- id: directly-returned-format-string + message: >- + Detected Flask route directly returning a formatted string. This + is subject to cross-site scripting if user input can reach the string. + Consider using the template engine instead and rendering pages with + 'render_template()'. + metadata: + cwe: + - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - flask + references: + - https://owasp.org/Top10/A03_2021-Injection + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM + confidence: MEDIUM + languages: + - python + severity: WARNING + mode: taint + pattern-sources: + - pattern-either: + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $PARAM, ...): + ... + - pattern: $PARAM + - pattern: | + request.$FUNC.get(...) + - pattern: | + request.$FUNC(...) + - pattern: request.$FUNC[...] + pattern-sinks: + - patterns: + - pattern-not-inside: return "..." + - pattern-either: + - pattern: return "...".format(...) + - pattern: return "..." % ... + - pattern: return "..." + ... + - pattern: return ... + "..." + - pattern: return f"...{...}..." + - patterns: + - pattern: return $X + - pattern-either: + - pattern-inside: | + $X = "...".format(...) + ... + - pattern-inside: | + $X = "..." % ... + ... + - pattern-inside: | + $X = "..." + ... + ... + - pattern-inside: | + $X = ... + "..." + ... + - pattern-inside: | + $X = f"...{...}..." + ... + - pattern-not-inside: | + $X = "..." + ... + +- id: csv-writer-injection + languages: + - python + message: Detected user input into a generated CSV file using the built-in `csv` module. 
If user data + is used to generate the data in this file, it is possible that an attacker could inject a formula + when the CSV is imported into a spreadsheet application that runs an attacker script, which could + steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` + is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. + You can use `defusedcsv` instead of `csv` to safely generate CSVs. + metadata: + category: security + confidence: MEDIUM + cwe: + - 'CWE-1236: Improper Neutralization of Formula Elements in a CSV File' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://github.com/raphaelm/defusedcsv + - https://owasp.org/www-community/attacks/CSV_Injection + - https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities + technology: + - python + - flask + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + mode: taint + pattern-sinks: + - patterns: + - pattern-inside: | + $WRITER = csv.writer(...) + + ... + + $WRITER.$WRITE(...) + - pattern: $WRITER.$WRITE(...) + - metavariable-regex: + metavariable: $WRITE + regex: ^(writerow|writerows|writeheader)$ + pattern-sources: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] 
+ - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] + - patterns: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + severity: ERROR - id: nan-injection message: Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, 
@@ -40,3 +183,671 @@ rules: impact: MEDIUM likelihood: MEDIUM confidence: MEDIUM +- id: os-system-injection + languages: + - python + severity: ERROR + message: >- + User data detected in os.system. This could be vulnerable to a command injection and should be avoided. + If this + must be done, use the 'subprocess' module instead and pass the arguments as a list. + metadata: + cwe: + - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://owasp.org/www-community/attacks/Command_Injection + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + pattern-either: + - patterns: + - pattern: os.system(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + os.system(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + os.system(..., <... $INTERM ...>, ...) + - pattern: os.system(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: os.system(..., <... flask.request.$W[...] ...>, ...) + - pattern: os.system(..., <... flask.request.$W(...) ...>, ...) + - pattern: os.system(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + os.system(<... $INTERM ...>) + - pattern: os.system(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + os.system(<... 
$INTERM ...>) + - pattern: os.system(...) +- id: path-traversal-open + languages: + - python + severity: ERROR + message: >- + Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise + it could result + in path traversal attacks. + metadata: + cwe: + - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + owasp: + - A05:2017 - Broken Access Control + - A01:2021 - Broken Access Control + references: + - https://owasp.org/www-community/attacks/Path_Traversal + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - audit + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + pattern-either: + - patterns: + - pattern: open(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + open(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + with open(..., <... $ROUTEVAR ...>, ...) as $FD: + ... + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + open(..., <... $INTERM ...>, ...) + - pattern: open(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: open(..., <... flask.request.$W[...] ...>, ...) + - pattern: open(..., <... flask.request.$W(...) ...>, ...) + - pattern: open(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + open(<... $INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + open(<... 
$INTERM ...>, ...) + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + with open(<... $INTERM ...>, ...) as $F: + ... + - pattern: open(...) +- id: raw-html-format + languages: + - python + severity: WARNING + message: >- + Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing + secure methods + of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, + which could + let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered + safely. Otherwise, use + templates (`flask.render_template`) which will safely render HTML instead. + metadata: + cwe: + - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + owasp: + - A07:2017 - Cross-Site Scripting (XSS) + - A03:2021 - Injection + category: security + technology: + - flask + references: + - https://flask.palletsprojects.com/en/2.0.x/security/#cross-site-scripting-xss + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + mode: taint + pattern-sanitizers: + - pattern: jinja2.escape(...) + - pattern: flask.escape(...) + - patterns: + - pattern: flask.render_template($TPL, ...) 
+ - metavariable-regex: + metavariable: $TPL + regex: .*\.html + pattern-sources: + - patterns: + - pattern-either: + - pattern: flask.request.$ANYTHING + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern-either: + - pattern: '"$HTMLSTR" % ...' + - pattern: '"$HTMLSTR".format(...)' + - pattern: '"$HTMLSTR" + ...' + - pattern: f"$HTMLSTR{...}..." + - patterns: + - pattern-inside: | + $HTML = "$HTMLSTR" + ... + - pattern-either: + - pattern: $HTML % ... + - pattern: $HTML.format(...) + - pattern: $HTML + ... + - metavariable-pattern: + metavariable: $HTMLSTR + language: generic + pattern: <$TAG ... +- id: ssrf-requests + languages: + - python + severity: ERROR + message: Data from request object is passed to a new server-side request. This could lead to a server-side + request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, + do not forward the response to the user, and ensure proper authentication and transport-layer security + in the proxied request. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://owasp.org/www-community/attacks/Server_Side_Request_Forgery + category: security + technology: + - flask + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + pattern-either: + - patterns: + # Written this way so that Semgrep only matches the requests call, + # not the whole function def + - pattern: requests.$FUNC(...) + - pattern-either: + - pattern-inside: | + @$APP.$ROUTE_METHOD($ROUTE, ...) + def $ROUTE_FUNC(..., $ROUTEVAR, ...): + ... + requests.$FUNC(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.$ROUTE_METHOD($ROUTE, ...) + def $ROUTE_FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... 
$ROUTEVAR ...> + ... + requests.$FUNC(..., <... $INTERM ...>, ...) + - metavariable-regex: + metavariable: $ROUTE_METHOD + regex: ^(route|get|post|put|delete|patch)$ + - pattern: requests.$FUNC(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W[...] ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W(...) ...>, ...) + - pattern: requests.$FUNC(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + requests.$FUNC(<... $INTERM ...>, ...) + - pattern: requests.$FUNC(...) +- id: subprocess-injection + languages: [python] + mode: taint + options: + symbolic_propagation: true + pattern-sources: + - pattern-either: + - patterns: + - pattern-either: + - pattern: flask.request.form.get(...) + - pattern: flask.request.form[...] + - pattern: flask.request.args.get(...) + - pattern: flask.request.args[...] + - pattern: flask.request.values.get(...) + - pattern: flask.request.values[...] + - pattern: flask.request.cookies.get(...) + - pattern: flask.request.cookies[...] + - pattern: flask.request.stream + - pattern: flask.request.headers.get(...) + - pattern: flask.request.headers[...] + - pattern: flask.request.data + - pattern: flask.request.full_path + - pattern: flask.request.url + - pattern: flask.request.json + - pattern: flask.request.get_json() + - pattern: flask.request.view_args.get(...) + - pattern: flask.request.view_args[...] 
+ - patterns: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - focus-metavariable: $ROUTEVAR + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: subprocess.$FUNC(...) + - pattern-not: subprocess.$FUNC("...", ...) + - pattern-not: subprocess.$FUNC(["...", ...], ...) + - pattern-not-inside: | + $CMD = ["...", ...] + ... + subprocess.$FUNC($CMD, ...) + - patterns: + - pattern: subprocess.$FUNC(["$SHELL", "-c", ...], ...) + - metavariable-regex: + metavariable: $SHELL + regex: ^(sh|bash|ksh|csh|tcsh|zsh)$ + - patterns: + - pattern: subprocess.$FUNC(["$INTERPRETER", ...], ...) + - metavariable-regex: + metavariable: $INTERPRETER + regex: ^(python|python\d)$ + pattern-sanitizers: + - patterns: + - pattern: $DICT[$KEY] + - focus-metavariable: $KEY + severity: ERROR + message: >- + Detected user input entering a `subprocess` call unsafely. This could + result in a command injection vulnerability. An attacker could use this + vulnerability to execute arbitrary commands on the host, which allows + them to download malware, scan sensitive data, or run any command they + wish on the server. Do not let users choose the command to run. In general, + prefer to use Python API versions of system commands. If you must use subprocess, + use a dictionary to allowlist a set of commands. + metadata: + category: security + technology: + - flask + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + cwe: + - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" + references: + - https://semgrep.dev/docs/cheat-sheets/python-command-injection/ + confidence: HIGH + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: HIGH + impact: MEDIUM +- id: tainted-sql-string + message: >- + Detected user input used to manually construct a SQL string. This is usually + bad practice because manual construction could accidentally result in a SQL + injection. 
An attacker could use a SQL injection to steal or modify contents + of the database. Instead, use a parameterized query which is available + by default in most database engines. Alternatively, consider using an + object-relational mapper (ORM) such as SQLAlchemy which will protect your queries. + metadata: + cwe: + - 'CWE-704: Incorrect Type Conversion or Cast' + owasp: + - A01:2017 - Injection + - A03:2021 - Injection + references: + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql + - https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm + - https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column + category: security + technology: + - sqlalchemy + - flask + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + severity: ERROR + languages: + - python + mode: taint + pattern-sources: + - patterns: + - pattern-either: + - pattern: flask.request.$ANYTHING + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + pattern-sinks: + - patterns: + - pattern-either: + - pattern: | + "$SQLSTR" + ... + - pattern: | + "$SQLSTR" % ... + - pattern: | + "$SQLSTR".format(...) + - pattern: | + f"$SQLSTR{...}..." + - metavariable-regex: + metavariable: $SQLSTR + regex: \s*(?i)(select|delete|insert|create|update|alter|drop)\b.* +- id: tainted-url-host + languages: + - python + message: >- + User data flows into the host portion of this manually-constructed URL. + This could allow an attacker to send data to their own server, potentially + exposing sensitive data such as cookies or authorization information sent + with this request. They could also probe internal servers or other + resources that the server running this code can access. (This is called + server-side request forgery, or SSRF.) Do not allow arbitrary hosts. 
+ Instead, create an allowlist for approved hosts, or hardcode the correct host. + metadata: + cwe: + - 'CWE-918: Server-Side Request Forgery (SSRF)' + owasp: + - A10:2021 - Server-Side Request Forgery (SSRF) + references: + - https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html + category: security + technology: + - flask + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + impact: MEDIUM + likelihood: MEDIUM + confidence: MEDIUM + mode: taint + pattern-sinks: + - patterns: + - pattern-either: + - patterns: + - pattern: '"$URLSTR" % ...' + - metavariable-pattern: + metavariable: $URLSTR + language: generic + patterns: + - pattern-either: + - pattern: $SCHEME://%s + - pattern: $SCHEME://%r + - patterns: + - pattern: '"$URLSTR".format(...)' + - metavariable-pattern: + metavariable: $URLSTR + language: generic + pattern: $SCHEME:// { ... } + - patterns: + - pattern: '"$URLSTR" + ...' + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + - patterns: + - pattern: f"$URLSTR{...}..." + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + - patterns: + - pattern-inside: | + $URL = "$URLSTR" + ... + - pattern: $URL += ... + - metavariable-regex: + metavariable: $URLSTR + regex: .*://$ + pattern-sources: + - patterns: + - pattern-either: + - pattern: flask.request.$ANYTHING + - patterns: + - pattern-inside: | + @$APP.route(...) + def $FUNC(..., $ROUTEVAR, ...): + ... + - pattern: $ROUTEVAR + severity: WARNING +- id: eval-injection + languages: + - python + severity: ERROR + message: Detected user data flowing into eval. This is code injection and should be avoided. 
+ metadata: + cwe: + - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + owasp: + - A03:2021 - Injection + references: + - https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html + category: security + technology: + - flask + subcategory: + - vuln + likelihood: MEDIUM + impact: MEDIUM + confidence: MEDIUM + pattern-either: + - patterns: + - pattern: eval(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + eval(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: eval(..., <... flask.request.$W[...] ...>, ...) + - pattern: eval(..., <... flask.request.$W(...) ...>, ...) + - pattern: eval(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + eval(..., <... $INTERM ...>, ...) + - pattern: eval(...) +- id: exec-injection + languages: + - python + severity: ERROR + message: Detected user data flowing into exec. This is code injection and should be avoided. 
+ metadata: + cwe: + - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')" + owasp: + - A03:2021 - Injection + references: + - https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html + category: security + technology: + - flask + subcategory: + - vuln + likelihood: MEDIUM + impact: HIGH + confidence: MEDIUM + pattern-either: + - patterns: + - pattern: exec(...) + - pattern-either: + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + exec(..., <... $ROUTEVAR ...>, ...) + - pattern-inside: | + @$APP.route($ROUTE, ...) + def $FUNC(..., $ROUTEVAR, ...): + ... + $INTERM = <... $ROUTEVAR ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(..., <... flask.request.$W.get(...) ...>, ...) + - pattern: exec(..., <... flask.request.$W[...] ...>, ...) + - pattern: exec(..., <... flask.request.$W(...) ...>, ...) + - pattern: exec(..., <... flask.request.$W ...>, ...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W.get(...) ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W[...] ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W(...) ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + - patterns: + - pattern-inside: | + $INTERM = <... flask.request.$W ...> + ... + exec(..., <... $INTERM ...>, ...) + - pattern: exec(...) + + + + diff --git a/templates/petshoppinglist.html b/templates/petshoppinglist.html index ee7ea45..5d84002 100644 --- a/templates/petshoppinglist.html +++ b/templates/petshoppinglist.html @@ -38,18 +38,18 @@
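Review bot: The `cwe` metadata on the new `tainted-sql-string` rule reads `'CWE-704: Incorrect Type Conversion or Cast'`, which is the weakness the neighbouring nan-injection rule describes, while this rule's message, references and `$SQLSTR` sink are all about SQL injection; it looks like the entry was copied from the wrong rule. The matching weakness is `- "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"`. Anything that groups or filters findings by CWE (SARIF uploads, dashboards) would otherwise file SQL-string hits under type conversion. The hunk also ends with four empty `+` lines after `exec-injection`, which are harmless but worth trimming.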

WoW shopping list, find the cheapest price

- +
This list shows all itemIDs or petIDs you can pick from . - ex: 3390. + ex: 223144.
- -
maxPurchasePrice. Pick the most amount of gold you want to spend. ex: 3000
+ +
maxPurchasePrice. Pick the most amount of gold you want to spend. ex: 1000000
From 791cad96b3cd90c355ab6684ca43ed74a1b30681 Mon Sep 17 00:00:00 2001
From: alex
Date: Fri, 11 Oct 2024 15:48:41 -0400
Subject: [PATCH 2/2] trigger with linter
---
 .github/workflows/linters.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/linters.yaml b/.github/workflows/linters.yaml
index 13c372c..04f5bf0 100644
--- a/.github/workflows/linters.yaml
+++ b/.github/workflows/linters.yaml
@@ -4,11 +4,7 @@ name: Linters
 on:
 workflow_dispatch:
 pull_request:
- branches:
- - main
 push:
- branches:
- - main
 jobs:
 # TODO: Fix Bandit Vulns