Comments (4)
KevinHock
commented on May 16, 2024
Do you have an example?
from pyt.
Thalmann
commented on May 16, 2024
When using flask pagination for instance on this project:
https://github.com/luoluohang/flask_blog/blob/master/app/api_1_0/posts.py
Running pyt on that project yields amongst others this potential vulnerability:
luoluohang/flask_blog
https://github.com/luoluohang/flask_blog
Entry file: flask_blog/app/init.py
Scanned: 2017-04-23 10:16:50.999286
Vulnerability 1:
File: flask_blog/app/api_1_0/posts.py
User input at line 11, trigger word "get(":
page = request.args.get('page', 1,type=int)
Reassigned in:
File: flask_blog/app/api_1_0/posts.py
> Line 12: pagination = Post.query.paginate(page,per_page=current_app.config['FLASKY_POSTS_PER_PAGE'], error_out=False)
File: flask_blog/app/api_1_0/posts.py
> Line 14: posts = pagination.items
File: flask_blog/app/api_1_0/posts.py
> Line 15: prev = None
File: flask_blog/app/api_1_0/posts.py
> Line 18: next = None
File: flask_blog/app/api_1_0/posts.py
reaches line 17, trigger word "url_for(":
prev = url_for('api.get_posts',page=page - 1, _external=True)
Let me know if this makes sense :)
from pyt.
KevinHock
commented on May 16, 2024
So I'm pretty sure this should be solved with the blackbox mapping
(venv) Kevins-MacBook-Pro:pyt kevin$ python -m pyt -f foo.py -i
/usr/local/Cellar/python3/3.6.1/Frameworks/Python.framework/Versions/3.6/lib/python3.6/runpy.py:125: RuntimeWarning: 'pyt.__main__' found in sys.modules after import of package 'pyt', but prior to execution of 'pyt.__main__'; this may result in unpredictable behaviour
warn(RuntimeWarning(msg))
Is the return value of ~call_2 = ret_Post.query.paginate(page, per_page=current_app.config['FLASKY_POSTS_PER_PAGE'], error_out=False) with tainted argument "page" vulnerable? (Y/n)n
2 vulnerabilities found:
Vulnerability 1:
File: foo.py
> User input at line 3, trigger word "request.args.get(":
~call_1 = ret_request.args.get('page', 1, type=int)
Reassigned in:
File: foo.py
> Line 3: page = ~call_1
File: foo.py
> reaches line 9, trigger word "url_for(":
~call_3 = ret_url_for('api.get_posts', page=page - 1, _external=True)
Vulnerability 2:
File: foo.py
> User input at line 3, trigger word "request.args.get(":
~call_1 = ret_request.args.get('page', 1, type=int)
Reassigned in:
File: foo.py
> Line 3: page = ~call_1
File: foo.py
> reaches line 12, trigger word "url_for(":
~call_4 = ret_url_for('api.get_posts', page=page + 1, _external=True)
(venv) Kevins-MacBook-Pro:pyt kevin$ git status
On branch check_travis
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git checkout -- <file>..." to discard changes in working directory)
modified: foo.py
modified: pyt/vulnerability_definitions/blackbox_mapping.json
no changes added to commit (use "git add" and/or "git commit -a")
(venv) Kevins-MacBook-Pro:pyt kevin$ git diff pyt/vulnerability_definitions/blackbox_mapping.json
diff --git a/pyt/vulnerability_definitions/blackbox_mapping.json b/pyt/vulnerability_definitions/blackbox_mapping.json
index fbb229e..124e0d4 100644
--- a/pyt/vulnerability_definitions/blackbox_mapping.json
+++ b/pyt/vulnerability_definitions/blackbox_mapping.json
@@ -1,7 +1,8 @@
{
"does_not_propagate": [
"fast_eddie",
- "url_for"
+ "url_for",
+ "Post.query.paginate"
],
"propagates": [
"os.path.join",
(venv) Kevins-MacBook-Pro:pyt kevin$ from pyt.
KevinHock
commented on May 16, 2024
As an aside: Why is url_for a sink? Maybe I don't know that much about Flask
from pyt.
Related Issues (20)
- Use function summaries instead of inlining
- [Question] Can I install in windows? If can, how to install it? HOT 1
- OSError: Input needs to be a file. Path: <path>/app.py HOT 3
- python3.7 support HOT 1
- AttributeError: 'IgnoredNode' object has no attribute 'first_statement'
- RecursionError: maximum recursion depth exceeded while calling a Python object HOT 3
- Control flow incorrect if imported functions have the same name HOT 2
- Sources and sinks should propagate
- Inappropriate ioctl using Ubuntu and pty HOT 3
- How to put it inside the proxy? HOT 1
- How to handle callbacks HOT 2
- Fails on Python 3.9.0 HOT 7
- o HOT 1
- pyt usually picks the wrong encoding to load files HOT 1
- args is empty in BBorBInode when CFG generated
- RFH: jsonpickle security detection HOT 1
- .
- Teste
- H
- real
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pyt.