mirror of
https://github.com/github/codeql.git
synced 2025-12-22 19:56:32 +01:00
Merge branch 'jty/python/emailInjection' of https://github.com/jty-team/codeql into jty/python/emailInjection
This commit is contained in:
jorgectf
@@ -122,7 +122,6 @@ private module Sendgrid {
|
||||
)
|
||||
or
|
||||
exists(KeyValuePair content, Dict generalDict, KeyValuePair typePair, KeyValuePair valuePair |
|
||||
// find L33
|
||||
content.getKey().(Str_).getS() = "content" and
|
||||
content.getValue().(List).getAnElt() = generalDict and
|
||||
// declare KeyValuePairs keys and values
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
# https://data-flair.training/blogs/django-send-email/
|
||||
# Using flask for RFS and django.core.mail as email library
|
||||
|
||||
from flask import request, Flask
|
||||
from django.core.mail import send_mail, mail_admins, mail_managers
|
||||
|
||||
@@ -9,15 +6,18 @@ app = Flask(__name__)
|
||||
@app.route("/send")
|
||||
def send():
|
||||
"""
|
||||
The Django.core.mail#send_mail function source code can be found in the link below:
|
||||
https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L38
|
||||
|
||||
Apparently there's no html_message in send_mass_mail: https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64
|
||||
send_mass_mail does not provide html_message as an argument to it's function. See the link below for more info:
|
||||
https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L64
|
||||
"""
|
||||
send_mail("Subject", "plain-text body", "from@example.com", ["to@example.com"], html_message=request.args("html"))
|
||||
|
||||
@app.route("/internal")
|
||||
def internal():
|
||||
"""
|
||||
The Django.core.mail#mail_admins and Django.core.mail#mail_managers functions source code can be found in the link below:
|
||||
https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/mail/__init__.py#L90-L121
|
||||
"""
|
||||
mail_admins("Subject", "plain-text body", html_message=request.args("html"))
|
||||
|
||||
@@ -1,6 +1,3 @@
|
||||
# https://pythonhosted.org/Flask-Mail/
|
||||
# https://github.com/mattupstate/flask-mail/blob/1709c70d839a7cc7b1f7eeb97333b71cd420fe32/flask_mail.py#L239
|
||||
|
||||
from flask import request, Flask
|
||||
from flask_mail import Mail, Message
|
||||
|
||||
@@ -17,6 +14,7 @@ def send():
|
||||
|
||||
# The message can contain a body and/or HTML:
|
||||
msg.body = "plain-text body"
|
||||
# The email's HTML can be set via msg.html or as an initialize argument when creating a Message object.
|
||||
msg.html = request.args["html"]
|
||||
|
||||
mail.send(msg)
|
||||
|
||||
@@ -1,5 +1,3 @@
|
||||
# https://www.twilio.com/blog/how-to-send-emails-in-python-with-sendgrid
|
||||
|
||||
from flask import request, Flask
|
||||
from sendgrid import SendGridAPIClient
|
||||
from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType
|
||||
@@ -24,7 +22,6 @@ def send_post():
|
||||
subject = "Sending with SendGrid is Fun"
|
||||
content = Content("text/html", request.args["html_content"])
|
||||
|
||||
# https://github.com/sendgrid/sendgrid-python/blob/cf0924c35c37bbec8e5ca39e963a55f54f0eec11/sendgrid/helpers/mail/mime_type.py#L1
|
||||
content = Content(MimeType.html, request.args["html_content"])
|
||||
|
||||
mail = Mail(from_email, to_email, subject, content)
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
# This tests that the developer doesn't pass tainted user data into the mail.send.post() method in the SendGrid library.
|
||||
# source :https://github.com/sendgrid/sendgrid-python
|
||||
import sendgrid
|
||||
import os
|
||||
|
||||
@@ -7,135 +6,32 @@ import os
|
||||
sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))
|
||||
|
||||
data = {
|
||||
"asm": {
|
||||
"group_id": 1,
|
||||
"groups_to_display": [
|
||||
1,
|
||||
2,
|
||||
3
|
||||
]
|
||||
},
|
||||
"attachments": [
|
||||
{
|
||||
"content": "[BASE64 encoded content block here]",
|
||||
"content_id": "ii_139db99fdb5c3704",
|
||||
"disposition": "inline",
|
||||
"filename": "file1.jpg",
|
||||
"name": "file1",
|
||||
"type": "jpg"
|
||||
}
|
||||
],
|
||||
"batch_id": "[YOUR BATCH ID GOES HERE]",
|
||||
"categories": [
|
||||
"category1",
|
||||
"category2"
|
||||
],
|
||||
"content": [
|
||||
{
|
||||
"type": "text/html",
|
||||
"value": "<html><p>Hello, world!</p><img src=[CID GOES HERE]></img></html>"
|
||||
}
|
||||
],
|
||||
"custom_args": {
|
||||
"New Argument 1": "New Value 1",
|
||||
"activationAttempt": "1",
|
||||
"customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
|
||||
},
|
||||
"from": {
|
||||
"email": "sam.smith@example.com",
|
||||
"name": "Sam Smith"
|
||||
},
|
||||
"headers": {},
|
||||
"ip_pool_name": "[YOUR POOL NAME GOES HERE]",
|
||||
"mail_settings": {
|
||||
"bcc": {
|
||||
"email": "ben.doe@example.com",
|
||||
"enable": True
|
||||
},
|
||||
"bypass_list_management": {
|
||||
"enable": True
|
||||
},
|
||||
"footer": {
|
||||
"enable": True,
|
||||
"html": "<p>Thanks</br>The SendGrid Team</p>",
|
||||
"text": "Thanks,/n The SendGrid Team"
|
||||
},
|
||||
"sandbox_mode": {
|
||||
"enable": False
|
||||
},
|
||||
"spam_check": {
|
||||
"enable": True,
|
||||
"post_to_url": "http://example.com/compliance",
|
||||
"threshold": 3
|
||||
}
|
||||
},
|
||||
"personalizations": [
|
||||
{
|
||||
"bcc": [
|
||||
{
|
||||
"email": "sam.doe@example.com",
|
||||
"name": "Sam Doe"
|
||||
}
|
||||
],
|
||||
"cc": [
|
||||
{
|
||||
"email": "jane.doe@example.com",
|
||||
"name": "Jane Doe"
|
||||
}
|
||||
],
|
||||
"custom_args": {
|
||||
"New Argument 1": "New Value 1",
|
||||
"activationAttempt": "1",
|
||||
"customerAccountNumber": "[CUSTOMER ACCOUNT NUMBER GOES HERE]"
|
||||
},
|
||||
"headers": {
|
||||
"X-Accept-Language": "en",
|
||||
"X-Mailer": "MyApp"
|
||||
},
|
||||
"send_at": 1409348513,
|
||||
"subject": "Hello, World!",
|
||||
"substitutions": {
|
||||
"id": "substitutions",
|
||||
"type": "object"
|
||||
},
|
||||
"to": [
|
||||
{
|
||||
"email": "john.doe@example.com",
|
||||
"name": "John Doe"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"reply_to": {
|
||||
"email": "sam.smith@example.com",
|
||||
"name": "Sam Smith"
|
||||
},
|
||||
"sections": {
|
||||
"section": {
|
||||
":sectionName1": "section 1 text",
|
||||
":sectionName2": "section 2 text"
|
||||
}
|
||||
},
|
||||
"send_at": 1409348513,
|
||||
"subject": "Hello, World!",
|
||||
"template_id": "[YOUR TEMPLATE ID GOES HERE]",
|
||||
"tracking_settings": {
|
||||
"click_tracking": {
|
||||
"enable": True,
|
||||
"enable_text": True
|
||||
},
|
||||
"ganalytics": {
|
||||
"enable": True,
|
||||
"utm_campaign": "[NAME OF YOUR REFERRER SOURCE]",
|
||||
"utm_content": "[USE THIS SPACE TO DIFFERENTIATE YOUR EMAIL FROM ADS]",
|
||||
"utm_medium": "[NAME OF YOUR MARKETING MEDIUM e.g. email]",
|
||||
"utm_name": "[NAME OF YOUR CAMPAIGN]",
|
||||
"utm_term": "[IDENTIFY PAID KEYWORDS HERE]"
|
||||
},
|
||||
"open_tracking": {
|
||||
"enable": True,
|
||||
"substitution_tag": "%opentrack"
|
||||
},
|
||||
"subscription_tracking": {
|
||||
"enable": True,
|
||||
"html": "If you would like to unsubscribe and stop receiving these emails <% clickhere %>.",
|
||||
|
||||
@@ -1,6 +1,4 @@
|
||||
# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart initializer via the subparts parameter.
|
||||
|
||||
# source꞉ https꞉//www.programcreek.com/python/example/53141/email.MIMEMultipart.MIMEMultipart
|
||||
from flask import Flask, request
|
||||
import json
|
||||
import smtplib, ssl
|
||||
@@ -11,9 +9,8 @@ app = Flask(__name__)
|
||||
|
||||
@app.route("/")
|
||||
def email_person():
|
||||
sender_email = "my@gmail.com"
|
||||
receiver_email = "your@gmail.com"
|
||||
password = input("Type your password and press enter:")
|
||||
sender_email = "sender@gmail.com"
|
||||
receiver_email = "receiver@example.com"
|
||||
|
||||
name = request.args['search']
|
||||
# Create the plain-text and HTML version of your message
|
||||
@@ -33,7 +30,7 @@ def email_person():
|
||||
context = ssl.create_default_context()
|
||||
server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context);
|
||||
|
||||
server.login(sender_email, password)
|
||||
server.login(sender_email, "SERVER_PASSWORD")
|
||||
server.sendmail(
|
||||
sender_email, receiver_email, message.as_string()
|
||||
)
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
# This test checks that the developer doesn't pass a MIMEText instance to a MIMEMultipart message.
|
||||
# source꞉ https꞉//realpython.com/python-send-email/
|
||||
from flask import Flask, request
|
||||
import json
|
||||
import smtplib, ssl
|
||||
@@ -10,9 +9,8 @@ app = Flask(__name__)
|
||||
|
||||
@app.route("/")
|
||||
def email_person():
|
||||
sender_email = "my@gmail.com"
|
||||
receiver_email = "your@gmail.com"
|
||||
password = input("Type your password and press enter:")
|
||||
sender_email = "sender@gmail.com"
|
||||
receiver_email = "receiver@example.com"
|
||||
|
||||
message = MIMEMultipart("alternative")
|
||||
message["Subject"] = "multipart test"
|
||||
@@ -22,7 +20,7 @@ def email_person():
|
||||
name = request.args['name']
|
||||
# Create the plain-text and HTML version of your message
|
||||
text = "hello there"
|
||||
html = f"hello {name}" # here is the exploit. passing vulnerable data into the html portion of the email
|
||||
html = f"hello {name}"
|
||||
|
||||
# Turn these into plain/html MIMEText objects
|
||||
part1 = MIMEText(text, "plain")
|
||||
@@ -37,7 +35,7 @@ def email_person():
|
||||
context = ssl.create_default_context()
|
||||
server = smtplib.SMTP_SSL("smtp.gmail.com", 465, context=context)
|
||||
|
||||
server.login(sender_email, password)
|
||||
server.login(sender_email, "SERVER_PASSWORD")
|
||||
server.sendmail(
|
||||
sender_email, receiver_email, message.as_string()
|
||||
)
|
||||
|
||||
Reference in New Issue
Block a user