Python : Add Flask sinks for path injection query

2026-05-03 12:45:27 +02:00 · 2021-07-20 02:03:48 +05:30
parent 0d161bec7a
commit 4fd3f212f8
2 changed files with 42 additions and 1 deletions
--- a/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py
+++ b/python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py
@@ -1,6 +1,17 @@
-from flask import Flask, request
+from flask import Flask, request, send_from_directory, send_file
 app = Flask(__name__)

@app.route("/save-uploaded-file")  # $routeSetup="/save-uploaded-file"
 def test_taint():  # $requestHandler
    request.files['key'].save("path") # $ getAPathArgument="path"
+
+
+@app.route("/path-injection")  # $routeSetup="/path-injection"
+def test_path():  # $requestHandler
+
+    flask.send_from_directory("filepath","file")  # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_file("file")  # $ getAPathArgument="file"
+    
+    flask.send_from_directory(directory="filepath","file") # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_from_directory(filename="filepath","file") # $ getAPathArgument="filepath" getAPathArgument="file"
+    flask.send_file(filename_or_fp="file")  # $ getAPathArgument="file"