Python: Move ExternalAPI queries back under Security

This was raised as a question at review, and I don't really have a good enough argument for moving it under POI. At the end of the day, they are _security_ related enough I guess :)
2026-05-02 04:05:14 +02:00 · 2021-02-17 11:29:33 +01:00
parent dec026a820
commit cf9ad0cdc5
14 changed files with 2 additions and 2 deletions
--- a/python/ql/test/query-tests/Security/ExternalAPIs/test.py
+++ b/python/ql/test/query-tests/Security/ExternalAPIs/test.py
@@ -0,0 +1,37 @@
+import hashlib
+import hmac
+import base64
+
+from flask import Flask, request, make_response
+app = Flask(__name__)
+
+SECRET_KEY = b"SECRET_KEY"
+
+
+@app.route("/hmac-example")
+def hmac_example():
+    data_raw = request.args.get("data").encode('utf-8')
+    data = base64.decodebytes(data_raw)
+    my_hmac = hmac.new(SECRET_KEY, data, hashlib.sha256)
+    digest = my_hmac.digest()
+    print(digest)
+    return "ok"
+
+
+@app.route("/unknown-lib-1")
+def unknown_lib_1():
+    from unknown.lib import func
+    data = request.args.get("data")
+    func(data) # TODO: currently not recognized
+
+
+@app.route("/unknown-lib-2")
+def unknown_lib_2():
+    import unknown.lib
+    data = request.args.get("data")
+    unknown.lib.func(data) # TODO: currently not recognized
+
+
+if __name__ == "__main__":
+    # http://127.0.0.1:5000/hmac-example?data=aGVsbG8gd29ybGQh
+    app.run(debug=True)