Add HtmlContent additional taint step

2026-05-02 12:15:17 +02:00 · 2021-11-08 10:23:50 +01:00
parent 356b07112a
commit d316974157
2 changed files with 44 additions and 16 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_mail.py
@@ -1,30 +1,44 @@
 from flask import request, Flask
 from sendgrid import SendGridAPIClient
-from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType
+from sendgrid.helpers.mail import Mail, Email, To, Content, MimeType, HtmlContent

 app = Flask(__name__)

+
@app.route("/send")
 def send():
-  message = Mail(
-      from_email='from_email@example.com',
-      to_emails='to@example.com',
-      subject='Sending with Twilio SendGrid is Fun',
-      html_content=request.args["html_content"])
+    message = Mail(
+        from_email='from_email@example.com',
+        to_emails='to@example.com',
+        subject='Sending with Twilio SendGrid is Fun',
+        html_content=request.args["html_content"])
+
+    sg = SendGridAPIClient('SENDGRID_API_KEY')
+    sg.send(message)
+
+
+@app.route("/send-HtmlContent")
+def send():
+    message = Mail(
+        from_email='from_email@example.com',
+        to_emails='to@example.com',
+        subject='Sending with Twilio SendGrid is Fun',
+        html_content=HtmlContent(request.args["html_content"]))
+
+    sg = SendGridAPIClient('SENDGRID_API_KEY')
+    sg.send(message)

-  sg = SendGridAPIClient('SENDGRID_API_KEY')
-  sg.send(message)

@app.route("/send_post")
 def send_post():
-  from_email = Email("test@example.com")
-  to_email = To("test@example.com")
-  subject = "Sending with SendGrid is Fun"
-  content = Content("text/html", request.args["html_content"]) 
+    from_email = Email("test@example.com")
+    to_email = To("test@example.com")
+    subject = "Sending with SendGrid is Fun"
+    content = Content("text/html", request.args["html_content"])

-  content = Content(MimeType.html, request.args["html_content"]) 
+    content = Content(MimeType.html, request.args["html_content"])

-  mail = Mail(from_email, to_email, subject, content)
+    mail = Mail(from_email, to_email, subject, content)

-  sg = SendGridAPIClient(api_key='SENDGRID_API_KEY')
-  response = sg.client.mail.send.post(request_body=mail.get())
+    sg = SendGridAPIClient(api_key='SENDGRID_API_KEY')
+    response = sg.client.mail.send.post(request_body=mail.get())