Add RFS to sendgrid test

2025-12-22 11:46:32 +01:00 · 2021-11-08 10:33:57 +01:00
parent d316974157
commit f4a73fcc59
1 changed files with 39 additions and 35 deletions
--- a/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py
+++ b/python/ql/test/experimental/query-tests/Security/CWE-079/sendgrid_via_mail_send_post_request_body_bad.py
@@ -1,44 +1,48 @@
-# This tests that the developer doesn't pass tainted user data into the mail.send.post() method in the SendGrid library.
 import sendgrid
 import os
+from flask import request, Flask
+
+app = Flask(__name__)


-sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))
+@app.route("/sendgrid")
+def send():
+    sg = sendgrid.SendGridAPIClient(os.environ.get('SENDGRID_API_KEY'))

-data = {
-    "content": [
-        {
-            "type": "text/html",
-            "value": "<html><p>Hello, world!</p><img src=[CID GOES HERE]></img></html>"
-        }
-    ],
-    "from": {
-        "email": "sam.smith@example.com",
-        "name": "Sam Smith"
-    },
-    "headers": {},
-    "mail_settings": {
-        "footer": {
-            "enable": True,
-            "html": "<p>Thanks</br>The SendGrid Team</p>",
-            "text": "Thanks,/n The SendGrid Team"
+    data = {
+        "content": [
+            {
+                "type": "text/html",
+                "value": "<html>{}</html>".format(request.args["html_content"])
+            }
+        ],
+        "from": {
+            "email": "sam.smith@example.com",
+            "name": "Sam Smith"
        },
-    },
-    "reply_to": {
-        "email": "sam.smith@example.com",
-        "name": "Sam Smith"
-    },
-    "send_at": 1409348513,
-    "subject": "Hello, World!",
-    "template_id": "[YOUR TEMPLATE ID GOES HERE]",
-    "tracking_settings": {
-        "subscription_tracking": {
-            "enable": True,
-            "html": "If you would like to unsubscribe and stop receiving these emails <% clickhere %>.",
-            "substitution_tag": "<%click here%>",
-            "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>."
+        "headers": {},
+        "mail_settings": {
+            "footer": {
+                "enable": True,
+                "html": "<html>{}</html>".format(request.args["html_footer"]),
+                "text": "Thanks,/n The SendGrid Team"
+            },
+        },
+        "reply_to": {
+            "email": "sam.smith@example.com",
+            "name": "Sam Smith"
+        },
+        "send_at": 1409348513,
+        "subject": "Hello, World!",
+        "template_id": "[YOUR TEMPLATE ID GOES HERE]",
+        "tracking_settings": {
+            "subscription_tracking": {
+                "enable": True,
+                "html": "<html>{}</html>".format(request.args["html_tracking"]),
+                "substitution_tag": "<%click here%>",
+                "text": "If you would like to unsubscribe and stop receiving these emails <% click here %>."
+            }
        }
    }
-}

-response = sg.client.mail.send.post(request_body=data)
+    response = sg.client.mail.send.post(request_body=data)