hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
codeql-cli-2.21.1
codeql/python/ql/test/query-tests/Security/CWE-502-UnsafeDeserialization/unsafe_deserialization.py

24 lines
471 B
Python
Raw Permalink Blame History

import flask
import pickle
import yaml
import marshal
from yaml import SafeLoader
from flask import Flask, request
app = Flask(__name__)
@app.route("/")
def hello():
payload = request.args.get("payload")
pickle.loads(payload) # NOT OK
yaml.load(payload) # NOT OK
yaml.load(payload, Loader=SafeLoader) # OK
marshal.loads(payload) # NOT OK
import dill
dill.loads(payload) # NOT OK
import pandas
pandas.read_pickle(payload) # NOT OK
Reference in New Issue View Git Blame Copy Permalink