mirror of
https://github.com/github/codeql.git
synced 2025-12-20 02:44:30 +01:00
18 lines
349 B
Python
18 lines
349 B
Python
import pathlib
|
|
|
|
from flask import Flask, request
|
|
app = Flask(__name__)
|
|
|
|
|
|
STATIC_DIR = pathlib.Path("/server/static/")
|
|
|
|
|
|
@app.route("/pathlib_use")
|
|
def path_injection():
|
|
filename = request.args.get('filename', '')
|
|
p = STATIC_DIR / filename
|
|
p.open() # $ result=BAD
|
|
|
|
p2 = pathlib.Path(STATIC_DIR, filename)
|
|
p2.open() # $ result=BAD
|