hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cs/assembly-prefix
codeql/python/ql/test/library-tests/web/django/test.py
Mark Shannon 90bbfd3b16 Python: Add library tests for django.
2019-04-26 16:21:46 +01:00

41 lines
1.3 KiB
Python
Raw Permalink Blame History

from django.conf.urls import patterns, url
from django.db import connection, models
from django.db.models.expressions import RawSQL
from django.http.response import HttpResponse
import base64
class Name(models.Model):
pass
def save_name(request):
if request.method == 'POST':
name = request.POST.get('name')
curs = connection.cursor()
#GOOD -- Using parameters
curs.execute(
"insert into names_file ('name') values ('%s')", name)
#BAD -- Using string formatting
curs.execute(
"insert into names_file ('name') values ('%s')" % name)
#BAD -- other ways of executing raw SQL code with string interpolation
Name.objects.annotate(RawSQL("insert into names_file ('name') values ('%s')" % name))
Name.objects.raw("insert into names_file ('name') values ('%s')" % name)
Name.objects.extra("insert into names_file ('name') values ('%s')" % name)
urlpatterns1 = patterns(url(r'^save_name/$',
save_name, name='save_name'))
def maybe_xss(request):
first_name = request.POST.get('first_name', '')
resp = HttpResponse()
resp.write("first name is " + first_name)
return resp
urlpatterns2 = [
# Route to code_execution
url(r'^maybe_xss$', maybe_xss, name='maybe_xss')
]
Reference in New Issue View Git Blame Copy Permalink