mirror of
https://github.com/github/codeql.git
synced 2025-12-19 18:33:16 +01:00
The example code is just copied from the command injection tests; that is not too important. The important part is that `jumpStep` says there is flow from the import of `os` to `app.route()` :O
12 lines
227 B
Python
# Test case: an untrusted query parameter reaches os.system (command injection sink)
import os

from flask import Flask, request

app = Flask(__name__)


@app.route("/command1")
def command_injection1():
    files = request.args.get('files', '')
    # Don't let files be `; rm -rf /`
    os.system("ls " + files)