codeql/python/ql/test/query-tests/Security/CWE-943-NoSqlInjection/PoC/readme.md
Rasmus Lerchedahl Petersen 114984bd8c Python: Added tests based on security analysis
currently we do not:
- recognize the pattern
   `{'author': {"$eq": author}}` as protected
- recognize arguments to `$where` (and friends)
   as vulnerable
2023-09-07 10:22:37 +02:00


Tutorials:

I recommend creating a virtual environment with venv and then installing dependencies via

python -m pip install -r requirements.txt

Start MongoDB:

mongod --config /usr/local/etc/mongod.conf --fork

Run the Flask app:

flask --app server run

Navigate to the root to see routes. For each route try to get the system to reveal the person in the database. If you know the name, you can just input it, but in some cases you can get to the person without knowing the name!
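The two query patterns the commit message contrasts, shown as an added example that is not part of the PoC or of CodeQL: a small in-memory stand-in for the people collection (constructed data, no MongoDB needed) models the documented rule that a query value is an operator expression only when it is a document whose keys all start with `$`, while the argument of `$eq` is compared literally. The names `PEOPLE`, `find`, `unsafe_author_filter` and `protected_author_filter` are assumptions, not the PoC's own route code.

```python
from typing import Any

# Constructed stand-in for the PoC's people collection; no MongoDB required.
PEOPLE = [
    {"name": "Ada Lovelace", "author": "ada"},
    {"name": "Bob Builder", "author": "bob"},
]


def _is_operator_doc(value: Any) -> bool:
    # MongoDB reads a query value as an operator expression only when it is a
    # non-empty document whose keys all start with "$".
    return isinstance(value, dict) and bool(value) and all(k.startswith("$") for k in value)


def _field_matches(stored: Any, cond: Any) -> bool:
    # Minimal model of MongoDB comparison semantics: $eq and $ne are honoured,
    # any other value (string, dict without operator keys) is compared literally.
    if not _is_operator_doc(cond):
        return stored == cond
    for op, arg in cond.items():
        if op == "$eq":
            # The argument of $eq is a literal, so a dict arriving here from a
            # JSON body is compared as a plain document, never evaluated.
            if stored != arg:
                return False
        elif op == "$ne":
            if stored == arg:
                return False
        else:
            raise ValueError(f"operator {op} is not modelled here")
    return True


def find(filter_doc: dict) -> list:
    """Return the PEOPLE documents matching every field condition in filter_doc."""
    return [p for p in PEOPLE
            if all(_field_matches(p.get(field), cond) for field, cond in filter_doc.items())]


def unsafe_author_filter(author: Any) -> dict:
    # Pattern the analysis flags: whatever the JSON body supplied (string or dict)
    # lands directly in the query and may be interpreted as an operator.
    return {"author": author}


def protected_author_filter(author: Any) -> dict:
    # Pattern the commit treats as protected: $eq forces a literal comparison.
    return {"author": {"$eq": author}}
```

With a plain name both filters behave the same; the difference only appears when the request body carries a non-string value, which is exactly the case the `$eq` wrapper (or a type check before the query) is there to neutralise.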