mirror of
https://github.com/github/codeql.git
synced 2026-04-30 19:26:02 +02:00
1ceb963d4c
This PR adds support for detecting XSLT injection in Python. I have included the ql files as well as the tests with this.
15 lines
335 B
Python
15 lines
335 B
Python
from lxml import etree
|
|
from io import StringIO
|
|
from flask import Flask, request
|
|
|
|
app = Flask(__name__)
|
|
|
|
|
|
@app.route("/xslt")
|
|
def bad():
|
|
xsltQuery = request.args.get('xml', '')
|
|
xslt_root = etree.XML(xsltQuery)
|
|
f = StringIO('<foo><bar></bar></foo>')
|
|
tree = etree.parse(f)
|
|
result_tree = tree.xslt(xslt_root) # Not OK
|