hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 18:33:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
a91cf6b7cba78087cc011eea9cd15555c07a0c29
codeql/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py
REDMOND\brodes a91cf6b7cb Applying copilot PR suggestions.
2026-02-10 11:37:11 -05:00

51 lines
2.0 KiB
Python
Raw Blame History

from flask import request # $ Source[py/full-ssrf]
from AntiSSRF import AntiSSRFPolicy
import requests
def ssrf_test1():
user_input = request.args['untrusted_input']
# NOT OK -- user has full control
requests.get(user_input) # $ Alert[py/full-ssrf]
# since `requests`` always uses complete URLs, it's not interesting to test more of
# the framework directly. See `full_partial_test.py` for different ways to do SSRF.
def ssrf_test2():
user_input = request.args['untrusted_input']
# NOT OK -- user has full control
session = requests.Session()
session.get(user_input) # $ Alert[py/full-ssrf]
def ssrf_test3():
user_input = request.args['untrusted_input']
# NOT OK -- user has full control
response = requests.request('<method>', user_input) # $ Alert[py/full-ssrf]
def ssrf_test_with_policy1():
user_input = request.args['untrusted_input']
policy = AntiSSRFPolicy()
session = policy.get_antissrf_session()
# OK -- dangerous user input is filtered by AntiSSRFPolicy
response = session.get(user_input)
def ssrf_test_with_policy2():
user_input = request.args['untrusted_input']
policy = AntiSSRFPolicy()
session = policy.get_antissrf_session()
# overwriting the HTTPAdapter to default requests adapter
# this makes the session unsafe again
session.mount("http://", requests.adapters.HTTPAdapter())
# NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy
# TODO: not currently a scenario we detect.
session.get(user_input) # $ MISSING: Alert[py/full-ssrf]
def ssrf_test_with_policy3(adapter):
user_input = request.args['untrusted_input']
policy = AntiSSRFPolicy()
session = policy.get_antissrf_session()
# overwriting the HTTPAdapter to a custom requests adapter
# this could make the session unsafe again
session.mount("http://", adapter)
# NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy
# TODO: not currently a scenario we detect.
session.get(user_input) # $ MISSING: Alert[py/full-ssrf]
Reference in New Issue View Git Blame Copy Permalink