codeql/python/ql/test/experimental/query-tests/Security/CWE-611/test.py
Rasmus Wriedt Larsen f72f673e7e Python: Update XmlEntityInjection.expected
I had forgotten about this, but better late than never... also added a
small representative test
2022-03-03 21:18:18 +01:00


from flask import Flask, request
import lxml.etree
# Flask app the handlers below are registered on. It is never run from this
# file: the path (ql/test/.../CWE-611/test.py) marks it as a CodeQL query test
# fixture whose only job is to present XXE source->sink patterns to the query.
app = Flask(__name__)
@app.route("/vuln-handler")
def vuln_handler():
    """Intentionally vulnerable fixture: parse attacker-controlled XML with
    lxml's default parser.

    The query-string value is passed straight to ``lxml.etree.fromstring``
    with no parser options, so entity handling is whatever lxml does by
    default. This is the XXE (CWE-611) flow the XmlEntityInjection query is
    expected to report; it must stay vulnerable, do not "fix" it.
    """
    # Source: untrusted request parameter. A missing key raises KeyError,
    # which Flask presumably maps to a 400 -- not the concern of this test.
    xml_content = request.args['xml_content']
    # Sink: default parser, no hardening. NOTE(review): ``.text`` is None for
    # a root element with no text, and a None return is not a valid Flask
    # response -- harmless in a fixture, but do not copy this shape into
    # production code.
    return lxml.etree.fromstring(xml_content).text
@app.route("/safe-handler")
def safe_handler():
    """Sanitised counterpart of ``vuln_handler``: same untrusted input, but
    parsed with ``resolve_entities=False``.

    Turning off entity substitution is the standard lxml XXE mitigation, so
    the query is expected to treat this flow as safe (no alert). Every other
    parser option is left at lxml's default.
    """
    xml_content = request.args['xml_content']
    # The only thing that differs from vuln_handler: entity references are
    # not expanded, so an external entity cannot be used to read files or
    # reach out to a URL. NOTE(review): the DOCTYPE is still parsed; this
    # flag stops substitution, it does not reject the DTD itself.
    parser = lxml.etree.XMLParser(resolve_entities=False)
    return lxml.etree.fromstring(xml_content, parser=parser).text
@app.route("/super-vuln-handler")
def super_vuln_handler():
    """Worst-case fixture: every relevant parser option set the unsafe way.

    Each flag below widens the attack surface beyond ``vuln_handler``; the
    query is expected to flag this sink as well. Kept vulnerable on purpose.
    """
    xml_content = request.args['xml_content']
    parser = lxml.etree.XMLParser(
        # allows XXE: entity references, including external ones, are expanded
        resolve_entities=True,
        # allows remote XXE: the parser may open network connections while
        # resolving external entities and DTDs
        no_network=False,
        # together with `no_network=False`, allows DTD retrieval from an
        # attacker-chosen location (and that DTD can itself declare entities)
        load_dtd=True,
        # allows DoS attacks: lifts libxml2's built-in size/depth limits, so
        # entity-expansion ("billion laughs") payloads are no longer capped
        huge_tree=True,
    )
    return lxml.etree.fromstring(xml_content, parser=parser).text