import flask
import json
# Flask application the route decorators below register their views on.
# The views exist as Semgrep fixtures for the `path-traversal-open` rule:
# each `# ruleid:` line must be reported, each `# ok:` line must not.
app = flask.Flask(__name__)
@app.route("/route_param/<route_param>")
def route_param(route_param):
    """Fixture (must be flagged): URL path segment passed straight to open().

    `route_param` is request-controlled and used unmodified as the file
    path, so the request chooses which file is read and returned.
    """
    print("blah")
    # ruleid: path-traversal-open
    return open(route_param, 'r').read()
@app.route("/route_param_ok/<route_param>")
def route_param_ok(route_param):
    """Fixture (must NOT be flagged): the path is a string literal.

    `route_param` is accepted by the route but never reaches open(), so
    no request data influences the file that is opened.
    """
    print("blah")
    # ok: path-traversal-open
    return open("this is safe", 'r').read()
@app.route("/route_param_with/<route_param>")
def route_param_with(route_param):
    """Fixture (must be flagged): request-controlled path in a `with open()`.

    Same sink as `route_param`, but the rule has to match open() used as
    a context manager rather than as a bare call expression.
    """
    print("blah")
    # ruleid: path-traversal-open
    with open(route_param, 'r') as fout:
        return fout.read()
@app.route("/route_param_with_ok/<route_param>")
def route_param_with_ok(route_param):
    """Fixture (must NOT be flagged): literal path in a `with open()`.

    Counterpart of `route_param_with`; `route_param` is unused and the
    path is a constant, so this is the negative case for the context
    manager form.
    """
    print("blah")
    # ok: path-traversal-open
    with open("this is safe", 'r') as fout:
        return fout.read()
@app.route("/route_param_with_concat/<route_param>")
def route_param_with_concat(route_param):
    """Fixture (must be flagged): request data concatenated into the path.

    Appending a fixed suffix (`".csv"`) does not make the path safe; the
    rule is expected to report open() whenever request data is part of
    the path argument, not only when it is the whole argument.
    """
    print("blah")
    # ruleid: path-traversal-open
    with open(route_param + ".csv", 'r') as fout:
        return fout.read()
@app.route("/get_param", methods=["GET"])
def get_param():
    """Fixture (must be flagged): query-string value used as a write path.

    `param` comes from `flask.request.args`, so the request selects the
    file that is opened for writing. The handle is never closed and the
    view returns nothing; the fixture only exercises the open() sink and
    is not meant to be served.
    """
    param = flask.request.args.get("param")
    # ruleid: path-traversal-open
    f = open(param, 'w')
    f.write("hello world")
@app.route("/get_param_inline_concat", methods=["GET"])
def get_param_inline_concat():
    """Fixture (must be flagged): request.args read inline inside open().

    There is no intermediate variable; the rule has to recognise
    `flask.request.args.get(...)` concatenated directly into the path
    argument. The `"echo "` prefix is just a literal and does not remove
    the request's control over the path.
    """
    # ruleid: path-traversal-open
    return open("echo " + flask.request.args.get("param"), 'r').read()
@app.route("/get_param_concat", methods=["GET"])
def get_param_concat():
    """Fixture (must be flagged): query value plus `".csv"` as the path.

    The variable form of `get_param_inline_concat`: request data is
    stored in `param` first, then concatenated into the open() argument.
    """
    param = flask.request.args.get("param")
    # ruleid: path-traversal-open
    return open(param + ".csv", 'r').read()
@app.route("/get_param_format", methods=["GET"])
def get_param_format():
    """Fixture (must be flagged): request data embedded via str.format().

    Exercises the `"{}".format(param)` spelling of path construction;
    also the only fixture that calls open() without an explicit mode.
    """
    param = flask.request.args.get("param")
    # ruleid: path-traversal-open
    return open("{}.csv".format(param)).read()
@app.route("/get_param_percent_format", methods=["GET"])
def get_param_percent_format():
    """Fixture (must be flagged): request data embedded via %-formatting.

    Same sink as `get_param_format`, using the `"%s" % (param,)`
    spelling so the rule covers both string-formatting styles.
    """
    param = flask.request.args.get("param")
    # ruleid: path-traversal-open
    return open("echo %s" % (param,), 'r').read()
@app.route("/post_param", methods=["POST"])
def post_param():
    """Fixture (must be flagged): form field used as the path to open().

    `param` comes from `flask.request.form`, so the POST body selects
    the file that is read and parsed as JSON. The `if True:` wrapper
    presumably checks that the rule still matches inside a nested block
    (TODO confirm against the rule's tests). Note the `/post_param`
    rule is also registered by the two views that follow.
    """
    param = flask.request.form['param']
    if True:
        # ruleid: path-traversal-open
        with open(param, 'r') as fin:
            data = json.load(fin)
    return data
@app.route("/post_param", methods=["POST"])
def post_param_with_inline():
    """Fixture (must be flagged): request.form read inline inside open().

    No intermediate variable; the rule has to match
    `flask.request.form['param']` used directly as the path argument.
    """
    # ruleid: path-traversal-open
    with open(flask.request.form['param'], 'r') as fin:
        data = json.load(fin)
    return data
@app.route("/post_param", methods=["POST"])
def post_param_with_inline_concat():
    """Fixture (must be flagged): inline form field plus `'.csv'` as path.

    Combines the inline `request.form` access of `post_param_with_inline`
    with the suffix concatenation of `get_param_concat`.
    """
    # ruleid: path-traversal-open
    with open(flask.request.form['param'] + '.csv', 'r') as fin:
        data = json.load(fin)
    return data
@app.route("/subexpression", methods=["POST"])
def subexpression():
    """Fixture (must be flagged): request data laundered through format().

    The form field is wrapped in `"{}".format(...)` and stored in
    `param` before reaching open(); the rule presumably has to follow
    the value through that intermediate expression (TODO confirm).
    """
    param = "{}".format(flask.request.form['param'])
    print("do things")
    # ruleid: path-traversal-open
    return open(param, 'r').read()
@app.route("/ok")
def ok():
    """Fixture (must NOT be flagged): constant relative path, no request data.

    The handle is not closed and nothing is returned; the view exists
    only to give the rule a literal-path negative case.
    """
    # ok: path-traversal-open
    open("static/path.txt", 'r')