-
Notifications
You must be signed in to change notification settings - Fork 0
Add files via upload #6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| import os | ||
| import subprocess | ||
| import requests | ||
| from flask import Flask, request | ||
|
|
||
| app = Flask(__name__) | ||
|
|
||
| # Vulnerability 1: Insecure Use of Subprocess (Command Injection) | ||
| @app.route('/ping', methods=['GET']) | ||
| def ping(): | ||
| ip = request.args.get('ip', '') | ||
| result = subprocess.check_output(['ping', '-c', '4', ip]) | ||
| return result | ||
|
|
||
| # Vulnerability 2: Hardcoded Credentials | ||
| USERNAME = 'admin' | ||
| PASSWORD = 'password123' | ||
|
|
||
| @app.route('/login', methods=['POST']) | ||
| def login(): | ||
| username = request.form['username'] | ||
| password = request.form['password'] | ||
| if username == USERNAME and password == PASSWORD: | ||
| return "Login successful" | ||
| else: | ||
| return "Login failed", 401 | ||
|
|
||
| # Vulnerability 3: Insecure Deserialization | ||
| @app.route('/unserialize', methods=['POST']) | ||
| def unserialize(): | ||
| import pickle | ||
| data = request.data | ||
| obj = pickle.loads(data) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Auto-generated PR comment (Polaris)Polaris SAST Issue - Insecure Object DeserializationHigh CWE-502 How to fixThe application should avoid using object deserialization for data shared outside a trusted system. The following things should be taken into consideration for remediation of this issue:
If using Java, it is recommended to use a run-time "agent" such as notsoserial (https://github.com/kantega/notsoserial) to specify and control which classes that should be allowed to be deserialized. Furthermore, it is strongly recommended to use the latest hardened JDK and ensure all third-party libraries, such as Apache Commons Collections, are updated. |
||
| return str(obj) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Auto-generated PR comment (Polaris)Polaris SAST Issue - Cross-site ScriptingHigh CWE-79 A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events. How to fixPotential mitigations include the following:
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
|
||
|
|
||
| # Vulnerability 4: Use of Outdated Library with Known Vulnerabilities | ||
| @app.route('/requests_example', methods=['GET']) | ||
| def requests_example(): | ||
| response = requests.get('https://example.com') | ||
| return response.content | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Auto-generated PR comment (Polaris)Polaris SAST Issue - Cross-site ScriptingHigh CWE-79 A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events. How to fixPotential mitigations include the following:
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
|
||
|
|
||
| # Vulnerability 5: SQL Injection | ||
| @app.route('/user', methods=['GET']) | ||
| def get_user(): | ||
| user_id = request.args.get('id', '') | ||
| query = "SELECT * FROM users WHERE id = '" + user_id + "'" | ||
| result = run_query(query) # This function is not defined but simulates a database query | ||
| return str(result) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Auto-generated PR comment (Polaris)Polaris SAST Issue - Cross-site ScriptingHigh CWE-79 A user can execute arbitrary JavaScript on a web page viewed or accessed by another user, potentially allowing session hijacking, disclosing sensitive data in the DOM, or viewing of keyboard and mouse events. How to fixPotential mitigations include the following:
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.
The problem of inconsistent output encodings often arises in web pages. If an encoding is not specified in an HTTP header, web browsers often guess about which encoding is being used. This can open up the browser to subtle XSS attacks.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. When dynamically constructing web pages, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. All input should be validated and cleansed, not just parameters that the user is supposed to specify, but all data in the request, including hidden fields, cookies, headers, the URL itself, and so forth. A common mistake that leads to continuing XSS vulnerabilities is to validate only fields that are expected to be redisplayed by the site. It is common to see data from the request that is reflected by the application server or the application that the development team did not anticipate. Also, a field that is not currently reflected may be used by a future developer. Therefore, validating ALL parts of the HTTP request is recommended. Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent XSS, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, in a chat application, the heart emoticon ("<3") would likely pass the validation step, since it is commonly used. However, it cannot be directly inserted into the web page because it contains the "<" character, which would need to be escaped or otherwise handled. In this case, stripping the "<" might reduce the risk of XSS, but it would produce incorrect behavior because the emoticon would not be recorded. This might seem to be a minor inconvenience, but it would be more important in a mathematical forum that wants to represent inequalities. Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address. Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.
|
||
|
|
||
| def run_query(query): | ||
| # Simulating a database query without proper sanitization (SQL Injection risk) | ||
| return "Query result for: " + query | ||
|
|
||
| if __name__ == '__main__': | ||
| app.run(debug=True) | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # command_injection_vuln.py | ||
| import os | ||
|
|
||
| def ping_host(host): | ||
| # Vulnerable to command injection | ||
| command = f"ping -c 1 {host}" | ||
| os.system(command) | ||
|
|
||
| if __name__ == "__main__": | ||
| target = input("Enter host to ping: ") | ||
| ping_host(target) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # hardcoded_secret_vuln.py | ||
|
|
||
| # Hardcoded secrets | ||
| API_KEY = "sk_test_1234567890abcdef" | ||
| DB_PASSWORD = "SuperSecretPassword123!" | ||
|
|
||
| def connect(): | ||
| print("Connecting with password:", DB_PASSWORD) | ||
|
|
||
| if __name__ == "__main__": | ||
| connect() |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| # insecure_deserialization_vuln.py | ||
| import pickle | ||
|
|
||
| def load_data(serialized_data): | ||
| # Insecure deserialization | ||
| return pickle.loads(serialized_data) | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Auto-generated PR comment (Polaris)Polaris SAST Issue - Insecure Object DeserializationHigh CWE-502 How to fixThe application should avoid using object deserialization for data shared outside a trusted system. The following things should be taken into consideration for remediation of this issue:
If using Java, it is recommended to use a run-time "agent" such as notsoserial (https://github.com/kantega/notsoserial) to specify and control which classes that should be allowed to be deserialized. Furthermore, it is strongly recommended to use the latest hardened JDK and ensure all third-party libraries, such as Apache Commons Collections, are updated. |
||
|
|
||
| if __name__ == "__main__": | ||
| data = input("Enter serialized object: ") | ||
| obj = load_data(data.encode()) | ||
| print(obj) | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # path_traversal_vuln.py | ||
| import os | ||
|
|
||
| BASE_DIR = "/var/www/files/" | ||
|
|
||
| def read_file(filename): | ||
| # Vulnerable to path traversal | ||
| filepath = os.path.join(BASE_DIR, filename) | ||
|
|
||
| with open(filepath, "r") as f: | ||
| return f.read() | ||
|
|
||
| if __name__ == "__main__": | ||
| file = input("Enter filename: ") | ||
| print(read_file(file)) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # sql_injection_vuln.py | ||
| import sqlite3 | ||
|
|
||
| def get_user(username): | ||
| conn = sqlite3.connect("users.db") | ||
| cursor = conn.cursor() | ||
|
|
||
| # Vulnerable to SQL Injection | ||
| query = f"SELECT * FROM users WHERE username = '{username}'" | ||
| cursor.execute(query) | ||
|
|
||
| result = cursor.fetchall() | ||
| conn.close() | ||
| return result | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| user_input = input("Enter username: ") | ||
| print(get_user(user_input)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Auto-generated PR comment (Polaris)
Polaris SAST Issue - Insecure Object Deserialization
High CWE-502
A user-controllable string is deserialized.
An attacker can instantiate arbitrary classes, possibly resulting in a denial of service or potentially unintended code execution.
How to fix
The application should avoid using object deserialization for data shared outside a trusted system.
The following things should be taken into consideration for remediation of this issue:
If using Java, it is recommended to use a run-time "agent" such as notsoserial (https://github.com/kantega/notsoserial) to specify and control which classes that should be allowed to be deserialized. Furthermore, it is strongly recommended to use the latest hardened JDK and ensure all third-party libraries, such as Apache Commons Collections, are updated.