Comments (5)
Hmm, i do not know if this even makes much sense.
The first example about absolute import will not even run(ImportError).
The second one will fail when we make the post.
So i do not think we need to support analysis of code the python interpreter does not even understand.
from pyt.
In my opinion the best solution would be to mark it as a vulnerability and in some way indicate that it is due to the name not being imported. That way the developer is able to disregard the vulnerability if he knows that he uses some dynamic magic to set the name
from pyt.
I probably could have explained this better, say
import subprocess
from flask import Flask, render_template, request
# This is a lib we can't possibly see inside of
import scrypt
app = Flask(__name__)
@app.route('/menu', methods=['GET'])
def menu():
param = request.args.get('suggestion')
# This is a function we can't possibly see inside of
foobar = scrypt.encrypt('echo ' + param + ' >> ' + 'menu.txt', 'password')
command = scrypt.encrypt('echo ' + param + ' >> ' + 'menu.txt', 'password')
hey = command
subprocess.call(hey, shell=True)
with open('menu.txt','r') as f:
menu = f.read()
return render_template('command_injection.html', menu=menu)
if __name__ == '__main__':
app.run(debug=True)
scrypt.encrypt could be any call from a library that we can't possibly know e.g. If all tainted args means a tainted return value.
So we shouldn't report it as a vulnerability with as much confidence as everything else. We can talk more about the UI part when I make the PR on Monday or Tuesday.
The way I did this was, to put the call in a set called blackbox_calls and then check in the assignment_with_call type function if the call is in blackbox calls. If it is, I add the assignment to blackbox assignments, which can be checked when sanitation is checked in vulnerabilities.py. This will get more complicated when I handle nested function calls but I'll write tests and incrementally handle things.
from pyt.
Maybe one day we'll do it like this awesome paper but, we're not there yet.
from pyt.
Maybe this update to the example file is better, thoughts? (Why would you exec an scrypt hash is a valid question but I didn't feel like running pyt until I find a better example.)
from pyt.
Related Issues (20)
- OSError: Input needs to be a file. Path: <path>/app.py HOT 3
- python3.7 support HOT 1
- AttributeError: 'IgnoredNode' object has no attribute 'first_statement'
- RecursionError: maximum recursion depth exceeded while calling a Python object HOT 3
- Control flow incorrect if imported functions have the same name HOT 2
- Sources and sinks should propagate
- Inappropriate ioctl using Ubuntu and pty HOT 3
- How to put it inside the proxy? HOT 1
- How to handle callbacks HOT 2
- Fails on Python 3.9.0 HOT 7
- o HOT 1
- pyt usually picks the wrong encoding to load files HOT 1
- args is empty in BBorBInode when CFG generated
- RFH: jsonpickle security detection HOT 1
- .
- Teste
- H
- real
- Vulnerable python code HOT 1
- Tic tac toe
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pyt.