From 393443d843570e7e9092cae9830daded527a392a Mon Sep 17 00:00:00 2001
From: ErikW <128716503+github-cloudlabsuser-112@users.noreply.github.com>
Date: Wed, 18 Dec 2024 19:36:34 +0000
Subject: [PATCH 1/2] Update routes.py
---
server/routes.py | 86 ++++++++++++++++++++++++------------------------
1 file changed, 43 insertions(+), 43 deletions(-)
diff --git a/server/routes.py b/server/routes.py
index 0311c92..52f2bce 100644
--- a/server/routes.py
+++ b/server/routes.py
@@ -30,48 +30,48 @@ def index():
# Uncomment the following lines of code and make a pull request to see CodeQL in action
-# @flaskapp.route("/log_injections")
-# def log_injections():
-# data = request.args.get("data")
-# logging.debug(data)
-# return jsonify(data="Log injection vulnerability"), 200
-
-
-# @flaskapp.route("/config/")
-# def config():
-# try:
-# command = "cat prod.config.yaml"
-# data = subprocess.check_output(command, shell=True)
-# return data
-# except:
-# return jsonify(data="Command didn't run"), 200
-
-
-# @flaskapp.route("/read-bad-file")
-# def read_bad_file():
-# file = request.args.get("file")
-# with open(file, "r") as f:
-# data = f.read()
-# logging.debug(data)
-# return jsonify(data="Uncontrolled data use in path expression"), 200
-
-
-# @flaskapp.route("/hello")
-# def hello():
-# if request.args.get("name"):
-# name = request.args.get("name")
-# template = f"""
Hello
{name}"""
-# logging.debug(str(template))
-# return render_template_string(template)
-
-
-# @flaskapp.route("/get_users")
-# def get_users():
-# try:
-# hostname = request.args.get("hostname")
-# command = "dig " + hostname
-# data = subprocess.check_output(command, shell=True)
-# return data
-# except:
+ @flaskapp.route("/log_injections")
+ def log_injections():
+ data = request.args.get("data")
+ logging.debug(data)
+ return jsonify(data="Log injection vulnerability"), 200
+
+
+ @flaskapp.route("/config/")
+ def config():
+ try:
+ command = "cat prod.config.yaml"
+ data = subprocess.check_output(command, shell=True)
+ return data
+ except:
+ return jsonify(data="Command didn't run"), 200
+
+
+ @flaskapp.route("/read-bad-file")
+ def read_bad_file():
+ file = request.args.get("file")
+ with open(file, "r") as f:
+ data = f.read()
+ logging.debug(data)
+ return jsonify(data="Uncontrolled data use in path expression"), 200
+
+
+ @flaskapp.route("/hello")
+ def hello():
+ if request.args.get("name"):
+ name = request.args.get("name")
+ template = f"""Hello
{name}"""
+ logging.debug(str(template))
+ return render_template_string(template)
+
+
+ @flaskapp.route("/get_users")
+ def get_users():
+ try:
+ hostname = request.args.get("hostname")
+ command = "dig " + hostname
+ data = subprocess.check_output(command, shell=True)
+ return data
+ except:
data = str(hostname) + " username not found"
return data
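Review bot: get_users concatenates the request parameter into a shell string at L99 and runs it with shell=True at L100, so the hostname value is interpreted by the shell rather than handed to dig as an argument; the call should be `subprocess.check_output(["dig", hostname], shell=False)` after rejecting a missing or non-hostname value (e.g. `if not hostname or not re.fullmatch(r"[A-Za-z0-9.-]+", hostname): return jsonify(data="invalid hostname"), 400`). read_bad_file (L78-L79) passes a request value straight to open(), and hello (L87-L92) interpolates the request value into the template source before render_template_string renders it, so both need the same treatment — the path should be resolved under a fixed base directory and checked to stay inside it, and the name should be passed as a template variable, `render_template_string("Hello\n{{ name }}", name=name)`. The bare `except:` at L72 and L102 also swallows SystemExit and KeyboardInterrupt and hides why the command failed; narrow it to `except subprocess.CalledProcessError:`. log_injections writes the raw parameter to the log at L62; the follow-up patch strips `\r\n` and `\n` but a lone `\r` still survives, so use `data.replace('\r', '').replace('\n', '')` or log it with `%r`. The comment at L13 says these routes exist so CodeQL fires, so if they are kept deliberately as scanner bait, a module-level comment stating that they must never be registered in a deployed application would document that intent for the next maintainer.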
From 74101ec5a6548a6620be939fd50eb69b64fd6187 Mon Sep 17 00:00:00 2001
From: ErikW <128716503+github-cloudlabsuser-112@users.noreply.github.com>
Date: Wed, 18 Dec 2024 19:51:52 +0000
Subject: [PATCH 2/2] Fix code scanning alert no. 12: Log Injection
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
server/routes.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/server/routes.py b/server/routes.py
index 52f2bce..9f530bf 100644
--- a/server/routes.py
+++ b/server/routes.py
@@ -33,6 +33,8 @@ def index():
@flaskapp.route("/log_injections")
def log_injections():
data = request.args.get("data")
+ if data:
+ data = data.replace('\r\n', '').replace('\n', '')
logging.debug(data)
return jsonify(data="Log injection vulnerability"), 200