Add Sast tests #2180

Merged
merged 10 commits into from
Sep 21, 2023
3 changes: 2 additions & 1 deletion testdata/xray/jas-test/requirements.txt
@@ -1 +1,2 @@
PyYAML==5.2
PyYAML==5.2
Werkzeug==1.0.1
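--- a/testdata/xray/jas-test/sast/flask_webgoat/__init__.py
+++ b/testdata/xray/jas-test/sast/flask_webgoat/__init__.py
@@ -0,0 +1,51 @@
+import os
+import sqlite3
+from pathlib import Path
+
+from flask import Flask, g
+
+DB_FILENAME = "database.db"
+
+
+def query_db(query, args=(), one=False, commit=False):
+with sqlite3.connect(DB_FILENAME) as conn:
+# vulnerability: Sensitive Data Exposure
+conn.set_trace_callback(print)
+cur = conn.cursor().execute(query, args)
+if commit:
+conn.commit()
+return cur.fetchone() if one else cur.fetchall()
+
+
+def create_app():
+app = Flask(__name__)
+app.secret_key = "aeZ1iwoh2ree2mo0Eereireong4baitixaixu5Ee"
+
+db_path = Path(DB_FILENAME)
+if db_path.exists():
+db_path.unlink()
+
+conn = sqlite3.connect(DB_FILENAME)
+create_table_query = """CREATE TABLE IF NOT EXISTS user
+(id INTEGER PRIMARY KEY, username TEXT, password TEXT, access_level INTEGER)"""
+conn.execute(create_table_query)
+
+insert_admin_query = """INSERT INTO user (id, username, password, access_level)
+VALUES (1, 'admin', 'admin', 0)"""
+conn.execute(insert_admin_query)
+conn.commit()
+conn.close()
+
+with app.app_context():
+from . import actions
+from . import auth
+from . import status
+from . import ui
+from . import users
+
+app.register_blueprint(actions.bp)
+app.register_blueprint(auth.bp)
+app.register_blueprint(status.bp)
+app.register_blueprint(ui.bp)
+app.register_blueprint(users.bp)
+return app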
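Review bot: Only the set_trace_callback line in query_db carries a `# vulnerability:` marker, while the hard-coded `app.secret_key` in create_app and the `'admin', 'admin'` credentials in insert_admin_query have none, so it is unclear which findings this SAST fixture expects the scanner to report. Marking them the same way, e.g. `# vulnerability: Hard-coded secret` above the secret_key assignment and `# vulnerability: Hard-coded credentials` above insert_admin_query, documents the intended findings for whoever maintains the expected-results side of the test. Separately, create_app's bare `conn = sqlite3.connect(DB_FILENAME)` is never closed if `conn.execute` raises, and `import os` and `g` are unused; if neither is an intended finding, `with contextlib.closing(sqlite3.connect(DB_FILENAME)) as conn:` would keep the setup path clean.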
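--- a/testdata/xray/jas-test/sast/flask_webgoat/ui.py
+++ b/testdata/xray/jas-test/sast/flask_webgoat/ui.py
@@ -0,0 +1,25 @@
+import sqlite3
+
+from flask import Blueprint, request, render_template
+from . import query_db
+
+bp = Blueprint("ui", __name__)
+
+
+@bp.route("/search")
+def search():
+query_param = request.args.get("query")
+if query_param is None:
+message = "please provide the query parameter"
+return render_template("error.html", message=message)
+
+try:
+query = "SELECT username, access_level FROM user WHERE username LIKE ?;"
+results = query_db(query, (query_param,))
+# vulnerability: XSS
+return render_template(
+"search.html", results=results, num_results=len(results), query=query_param
+)
+except sqlite3.Error as err:
+message = "Error while executing query " + query_param + ": " + err
+return render_template("error.html", message=message)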
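Review bot: The `except sqlite3.Error` branch at the end of search concatenates the exception object into a str (`"..." + query_param + ": " + err`), which raises TypeError instead of rendering the error page, so the handler can never produce its message. `message = f"Error while executing query {query_param}: {err}"` gives the intended text. The `# vulnerability: XSS` marker sits on a parameterized query with a render_template call, so whether the finding is real depends on search.html, which is not among the visible files; if that template disables autoescaping or uses `|safe` on `query`, stating so in the marker comment would make the expected finding reproducible for the test.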