
Commit 9331c2c

Add tests
1 parent 6ac46b8 commit 9331c2c


1 file changed

+45
-1
lines changed


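--- a/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py
+++ b/python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py
@@ -1,7 +1,7 @@
 from flask import request
 
 import requests
-
+import re
 
 def full_ssrf():
     user_input = request.args['untrusted_input']
@@ -120,3 +120,47 @@ def partial_ssrf_6():
 
     url = f"https://example.com/foo#{user_input}"
     requests.get(url) # NOT OK -- user only controlled fragment
+
+def partial_ssrf_7():
+    user_input = request.args['untrusted_input']
+
+    if user_input.isalnum():
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain alphanumerical characters
+
+    if user_input.isalpha():
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain alphabetical characters
+
+    if user_input.isdecimal():
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain decimal characters
+
+    if user_input.isdigit():
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain digits
+
+    if user_input.isnumeric():
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain numeric characters
+
+    if user_input.isspace():
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain whitespace characters
+
+    if re.fullmatch(r'[a-zA-Z0-9]+', user_input):
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain alphanumerical characters
+
+    if re.fullmatch(r'.*[a-zA-Z0-9]+.*', user_input):
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary characters
+
+
+    if re.match(r'^[a-zA-Z0-9]+$', user_input):
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # OK - user input can only contain alphanumerical characters
+
+    if re.match(r'[a-zA-Z0-9]+', user_input):
+        url = f"https://example.com/foo#{user_input}"
+        requests.get(url) # NOT OK, but NOT FOUND - user input can contain arbitrary character as a suffix.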
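Review bot: The `# OK` expectations on new lines 149 and 162 treat `str.isspace()` and `re.match(r'^[a-zA-Z0-9]+$', ...)` as sanitizers, but both admit input the comments do not describe: `isspace()` is true for control whitespace such as `"\r\n"` as well as Unicode spaces, and in Python `$` also matches just before a trailing newline, so `"abc\n"` passes the `^...$` check while the `re.fullmatch` case on line 151 and a `\Z` anchor would reject it. If the query's sanitizer model is meant to key on an exact alphanumerical guarantee, the strict form `if re.match(r'^[a-zA-Z0-9]+\Z', user_input):` is the one to mark OK, and the `$` variant is better kept as its own case with its comment amended to `# OK - but $ also permits a single trailing newline`. The `isalnum()`/`isdigit()`/`isnumeric()` cases likewise accept non-ASCII code points, which is worth stating in their comments if the model is assumed to be ASCII-only. `partial_ssrf_7` appears to end at the hunk's last line, so the whole function is visible here.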
