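---
# Python taint-analysis rules: user-controlled sources, dangerous sinks, and sanitizers.
# Entries are matched by dotted name. A trailing "*" is a prefix match
# (e.g. request.headers* matches request.headers.get, request.headers['X-Foo']).
# NOTE(review): whether a "*" entry also matches the bare attribute (request.headers
# alone) depends on the matcher; both forms are kept side by side to be safe — confirm.
#
# sources = anything the user can manipulate (headers, cookies, query, body, path, etc.)
# Both Flask (request.*, flask.request.*) and Django (request.GET/POST/META/...) are covered.
sources:
# Query string / URL params
- "request.args*"
- "flask.request.args*"
- "request.values*"
- "flask.request.values*"
# Django query string / form body (QueryDict) and raw body
- "request.GET*"
- "request.POST*"
- "request.body"
# POST/form body, JSON body
- "request.form*"
- "request.data"
- "request.json"
- "request.get_json"
- "flask.request.form*"
- "flask.request.data"
- "flask.request.json"
- "flask.request.get_json"
# HTTP headers (user can send any header: X-*, Cookie, Authorization, Referer, etc.)
- "request.headers*"
- "request.headers"
- "flask.request.headers*"
- "flask.request.headers"
- "request.META*"
# Cookies
- "request.cookies*"
- "request.cookies"
- "flask.request.cookies*"
- "flask.request.cookies"
# URL / path / referrer / client-supplied connection metadata
# (remote_addr and user_agent come from the client or proxy headers, so they are tainted too)
- "request.url"
- "request.path"
- "request.referrer"
- "request.remote_addr"
- "request.user_agent"
- "flask.request.url"
- "flask.request.path"
- "flask.request.referrer"
- "flask.request.remote_addr"
- "flask.request.user_agent"
# Session (often stores user-origin data)
# NOTE(review): "session*" is a bare prefix and will match any name starting with
# "session" (e.g. a local called session_timeout) — confirm this breadth is intended.
- "request.session*"
- "session*"
# File upload (user-controlled name/content)
- "request.files*"
- "request.files"
- "flask.request.files*"
- "flask.request.files"
- "request.FILES*"
# Stdin / CLI input
- "input"
- "sys.stdin*"
- "sys.argv"

# sinks = process-spawning calls; tainted data reaching them is a command-injection finding.
# os.system / os.popen and subprocess.getoutput / getstatusoutput always go through the
# shell, so they are the most direct command-injection sinks and were missing from the list.
sinks:
# exec family (replaces the current process; argv and path are attacker-influenced)
- "os.execv"
- "os.execve"
- "os.execvp"
- "os.execvpe"
- "os.execl"
- "os.execle"
- "os.execlp"
- "os.execlpe"
# shell-string sinks
- "os.system"
- "os.popen"
- "subprocess.getoutput"
- "subprocess.getstatusoutput"
# subprocess family (dangerous with shell=True or with an attacker-controlled argv[0])
- "subprocess.call"
- "subprocess.run"
- "subprocess.Popen"
- "subprocess.check_call"
- "subprocess.check_output"

# sanitizers = calls that cut the taint flow between a source and a sink.
# NOTE(review): only shlex.quote neutralizes shell metacharacters for the exec/shell sinks
# above. html.escape and bleach.clean are HTML encoders: a value they return is still
# injectable when passed to a shell, so findings suppressed by them deserve a manual look.
# The bare names sanitize / clean / escape presumably match any function so named, which
# means any helper with one of those names silently suppresses findings — confirm intended.
sanitizers:
- "shlex.quote"
- "sanitize"
- "clean"
- "escape"
- "html.escape"
- "bleach.clean"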