From 2b951067701b3c616a3b43d8689c135dd3a05837 Mon Sep 17 00:00:00 2001
From: circleci
Date: Mon, 27 May 2019 16:02:53 +0000
Subject: [PATCH 01/10] Added js_error_20190227040253.js, py_xss_20190227040253.py, py_error_20190227040253.py

---
py_error_20190227040253.py | 46 ++++++++++++++++++++++++++++
py_unittest_20190227040253.py | 15 +++++++++
py_xss_20190227040253.py | 11 +++++++
static/js/js_error_20190227040253.js | 10 ++++++
4 files changed, 82 insertions(+)
create mode 100644 py_error_20190227040253.py
create mode 100644 py_unittest_20190227040253.py
create mode 100644 py_xss_20190227040253.py
create mode 100644 static/js/js_error_20190227040253.js

diff --git a/py_error_20190227040253.py b/py_error_20190227040253.py
new file mode 100644
index 0000000..e40ddd9
--- /dev/null
+++ b/py_error_20190227040253.py
@@ -0,0 +1,46 @@
+import lxml
+
+class C20190227040253():
+ "This is an example class"
+ a = 10
+ def func(self):
+ print('Hello Example')
+
+# Output: 10
+print(C20190227040253.a)
+
+# Output:
+print(C20190227040253.func)
+
+# Output: 'This is my second class'
+print(C20190227040253.__doc__)
+
+# Code Injection
+def GET(self):
+ get_input = web.input()
+ param1 = get_input['param1'] if 'param1' in get_input else None
+ if (param1):
+ x = eval(param1)
+ return "I'm vulnerable"
+
+# CWE-759
+def storePassword(userName,Password):
+ hasher = hashlib.new('md5')
+ hasher.update(Password)
+ hashedPassword = hasher.digest()
+
+ # UpdateUserLogin returns True on success, False otherwise
+ return updateUserLogin(userName,hashedPassword)
+
+
+def calc(number,times):
+ program = 'a = 5\nb=10\nprint("Sum =", a+b)'
+ exec(program)
+ for x in range(0, 3):
+ print("We're on time %d" % (x))
+ y = 1
+ while True:
+ if(y%2 ==0):
+ print("To infinity and beyond! We're getting close, on %d now!" % (y))
+ y += 1
+ return number*times
\ No newline at end of file
diff --git a/py_unittest_20190227040253.py b/py_unittest_20190227040253.py
new file mode 100644
index 0000000..d0e55b2
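Review bot: `storePassword` hashes the password with `hashlib.new('md5')` and no salt, so equal passwords yield equal digests and the stored values are cheap to brute-force offline; `hashlib` is also never imported (the file's only import is the unused `lxml`). Replace the three hashing lines with a salted, slow KDF, e.g. `salt = os.urandom(16)` followed by `hashedPassword = hashlib.pbkdf2_hmac('sha256', Password.encode('utf-8'), salt, ITERATIONS)` (with `ITERATIONS` set to a work factor tuned for the deployment), and persist the salt alongside the digest — `updateUserLogin` presumably needs to store both. `hasher.update(Password)` additionally raises `TypeError` on Python 3 when `Password` is a `str`, which the `.encode()` above resolves. Separately, `calc`'s `while True:` loop has no `break`, so `return number*times` is unreachable and any caller hangs; the loop survives unchanged through hunk `@@ -32,10 +33,9 @@` of [PATCH 02/10].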
--- /dev/null
+++ b/py_unittest_20190227040253.py
@@ -0,0 +1,15 @@
+from django.test import TestCase
+
+
+from py_error_20190227040253 import C20190227040253
+
+class TestModel01(TestCase):
+
+ def test_01(self):
+ x = C20190227040253()
+ self.assertIs(x.a,10)
+
+
+ def test_02(self):
+ x = C20190227040253()
+ self.assertIs(x.calc(7,3),21)
\ No newline at end of file
diff --git a/py_xss_20190227040253.py b/py_xss_20190227040253.py
new file mode 100644
index 0000000..83b98c4
--- /dev/null
+++ b/py_xss_20190227040253.py
@@ -0,0 +1,11 @@
+from flask import Flask, request, make_response, escape
+
+app = Flask(__name__)
+@app.route('/unsafe')
+def unsafe():
+ first_name = request.args.get('name', '')
+ return make_response("Your name is " + first_name)
+@app.route('/safe')
+def safe():
+ first_name = request.args.get('name', '')
+ return make_response("Your name is " + escape(first_name))
\ No newline at end of file
diff --git a/static/js/js_error_20190227040253.js b/static/js/js_error_20190227040253.js
new file mode 100644
index 0000000..ac1f616
--- /dev/null
+++ b/static/js/js_error_20190227040253.js
@@ -0,0 +1,10 @@
+function hello() {
+ let a = "dummy"
+ return "Hello";
+}
+
+function world() {
+ password a = "dummy"
+ let b = "line"
+ return "World";
+}
\ No newline at end of file
From aa29c6dd40da7a7a1bdf175f722876b6519b1c27 Mon Sep 17 00:00:00 2001
From: circleci
Date: Mon, 17 Jun 2019 14:11:53 +0000
Subject: [PATCH 02/10] Fixed Python and Javascript errors

---
py_error_20190227040253.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/py_error_20190227040253.py b/py_error_20190227040253.py
index e40ddd9..4639e73 100644
--- a/py_error_20190227040253.py
+++ b/py_error_20190227040253.py
@@ -1,9 +1,10 @@
-import lxml
+#import lxml
 
 class C20190227040253():
 "This is an example class"
 a = 10
- def func(self):
+ @classmethod
+ def funct(self):
 print('Hello Example')
 
 # Output: 10
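Review bot: `test_02` calls `x.calc(7,3)` on a `C20190227040253` instance, but `calc` is a module-level function in `py_error_20190227040253.py`, not a method of the class, so the test fails with `AttributeError` before it reaches the assertion. Import it directly (`from py_error_20190227040253 import C20190227040253, calc`) and assert on `calc(7,3)`, bearing in mind that `calc` as written never returns because of its unbounded `while True:` loop. Both tests use `assertIs` to compare integers; identity of small ints is a CPython caching artefact, so `self.assertEqual(x.a, 10)` is the right assertion. `django.test.TestCase` also requires a configured Django settings module for a test that touches no models or database; `unittest.TestCase` would suffice.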
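Review bot: The `/unsafe` handler concatenates `first_name`, taken straight from `request.args`, into a response that Flask serves as `text/html`, so any markup in the `name` query parameter is rendered by the browser (reflected XSS); if the route is kept deliberately as a demonstration, say so in a comment above its decorator, otherwise apply the same `escape()` the `/safe` route uses. The `escape` imported from `flask` is a re-export that Flask has since deprecated; `from markupsafe import escape` keeps the safe route working on newer Flask releases. Rendering the page through a template with autoescaping enabled, instead of string concatenation, would make escaping the default rather than a per-call decision.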
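Review bot: `password a = "dummy"` in `world()` is not valid JavaScript (`password` is not a declaration keyword), so the whole file fails to parse and neither `hello()` nor `world()` is defined for any page that loads it. If a `let` binding is intended, `let a = "dummy"` is the fix; if the line is meant as a placeholder for a hard-coded-secret check, a comment saying so would help, since a string literal in a static asset is shipped to every client. The `a` and `b` locals in both functions are assigned and never read, and the two `let` lines lack the semicolons the `return` lines use.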
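Review bot: Renaming `func` to `funct` breaks the module-level `print(C20190227040253.func)` that follows the class (outside this hunk and untouched by the patch's other hunks), so importing the module now raises `AttributeError` — including from `py_unittest_20190227040253.py`, which imports this class. Either keep the original name or change that call to `print(C20190227040253.funct)`. With `@classmethod` the first parameter should be `cls`, i.e. `def funct(cls):`. `#import lxml` should be deleted rather than commented out; the unused import was the finding, and a commented-out import is not a fix.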
@@ -20,8 +21,8 @@ def GET(self):
 get_input = web.input()
 param1 = get_input['param1'] if 'param1' in get_input else None
 if (param1):
- x = eval(param1)
- return "I'm vulnerable"
+ x = ast.literal_eval(param1)
+ return "I'm not vulnerable"+x
 
 # CWE-759
 def storePassword(userName,Password):
@@ -32,10 +33,9 @@ def storePassword(userName,Password):
 # UpdateUserLogin returns True on success, False otherwise
 return updateUserLogin(userName,hashedPassword)
 
-
 def calc(number,times):
- program = 'a = 5\nb=10\nprint("Sum =", a+b)'
- exec(program)
+ print("Sum =", a+b)
+ #no need for exec
 for x in range(0, 3):
 print("We're on time %d" % (x))
 y = 1
From d520c2cf852c5b542dfe2c53268c613096d86f88 Mon Sep 17 00:00:00 2001
From: circleci
Date: Fri, 21 Jun 2019 10:21:08 +0000
Subject: [PATCH 03/10] Fixed Python and Javascript errors

From 7d10797a28a69b7c491749921f7e0940ca4e4cb5 Mon Sep 17 00:00:00 2001
From: circleci
Date: Mon, 24 Jun 2019 14:12:45 +0000
Subject: [PATCH 04/10] Fixed Python and Javascript errors

From 9e9d5223272d183c2015fbc3f356e920d3f7d8f4 Mon Sep 17 00:00:00 2001
From: circleci
Date: Mon, 8 Jul 2019 09:14:10 +0000
Subject: [PATCH 05/10] Fixed Python and Javascript errors

From 6b8c0c157bf085680a54565461f1177b4646ff9e Mon Sep 17 00:00:00 2001
From: circleci
Date: Fri, 19 Jul 2019 17:05:28 +0000
Subject: [PATCH 06/10] Fixed Python and Javascript errors

From 41c6a2e563fc742a66d96901fb5c9dfbb5493180 Mon Sep 17 00:00:00 2001
From: "codacydemo@codacy.com"
Date: Fri, 9 Aug 2019 15:26:50 +0100
Subject: [PATCH 07/10] Fixed Python and Javascript errors

From 2ca097b2274afd556596ff90a6d642d57ef9bd47 Mon Sep 17 00:00:00 2001
From: "codacydemo@codacy.com"
Date: Fri, 9 Aug 2019 16:22:12 +0000
Subject: [PATCH 08/10] Fixed Python and Javascript errors

From 94cd1ecea89eea32e3d9f91d2f1dfa9b6e6d08a1 Mon Sep 17 00:00:00 2001
From: "codacydemo@codacy.com"
Date: Mon, 2 Sep 2019 14:03:05 +0000
Subject: [PATCH 09/10] Fixed Python and Javascript errors
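Review bot: `x = ast.literal_eval(param1)` evaluates an untrusted query parameter, but `ast` is never imported (the file's only import line is now `#import lxml`), so the handler raises `NameError`; and since `literal_eval` returns whatever Python literal the client supplied (int, list, dict, …), `"I'm not vulnerable"+x` raises `TypeError` for anything other than a string. `literal_eval` is a parser, not a validator: it raises `ValueError`/`SyntaxError` on malformed input and can exhaust the interpreter stack on deeply nested input, so it should not stand in as the input filter here. Wrap the call in `try:` / `except (ValueError, SyntaxError, RecursionError, MemoryError): return "bad param1"` and return `"I'm not vulnerable" + str(x)`, or better, validate `param1` against the single type the endpoint actually expects and drop the evaluation entirely. `web` is likewise never imported, so `web.input()` fails before any of this runs.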
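Review bot: `print("Sum =", a+b)` now references `a` and `b`, which were only ever defined inside the removed `exec`'d program string, so `calc` raises `NameError` on its first call. Define them locally, e.g. `a, b = 5, 10` on the line before the `print`, after which the `#no need for exec` comment has nothing left to explain and can be dropped. `calc`'s body continues past the end of this hunk.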
From aae126809bc7cba33a956ffc25b88324042ff5a8 Mon Sep 17 00:00:00 2001
From: "codacydemo@codacy.com"
Date: Mon, 2 Sep 2019 15:44:43 +0000
Subject: [PATCH 10/10] Fixed Python and Javascript errors