From 59f50373185fcf9b6231e46a3919ed12fcb6f4e0 Mon Sep 17 00:00:00 2001
From: Kevin Hock
Date: Mon, 26 Feb 2018 18:20:46 -0800
Subject: [PATCH] old hackathon eval thing

---
analyse_scan_results.py | 2 +-
flask_open_source_apps.csv | 41 --
hackathon_notes.py | 483 ++++++++++++++++++
pyt/interprocedural_cfg.py | 2 +-
.../flask_trigger_words.pyt | 13 -
5 files changed, 485 insertions(+), 56 deletions(-)
create mode 100644 hackathon_notes.py

diff --git a/analyse_scan_results.py b/analyse_scan_results.py
index a000fe20..91777c78 100644
--- a/analyse_scan_results.py
+++ b/analyse_scan_results.py
@@ -62,7 +62,7 @@ def get_urls(filename):
 if __name__ == '__main__':
 filename = 'scan_results/archived_26_10_scan.pyt'
- filename = 'scan_results/test.pyt'
+ # filename = 'scan_results/test.pyt'
 repos = get_repos(filename)
 print([b.url for b in repos])
 print(len(repos))
diff --git a/flask_open_source_apps.csv b/flask_open_source_apps.csv
index c87dd329..10d05dc7 100644
--- a/flask_open_source_apps.csv
+++ b/flask_open_source_apps.csv
@@ -82,7 +82,6 @@ https://github.com/liontree/lemonbook, lemonbook/__init__.py
 https://github.com/lepture/flask-oauthlib, flask-oauthlib/flask_oauthlib/provider/oauth1.py
 https://github.com/plastboks/Flaskmarks, Flaskmarks/flaskmarks/__init__.py
 https://github.com/Joinhack/agent, agent/flask_sqlalchemy.py
-https://github.com/ricardorego/FlaskTaskr, FlaskTaskr/flasktaskr.py
 https://github.com/col42dev/todoAPIServer, todoAPIServer/todo.py
 https://github.com/pnelson/flask-passport, flask-passport/flask_passport.py
 https://github.com/turnkey-commerce/flask-notes, flask-notes/app.py
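Review bot: Commenting out the override leaves a dead `# filename = 'scan_results/test.pyt'` line under `if __name__ == '__main__':` that will keep being toggled by editing source; the two `filename` assignments read better as one default plus an optional command-line argument, e.g. `filename = sys.argv[1] if len(sys.argv) > 1 else 'scan_results/archived_26_10_scan.pyt'`. That needs `import sys` at the top of the file, which is outside this hunk, and the rest of the `__main__` block continues past the hunk.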
@@ -118,16 +117,12 @@ https://github.com/mbyta/socially, socially/app/__init__.py
 https://github.com/patrickbeeson/has-it-ever-been, has-it-ever-been/tests.py
 https://github.com/aachik/blog_flask_practica, blog_flask_practica/blog.py
 https://github.com/moranned/flask_api_example, flask_api_example/app.py
-https://github.com/goncharovms/flask_library, flask_library/app/__init__.py
-https://github.com/moranned/flask_api_example, flask_api_example/app.py
-https://github.com/goncharovms/flask_library, flask_library/app/__init__.py
 https://github.com/johnwook/flask-restful-todo, flask-restful-todo/app.py
 https://github.com/rmotr/example-flask-app, example-flask-app/rmotr/app.py
 https://github.com/mbasanta/QR5Server, QR5Server/qr5server/__init__.py
 https://github.com/donalcarpenter/lolcatfancier, lolcatfancier/app.py
 https://github.com/jinpark/imageresizer, imageresizer/app.py
 https://github.com/JoeAcanfora/CrowdSite, CrowdSite/flask_app.py
-https://github.com/andrej2704/flaskplayground, flaskplayground/flaskAuth.py
 https://github.com/decodigoyalgomas/Flask-Tutorial-RPG-Manager, Flask-Tutorial-RPG-Manager/app/__init__.py
 https://github.com/syndbg/flask-url-shortener, flask-url-shortener/url_shortener/app.py
 https://github.com/jpf/okta-pysaml2-example, okta-pysaml2-example/app.py
@@ -165,33 +160,25 @@ https://github.com/jlybianto/flask_api_posts, flask_api_posts/posts/__init__.py
 https://github.com/travelton/pork, pork/pork/pork.py
 https://github.com/aantonw/notesapi, notesapi/notesapi.py
 https://github.com/markmuetz/flask-1000earths, flask-1000earths/app.py
-https://github.com/nicovogelaar/time-tracker-flask, time-tracker-flask/app/__init__.py
 https://github.com/nmaltais/python_flask_project, python_flask_project/hello.py
 https://github.com/ShermanMorrison/taskapp, taskapp/project/__init__.py
-https://github.com/pkulev/mblog, mblog/mblog/__init__.py
 https://github.com/VicarEscaped/xlsgen_service, xlsgen_service/app/__init__.py
 https://github.com/prashannth/flask-cassandra, flask-cassandra/app/__init__.py
 https://github.com/eon01/flask_restful_sample, flask_restful_sample/apirest.py
 https://github.com/haydarmiftahul/flask-microblogging, flask-microblogging/app.py
 https://github.com/Turbo87/flask-oauth2-test, flask-oauth2-test/server.py
-https://github.com/pkulev/mblog, mblog/mblog/__init__.py
 https://github.com/bidhan-a/flasknotes, flasknotes/api.py
 https://github.com/BlaiseGratton/which_flask, which_flask/app.py
 https://github.com/Yanze/restau_management_flask, restau_management_flask/restau_management_flask/__init__.py
 https://github.com/bidhan-a/flasknotes, flasknotes/api.py
 https://github.com/nausheenfatma/WebAppWithFlask, WebAppWithFlask/model.py
-https://github.com/RicoChou/MyFlasky, MyFlasky/app/__init__.py
 https://github.com/heamon7/learn-restful, learn-restful/app.py
 https://github.com/brittanymcgarr/learningFlask, learningFlask/FlaskPractice/app/app.py
 https://github.com/RodrigoVillatoro/flask_social_network, flask_social_network/app/__init__.py
 https://github.com/nausheenfatma/WebAppWithFlask, WebAppWithFlask/model.py
 https://github.com/sheldonsmickley/flaskemail_app, flaskemail_app/emails.py
-https://github.com/shas15/Betting-Chips, Betting-Chips/test.py
 https://github.com/aetherwu/Flask-Docker-Template, Flask-Docker-Template/flask/web/__init__.py
-https://github.com/AngelMunoz/Flask-Blueprints-Template, Flask-Blueprints-Template/app/__init__.py
 https://github.com/saviour123/flaskStudentData, flaskStudentData/app.py
-https://github.com/AngelMunoz/Flask-Blueprints-Template, Flask-Blueprints-Template/app/__init__.py
-https://github.com/tolmun/flask-ng-sample, flask-ng-sample/project/__init__.py
 https://github.com/awind/FlaskRestful, FlaskRestful/app/__init__.py
 https://github.com/IvanBodnar/fromzero_flask_blog, fromzero_flask_blog/__init__.py
 https://github.com/AllyW/flaskyDeb, flaskyDeb/app/__init__.py
@@ -201,7 +188,6 @@ https://github.com/AllyW/flaskyDeb, flaskyDeb/app/__init__.py
 https://github.com/billyfung/flask_shortener, flask_shortener/app.py
 https://github.com/s-kovacevic/elearning-flask, elearning-flask/main.py
 https://github.com/xpleaf/flask_catalog, flask_catalog/my_app/__init__.py
-https://github.com/HYL13/flask_project_0, flask_project_0/app/__init__.py
 https://github.com/kfiras/cloudfoundry-flask-webservice, cloudfoundry-flask-webservice/app.py
 https://github.com/ssam123/flask-blog-tutorial, flask-blog-tutorial/__init__.py
 https://github.com/kloudsec/py-webkit2png-flask-api, py-webkit2png-flask-api/api/app.py
@@ -225,7 +211,6 @@ https://github.com/Mamun-dueee/flask, flask/setup.py
 https://github.com/13923858795/Tutorial, Tutorial/my/app/__init__.py
 https://github.com/feocco/flaskLab, flaskLab/app.py
 https://github.com/novking/Flask_AWS, Flask_AWS/PlagiarismDefender/home.py
-https://github.com/umutcoskun/flask-ready, flask-ready/src/app/__init__.py
 https://github.com/natfoster82/flask-alcohol, flask-alcohol/example/app.py
 https://github.com/Nonja/FlaskArticleSearchNYT, FlaskArticleSearchNYT/app/__init__.py
 https://github.com/thomasobrien99/flask-movie-crud, flask-movie-crud/app.py
@@ -244,17 +229,13 @@ https://github.com/cooleo/flask-cassandra, flask-cassandra/app/__init__.py
 https://github.com/botheredbybees/flask-rss, flask-rss/headlines.py
 https://github.com/wwpika/flaskww, flaskww/app/__init__.py
 https://github.com/aig-/flask_google, flask_google/app.py
-https://github.com/dhan12/Flaskblog, Flaskblog/run.py
 https://github.com/Wangbicong/flask-newspaper, flask-newspaper/app/__init__.py
 https://github.com/welserjr/Flask_Recaptcha, Flask_Recaptcha/app.py
 https://github.com/brevno/test_pg_flask, test_pg_flask/app/__init__.py
 https://github.com/feistiller/LearnPythonFlask, LearnPythonFlask/Demo1HelloWorld.py
 https://github.com/afropolymath/papers, papers/api/__init__.py
 https://github.com/Eyali1001/flaskcalculator, flaskcalculator/calculator.py
-https://github.com/nenodias/flask-webservice, flask-webservice/app.py
 https://github.com/aripddev/cms_flask, cms_flask/app/__init__.py
-https://github.com/XiongZhijun/simple-flask, simple-flask/app/app.py
-https://github.com/brizow/FlaskTriviaApp, FlaskTriviaApp/FlaskWebProject1/__init__.py
 https://github.com/Chi-Qingjun/FlaskWechatDev, FlaskWechatDev/app/__init__.py
 https://github.com/NexusRJ/react_flask_blog, react_flask_blog/app/__init__.py
 https://github.com/jordanagreen/flask-todo-lists, flask-todo-lists/app.py
@@ -262,13 +243,10 @@ https://github.com/sampathweb/ml-cookiecutter-starter-flask-app, ml-cookiecutter
 https://github.com/thippo/FlaskFrame, FlaskFrame/myweb/__init__.py
 https://github.com/fantingdong/flasky1, flasky1/app/__init__.py
 https://github.com/wccosby/flaskML, flaskML/app/__init__.py
-https://github.com/nenodias/flask-webservice, flask-webservice/app.py
 https://github.com/kwin-wang/flask-learn, flask-learn/hello.py
 https://github.com/guoqiao/flask-examples, flask-examples/minitwit/minitwit.py
-https://github.com/xawei/flask_gw, flask_gw/app/__init__.py
 https://github.com/NataKuskova/Classwork_flask, Classwork_flask/script.py
 https://github.com/BadSol/flask-vendor, flask-vendor/vendor/__init__.py
-https://github.com/csyouk/faust-register-py, faust-register-py/register_server.py
 https://github.com/lizTheDeveloper/__g26_flask, __g26_flask/model.py
 https://github.com/thippo/FlaskFrame, FlaskFrame/myweb/__init__.py
 https://github.com/JonathanFrederick/flask-cards, flask-cards/app.py
@@ -278,7 +256,6 @@ https://github.com/shutdown57/learning_flask, learning_flask/src/app.py
 https://github.com/kuaiwu/MyFlask, MyFlask/app/__init__.py
 https://github.com/upbit/flask_whiteboard, flask_whiteboard/main.py
 https://github.com/lieuhon/First-Flask, First-Flask/app/__init__.py
-https://github.com/csyouk/faust-register-py, faust-register-py/register_server.py
 https://github.com/13923858795/Tutorial, Tutorial/my/app/__init__.py
 https://github.com/feocco/flaskLab, flaskLab/app.py
 https://github.com/asap/weather-wizard, weather-wizard/weather/__init__.py
@@ -288,7 +265,6 @@ https://github.com/JGaard/GoogleDomain---AD-web-console, GoogleDomain---AD-web-c
 https://github.com/1stvamp/flask-straw-poll, flask-straw-poll/flask_straw_poll/__init__.py
 https://github.com/internetfett/flask-timekeeper, flask-timekeeper/main.py
 https://github.com/merisbahti/mongodb-flask-fun, mongodb-flask-fun/index.py
-https://github.com/andrewmetersky/spotify-flaskapp, spotify-flaskapp/routes.py
 https://github.com/marselester/upload-a-file, upload-a-file/uploader/__init__.py
 https://github.com/nouyang/WTFisThisRegister, WTFisThisRegister/WTFisThisRegister.py
 https://github.com/JGaard/GoogleDomain---AD-web-console, GoogleDomain---AD-web-console/__init__.py
@@ -322,7 +298,6 @@ https://github.com/ko/sandbox-flask, sandbox-flask/flask-httpauth/main.py
 https://github.com/vladkrylov/FlaskLoginTest, FlaskLoginTest/app/__init__.py
 https://github.com/cevaris/flask-hk5, flask-hk5/mongoFlask/__init__.py
 https://github.com/wiliamsouza/cars, cars/cars/__init__.py
-https://github.com/artran/MyMdb, MyMdb/application.py
 https://github.com/scjackson/twiceurl, twiceurl/twiceurl.py
 https://github.com/okaram/learnmongo, learnmongo/FlaskApplication/__init__.py
 https://github.com/lingthio/Flask-User, Flask-User/example_apps/multi_email_app.py
@@ -377,13 +352,11 @@ https://github.com/mskog/cheapskate, cheapskate/cheapskate.py
 https://github.com/simonm/flaskCamel, flaskCamel/flaskcamel/__init__.py
 https://github.com/Bloodevil/flask_cache_server, flask_cache_server/main.py
 https://github.com/DMzda/cann-tables, cann-tables/cann_tables/__init__.py
-https://github.com/elvinyung/quimbu, quimbu/quimbu.py
 https://github.com/Rosk/flasqlite, flasqlite/app/__init__.py
 https://github.com/marshmallow-code/flask-marshmallow, flask-marshmallow/flask_marshmallow/__init__.py
 https://github.com/alyssaq/celery-flask-demo, celery-flask-demo/app.py
 https://github.com/simonm/flaskCamel, flaskCamel/flaskcamel/__init__.py
 https://github.com/tasti/Twittre, Twittre/twittre.py
-https://github.com/elvinyung/quimbu, quimbu/quimbu.py
 https://github.com/Amanda-Clark/BartStats, BartStats/BartStats/BartStats/BartStats.py
 https://github.com/miguelgrinberg/flask-webcast, flask-webcast/03-forms/hello.py
 https://github.com/yjroot/domainserver, domainserver/dnsserver/__init__.py
@@ -568,14 +541,12 @@ https://github.com/FinleySmile/flask_blog_demo, flask_blog_demo/flask_blog_demo.
 https://github.com/RodrigoVillatoro/flask_social_network, flask_social_network/app/__init__.py
 https://github.com/nausheenfatma/WebAppWithFlask, WebAppWithFlask/model.py
 https://github.com/sheldonsmickley/flaskemail_app, flaskemail_app/emails.py
-https://github.com/shas15/Betting-Chips, Betting-Chips/test.py
 https://github.com/soasme/flask-perm, flask-perm/example.py
 https://github.com/hnb2/flask-customers, flask-customers/customers/__init__.py
 https://github.com/LeonNie52/Learn_Flask, Learn_Flask/hello.py
 https://github.com/mauriciorey/learning_flask, learning_flask/routes.py
 https://github.com/nivanko/flask-catalog, flask-catalog/application.py
 https://github.com/aetherwu/Flask-Docker-Template, Flask-Docker-Template/flask/web/__init__.py
-https://github.com/AngelMunoz/Flask-Blueprints-Template, Flask-Blueprints-Template/app/__init__.py
 https://github.com/posenberg/Flask-Kickstarter-Clone, Flask-Kickstarter-Clone/punchstarter/__init__.py
 https://github.com/pythonvietnam/meetup01-flask, meetup01-flask/hello_world.py
 https://github.com/shane-kercheval/flask-postgresql-template, flask-postgresql-template/app_factory.py
@@ -585,8 +556,6 @@ https://github.com/nivanko/flask-catalog, flask-catalog/application.py
 https://github.com/saviour123/flaskStudentData, flaskStudentData/app.py
 https://github.com/QLGu/flask-zhihu-demo, flask-zhihu-demo/www/__init__.py
 https://github.com/jkravanja/paypal_flask_payment, paypal_flask_payment/payment.py
-https://github.com/tolmun/flask-ng-sample, flask-ng-sample/project/__init__.py
-https://github.com/AngelMunoz/Flask-Blueprints-Template, Flask-Blueprints-Template/app/__init__.py
 https://github.com/graphql-python/flask-graphql, flask-graphql/tests/app.py
 https://github.com/AnshuOnGit/FlaskServices, FlaskServices/read_file.py
 https://github.com/shank7485/Flask-APIs, Flask-APIs/APIs/__init__.py
@@ -616,7 +585,6 @@ https://github.com/boydjohnson/flasktwilio, flasktwilio/app.py
 https://github.com/s-kovacevic/elearning-flask, elearning-flask/main.py
 https://github.com/xpleaf/flask_catalog, flask_catalog/my_app/__init__.py
 https://github.com/poppuyo/FlaskUrlShortener, FlaskUrlShortener/FlaskUrlShortener/urlshortener.py
-https://github.com/HYL13/flask_project_0, flask_project_0/app/__init__.py
 https://github.com/kfiras/cloudfoundry-flask-webservice, cloudfoundry-flask-webservice/app.py
 https://github.com/ssam123/flask-blog-tutorial, flask-blog-tutorial/__init__.py
 https://github.com/kcunning/flask-class-c9, flask-class-c9/flaskclass/app/__init__.py
@@ -748,7 +716,6 @@ https://github.com/kmalfatti/library-flask-app, library-flask-app/app.py
 https://github.com/Millyn/flask_py3_hr, flask_py3_hr/app/__init__.py
 https://github.com/13923858795/Tutorial, Tutorial/my/app/__init__.py
 https://github.com/feocco/flaskLab, flaskLab/app.py
-https://github.com/umutcoskun/flask-ready, flask-ready/src/app/__init__.py
 https://github.com/novking/Flask_AWS, Flask_AWS/PlagiarismDefender/home.py
 https://github.com/natfoster82/flask-alcohol, flask-alcohol/example/app.py
 https://github.com/Nonja/FlaskArticleSearchNYT, FlaskArticleSearchNYT/app/__init__.py
@@ -769,17 +736,13 @@ https://github.com/ja8zyjits/redis-flask, redis-flask/flask_app.py
 https://github.com/botheredbybees/flask-rss, flask-rss/headlines.py
 https://github.com/wwpika/flaskww, flaskww/app/__init__.py
 https://github.com/aig-/flask_google, flask_google/app.py
-https://github.com/dhan12/Flaskblog, Flaskblog/run.py
 https://github.com/Wangbicong/flask-newspaper, flask-newspaper/app/__init__.py
 https://github.com/welserjr/Flask_Recaptcha, Flask_Recaptcha/app.py
 https://github.com/brevno/test_pg_flask, test_pg_flask/app/__init__.py
 https://github.com/feistiller/LearnPythonFlask, LearnPythonFlask/Demo1HelloWorld.py
 https://github.com/afropolymath/papers, papers/api/__init__.py
 https://github.com/Eyali1001/flaskcalculator, flaskcalculator/calculator.py
-https://github.com/nenodias/flask-webservice, flask-webservice/app.py
 https://github.com/aripddev/cms_flask, cms_flask/app/__init__.py
-https://github.com/XiongZhijun/simple-flask, simple-flask/app/app.py
-https://github.com/brizow/FlaskTriviaApp, FlaskTriviaApp/FlaskWebProject1/__init__.py
 https://github.com/Chi-Qingjun/FlaskWechatDev, FlaskWechatDev/app/__init__.py
 https://github.com/NexusRJ/react_flask_blog, react_flask_blog/app/__init__.py
 https://github.com/jordanagreen/flask-todo-lists, flask-todo-lists/app.py
@@ -787,12 +750,9 @@ https://github.com/sampathweb/ml-cookiecutter-starter-flask-app, ml-cookiecutter
 https://github.com/thippo/FlaskFrame, FlaskFrame/myweb/__init__.py
 https://github.com/fantingdong/flasky1, flasky1/app/__init__.py
 https://github.com/wccosby/flaskML, flaskML/app/__init__.py
-https://github.com/nenodias/flask-webservice, flask-webservice/app.py
 https://github.com/kwin-wang/flask-learn, flask-learn/hello.py
-https://github.com/xawei/flask_gw, flask_gw/app/__init__.py
 https://github.com/NataKuskova/Classwork_flask, Classwork_flask/script.py
 https://github.com/BadSol/flask-vendor, flask-vendor/vendor/__init__.py
-https://github.com/csyouk/faust-register-py, faust-register-py/register_server.py
 https://github.com/lizTheDeveloper/__g26_flask, __g26_flask/model.py
 https://github.com/thippo/FlaskFrame, FlaskFrame/myweb/__init__.py
 https://github.com/JonathanFrederick/flask-cards, flask-cards/app.py
@@ -803,7 +763,6 @@ https://github.com/GuanYQ0926/flask-restful, flask-restful/app.py
 https://github.com/kuaiwu/MyFlask, MyFlask/app/__init__.py
 https://github.com/upbit/flask_whiteboard, flask_whiteboard/main.py
 https://github.com/lieuhon/First-Flask, First-Flask/app/__init__.py
-https://github.com/csyouk/faust-register-py, faust-register-py/register_server.py
 https://github.com/allbegray/flask_mvc, flask_mvc/app.py
 https://github.com/Kentovski/Flask_Battlefield, Flask_Battlefield/server.py
 https://github.com/tjgrist/Flask-psql, Flask-psql/app.py
diff --git a/hackathon_notes.py b/hackathon_notes.py
new file mode 100644
index 00000000..ecf15bec
--- /dev/null
+++ b/hackathon_notes.py
@@ -0,0 +1,483 @@
+# Make a regex for redirect(word), no quotes or anything.
+# Run it on every file, see what it outputs, the ones that it is successful for we run PyT on.
+# redirect(url_for('helpTopics'))
+
+import csv
+import os
+import re
+import subprocess
+from collections import namedtuple
+
+
+# Part 1, make regex
+
+# test_strings = [
+# "redirect(url_for('helpTopics'))", # 1
+# "redirect(hey)", # 2
+# "redirect", # 3
+# "hhredirect", # 4
+# "return redirect(foo)", # 5
+# "redirect(", # 6
+# "redirect()", # 7
+# "return redirect(request.GET.get('redirect',
+ # '/taskManager/'))" # 8
+# ]
+
+# for i, string in enumerate(test_strings):
+# match = re.match(".*redirect\([a-zA-Z0-9_]+\)", string)
+# if match:
+# print(str(i + 1)+" was a match.")
+# request_as_arg = re.match(".*redirect\(request.*\)", string)
+# if request_as_arg:
+# print(str(i + 1)+" was a match to request_as_arg.")
+
+first_regex_vulns = set()
+second_regex_vulns = set()
+
+def test_match_with_regex(string, file_name):
+ global first_regex_vulns
+ global second_regex_vulns
+
+ if string.strip().startswith('#'):
+ return False
+
+ variable_as_arg = re.match(".*redirect\([a-zA-Z0-9_]+\).*", string)
+ if variable_as_arg:
+ print(string + " was a match to variable_as_arg.")
+ first_regex_vulns.add(
+ VulnerabilityConfig(
+ file_name=file_name,
+ line_matching_regex=string.strip()
+ )
+ )
+ return True
+
+ request_as_arg = re.match(".*redirect\(request.*\).*", string)
+ if request_as_arg:
+
+ # Maybe some guy on Hackerone would argue it was a vuln, but it's much lamer.
+ just_the_referrer = re.match(".*redirect\(request\.referrer\).*", string)
+ if just_the_referrer:
+ return False
+
+ just_the_url = re.match(".*redirect\(request\.url\).*", string)
+ if just_the_url:
+ return False
+
+ print(string + " was a match to request_as_arg.")
+ second_regex_vulns.add(
+ VulnerabilityConfig(
+ file_name=file_name,
+ line_matching_regex=string.strip()
+ )
+ )
+ return True
+
+ return False
+
+
+# Part 2, grab repos and run the regex on them.
+# https://github.com/mattmakai/choose-your-own-adventure-presentations.git, /cyoa/views.py
+
+def get_repo_name(url):
+ """Obtains the repo name repo URL.
+ This allows for local file saving, as compared to the URL, which indicates WHERE to clone from.
+
+ :type url: string
+ """
+ # e.g. 'git@github.com:pre-commit/pre-commit-hooks' -> pre-commit-hooks
+ name = url.split('/')[-1]
+
+ # The url_or_path will still work without the `.git` suffix.
+ if name.endswith('.git'):
+ return name[:-4]
+
+ return name
+
+
+RepoConfig = namedtuple(
+ 'RepoConfig',
+ [
+ 'repo_url',
+ 'controller_file'
+ ]
+)
+
+VulnerabilityConfig = namedtuple(
+ 'VulnerabilityConfig',
+ [
+ 'file_name',
+ 'line_matching_regex'
+ ]
+)
+
+repo_config = RepoConfig(
+ "https://github.com/mattmakai/choose-your-own-adventure-presentations.git",
+ "/cyoa/views.py"
+)
+
+
+def clone_from_github(repo_config):
+
+ import os
+ import signal
+ from subprocess import Popen, PIPE, TimeoutExpired
+ from time import monotonic as timer
+
+ start = timer()
+ with Popen('git clone '+repo_config.repo_url, shell=True, stdout=PIPE, preexec_fn=os.setsid) as process:
+ try:
+ output = process.communicate(timeout=1)[0]
+ except TimeoutExpired:
+ os.killpg(process.pid, signal.SIGINT) # send signal to the process group
+ output = process.communicate()[0]
+ except subprocess.CalledProcessError as e:
+ error_msg = e.output.decode('ascii')
+
+ # Ignore this message, because it's expected if the repo has already been cloned.
+ match = re.match(r"fatal: destination path '[^']+' already exists", error_msg)
+ if not match:
+ raise
+ print("Repo destination already existed.")
+ print('Elapsed seconds: {:.2f}'.format(timer() - start))
+
+ # # Clone from Github
+ # try:
+ # subprocess.check_output([
+ # 'git',
+ # 'clone',
+ # repo_config.repo_url,
+ # ],
+ # stderr=subprocess.STDOUT,
+ # timeout=2)
+
+
+
+file_not_found_error_count = 0
+boom_count = 0
+possible_files = set()
+unique_files = set()
+possible_lines_first = set()
+possible_lines_second = set()
+def run_regex_on_repo_config(repo_config):
+ # global vars
+ global boom_count
+ global file_not_found_error_count
+ global possible_files
+ global unique_files
+
+ folder_name = get_repo_name(repo_config.repo_url)
+
+ # The csv has some files that start with a slash, so we need to remove it.
+ # path_to_file = os.path.join(folder_name, repo_config.controller_file)
+ path_to_file = repo_config.controller_file
+ if path_to_file in unique_files:
+ return
+
+ unique_files.add(path_to_file)
+ try:
+ with open(path_to_file) as foo:
+ print("opened ", path_to_file)
+ old_boom_count = boom_count
+ for line in foo:
+ if test_match_with_regex(line, file_name=path_to_file):
+ print(path_to_file + " matches the regexes")
+ print("Boom.")
+ possible_files.add(path_to_file)
+                boom_count = boom_count + 1
+                break
+            if old_boom_count == boom_count:
+                print(path_to_file + " does not match the regexes")
+    except FileNotFoundError:
+        file_not_found_error_count = file_not_found_error_count + 1
+        print("FileNotFoundError on ", path_to_file)
+
+
+# See if the file matches the regex
+# Print Success.
+# Open flask_open_source_apps.csv,
+
+
+# # BEGIN REGEX CODE
+# FLASK_APPS_CSV = 'flask_open_source_apps.csv'
+# flask_csv_reader = csv.reader(open(FLASK_APPS_CSV), delimiter=",")
+# row_count = 0
+# for row in flask_csv_reader:
+# row_count = row_count + 1
+# path_to_file = row[1].strip()
+# repo_config = RepoConfig(
+# repo_url=row[0].strip(),
+# controller_file=path_to_file[1:] if path_to_file.startswith('/') else path_to_file
+# )
+# print("repo_config is ", repo_config)
+# clone_from_github(repo_config)
+# run_regex_on_repo_config(repo_config)
+
+# print("file_not_found_error_count is", str(file_not_found_error_count))
+# print("row_count is", str(row_count))
+# print("boom_count is", str(boom_count))
+# print("len(unique_files) is ", len(unique_files))
+# print("len(possible_files) is ", len(possible_files))
+# # End real code
+
+# # print("possible_lines_first is ", possible_lines_first)
+# for first_regex_vuln in first_regex_vulns:
+# print("first_regex_vuln is", first_regex_vuln)
+# for second_regex_vuln in second_regex_vulns:
+# print("second_regex_vuln is", second_regex_vuln)
+# # print("possible_lines_second is ", possible_lines_second)
+# # END REGEX CODE
+
+
+
+
+
+
+
+
+
+
+
+# I could generate a new CSV?
+# Let me see where the current one gets us on boom_count
+# So it gets us nowhere.
+
+
+
+# FileNotFoundError on flaskRestCrud/flaskRestCrud/project/__init__.py
+# repo_config is RepoConfig(repo_url='https://github.com/mustafawm/Flask-LocationApp', controller_file='Flask-LocationApp/routes.py')
+# Cloning into 'Flask-LocationApp'...
+# remote: Counting objects: 49, done.
+# remote: Total 49 (delta 0), reused 0 (delta 0), pack-reused 49
+# Unpacking objects: 100% (49/49), done.
+# Checking connectivity... done.
+# Elapsed seconds: 0.44
+# FileNotFoundError on Flask-LocationApp/Flask-LocationApp/routes.py
+# repo_config is RepoConfig(repo_url='https://github.com/Original-heapsters/FlaskPortal', controller_file='FlaskPortal/Portal_Main/app.py')
+# Cloning into 'FlaskPortal'...
+# remote: Counting objects: 253, done.
+# remote: Total 253 (delta 0), reused 0 (delta 0), pack-reused 253
+# Receiving objects: 100% (253/253), 186.70 KiB | 0 bytes/s, done.
+# Resolving deltas: 100% (121/121), done.
+# Checking connectivity... done.
+# Elapsed seconds: 0.40
+# FileNotFoundError on FlaskPortal/FlaskPortal/Portal_Main/app.py
+# repo_config is RepoConfig(repo_url='https://github.com/neilmaldy/flask_upload', controller_file='flask_upload/test.py')
+# Cloning into 'flask_upload'...
+# remote: Counting objects: 20, done.
+# remote: Total 20 (delta 0), reused 0 (delta 0), pack-reused 20
+# Unpacking objects: 100% (20/20), done.
+# Checking connectivity... done.
+# Elapsed seconds: 0.35
+# FileNotFoundError on flask_upload/flask_upload/test.py
+# file_not_found_error_count is 728
+# row_count is 728
+
+# path_to_file = 'Flask_SQLite/draw_member.py'
+# with open(path_to_file) as foo:
+# print("opened ", path_to_file)
+# old_boom_count = boom_count
+# for line in foo:
+# print("line is ", line)
+# if test_match_with_regex(line):
+# print(path_to_file + " matches the regexes")
+# print("Boom.")
+# boom_count = boom_count + 1
+# break
+# if old_boom_count == boom_count:
+# print(path_to_file + " does not match the regexes")
+
+
+
+# file_not_found_error_count is 79
+# row_count is 812
+# boom_count is 34
+# So how what was it 34/(812-79)
+# # 4.6 percent matched the regexess
+# # 34/733
+
+# len(unique_files) is 20/(547-66) -> 20/481
+# len(possible_files) is 20
+# ~4.1 percent matched the regexes
+
+
+# possible_files is {'simple-web-proxy/app.py',
+# 'multunus-puzzle/src/app.py',
+# 'FLASKHW/directory.py',
+# 'flask-pastebin/pastebin.py',
+# 'python-indieweb/indieweb.py',
+# 'flask-oauthlib/flask_oauthlib/provider/oauth1.py',
+# 'flaskoktaapp/flaskoktaapp/__init__.py',
+# 'flask_shortener/app.py',
+# 'flask_upload/test.py',
+# 'twitter/hello.py',
+# 'rdflib-web/rdflib_web/lod.py',
+# 'cheapskate/cheapskate.py',
+# 'honest_site/run.py',
+# 'okta-pysaml2-example/app.py',
+# 'pandaflask_old/pandachrome.py',
+# 'oauth-flask-template/auth.py',
+# 'Flaskly/flaskly.py',
+# 'hb2_flask/hb2_flask.py',
+# 'social_project_flask/app.py',
+# 'Flask_SQLite/draw_member.py',
+# 'python-bookmark-service/app.py',
+# 'Flask_OAuth2/app.py',
+# 'cs125-fooddy-flask/fooddy2.py',
+# 'examples-flask/example_basic.py'
+# }
+# Line matching regex 1 is return redirect(foo)
+# Line matching regex 1 is return redirect(UPLOAD_ONION_URL)
+# Line matching regex 1 is return redirect(target)
+# Line matching regex 1 is return redirect(uri)
+# Line matching regex 1 is return redirect(authorization_url)
+# Line matching regex 1 is return redirect(link)
+# Line matching regex 1 is return redirect(redirect_to)
+# Line matching regex 1 is return redirect(url)
+# Line matching regex 1 is return redirect(url)
+# Line matching regex 1 is return redirect(link_target)
+# Line matching regex 1 is return redirect(uri)
+# Line matching regex 1 is return redirect(next_url)
+# Line matching regex 1 is return redirect(url)
+# Line matching regex 1 is return redirect(next)
+
+# Line matching regex 2 is return redirect(request.url)
+# Line matching regex 2 is return redirect(request.referrer or url_for('index'))
+# Line matching regex 2 is return(redirect(request.referrer))
+# Line matching regex 2 is # redirect(request.args.get('next') or url_for('index')) #allows login page to act as in between
+# Line matching regex 2 is return redirect(request.referrer)
+# Line matching regex 2 is return redirect(request.form["next"])
+# Line matching regex 2 is return redirect(request.args.get("next") or url_for("index"))
+
+
+# Finally I was left with the output:
+# first_regex_vulns
+# file_name='flaskoktaapp/flaskoktaapp/__init__.py',
+# line_matching_regex='return redirect(url)'
+
+# file_name='flask-pastebin/pastebin.py',
+# line_matching_regex='return redirect(next_url)'
+
+# file_name='flask_shortener/app.py',
+# line_matching_regex='return redirect(link_target)'
+
+# file_name='oauth-flask-template/auth.py',
+# line_matching_regex='return redirect(next)'
+
+# file_name='social_project_flask/app.py',
+# line_matching_regex='return redirect(next_url)'
+
+# file_name='flask-oauthlib/flask_oauthlib/provider/oauth1.py',
+# line_matching_regex='return redirect(uri)'
+
+# file_name='cs125-fooddy-flask/fooddy2.py',
+# line_matching_regex='return redirect(auth_uri)')
+
+# file_name='python-indieweb/indieweb.py',
+# line_matching_regex='return redirect(url)'
+
+# file_name='multunus-puzzle/src/app.py',
+# line_matching_regex='return redirect(redirect_to)'
+
+# file_name='hb2_flask/hb2_flask.py',
+# line_matching_regex='return redirect(target)'
+
+# file_name='Flask_OAuth2/app.py',
+# line_matching_regex='return redirect(uri)'
+
+# file_name='examples-flask/example_basic.py',
+# line_matching_regex='return redirect(authorization_url)'
+
+# file_name='Flaskly/flaskly.py',
+# line_matching_regex='return redirect(link)'
+
+# file_name='honest_site/run.py',
+# line_matching_regex='return redirect(UPLOAD_ONION_URL)'
+
+# file_name='cheapskate/cheapskate.py',
+# line_matching_regex='return redirect(url)'
+
+# file_name='okta-pysaml2-example/app.py',
+# line_matching_regex='return redirect(url)'
+
+# file_name='python-bookmark-service/app.py',
+# line_matching_regex='return redirect(url)'
+
+# second_regex_vulns
+ # file_name='simple-web-proxy/app.py',
+ # line_matching_regex='return redirect(request.args.get("next") or url_for("index"))'
+
+ # file_name='twitter/hello.py',
+ # line_matching_regex="return redirect(request.referrer or url_for('index'))"
+
+ # file_name='pandaflask_old/pandachrome.py',
+ # line_matching_regex='return redirect(request.form["next"])'
+
+# 17 matching the first regex (5 'url', 2 'next_url', 2 'uri' and others)
+# We cannot tell if they are vulnerable from looking at them.
+
+# 3 matching the second_regex
+
+
+interesting_files = set([
+ 'flaskoktaapp/flaskoktaapp/__init__.py',
+ 'flask-pastebin/pastebin.py',
+ 'flask_shortener/app.py',
+ 'oauth-flask-template/auth.py',
+ 'social_project_flask/app.py',
+ 'flask-oauthlib/flask_oauthlib/provider/oauth1.py',
+ 'cs125-fooddy-flask/fooddy2.py',
+ 'python-indieweb/indieweb.py',
+ 'multunus-puzzle/src/app.py',
+ 'hb2_flask/hb2_flask.py',
+ 'Flask_OAuth2/app.py',
+ 'examples-flask/example_basic.py',
+ 'Flaskly/flaskly.py',
+ 'honest_site/run.py',
+ 'cheapskate/cheapskate.py',
+ 'okta-pysaml2-example/app.py',
+ 'python-bookmark-service/app.py',
+ 'simple-web-proxy/app.py',
+ 'twitter/hello.py',
+ 'pandaflask_old/pandachrome.py'
+])
+
+print("len of interesting_files is ", len(interesting_files))
+for file in interesting_files:
+ print('file is ', file)
+
+
+flaskoktaapp/flaskoktaapp/__init__.py
+# Ret
+
+# Reports 0 vulns, (with edited flask trigger words)
+# https://github.com/gene1wood/flaskoktaapp/blob/master/flaskoktaapp/__init__.py#L204
+# although we don't currently have a Post-only Flask option.
+
+#1 of 20, GOOD: true negative, not reported.
+#2 of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+# of 20,
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/pyt/interprocedural_cfg.py b/pyt/interprocedural_cfg.py
index 90e7ff0f..cf75d320 100644
--- a/pyt/interprocedural_cfg.py
+++ b/pyt/interprocedural_cfg.py
@@ -54,7 +54,7 @@
 'call',
 'render_template',
 'redirect',
- 'url_for',
+ # 'url_for',
 'flash',
 'jsonify'])
diff --git a/pyt/trigger_definitions/flask_trigger_words.pyt b/pyt/trigger_definitions/flask_trigger_words.pyt
index c5b53976..7f1a01a4 100644
--- a/pyt/trigger_definitions/flask_trigger_words.pyt
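Review bot: `clone_from_github` builds its command as `'git clone '+repo_config.repo_url` and runs it with `shell=True`, so any shell metacharacters in a `repo_url` — which the commented-out driver further down reads straight from `row[0]` of flask_open_source_apps.csv — would be interpreted by the shell; pass an argument list with `shell=False` instead. The `except subprocess.CalledProcessError` branch can never run, because `Popen.communicate` does not raise it and stderr is not captured (no `stderr=PIPE`), so the "already exists" match on `error_msg` is dead code and the function cannot tell a failed clone from a successful one. The 1-second `timeout=1` also sends SIGINT to any clone that takes longer and then continues as if it had succeeded; a larger timeout plus a `returncode` check before the file is scanned would make the counts in the notes trustworthy. Separately, the bare expression `flaskoktaapp/flaskoktaapp/__init__.py` after the `for file in interesting_files:` loop parses as a division chain and raises `NameError` when the module is run — it reads like a note that belongs in a `#` comment.
```python
def clone_from_github(repo_config):
    # … unchanged: local imports and `start = timer()` …
    # Argument list, no shell: repo_url comes from an external CSV and must not be parsed by a shell.
    with Popen(['git', 'clone', repo_config.repo_url],
               stdout=PIPE, stderr=PIPE, preexec_fn=os.setsid) as process:
        try:
            # 1 s cut off real clones; pick a value suited to the repos being scanned.
            _, stderr = process.communicate(timeout=60)
        except TimeoutExpired:
            os.killpg(process.pid, signal.SIGINT)  # send signal to the process group
            _, stderr = process.communicate()
    # Popen never raises CalledProcessError; inspect the exit status and captured stderr instead.
    if process.returncode != 0:
        error_msg = stderr.decode('utf-8', errors='replace')
        # Expected when the repo was already cloned on an earlier run.
        if not re.match(r"fatal: destination path '[^']+' already exists", error_msg):
            raise RuntimeError(error_msg)
        print("Repo destination already existed.")
    # … unchanged: 'Elapsed seconds' print …
```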
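Review bot: `+ # 'url_for',` leaves a commented-out element inside the list with no record of why it was taken out, and the assignment that opens the list starts above this hunk, so a reader cannot see what the list controls. If dropping it is meant to land, delete the line and note the reason next to the list, e.g. `# 'url_for' intentionally omitted: see hackathon_notes.py`; if it is a local experiment (hackathon_notes.py in this same commit mentions "edited flask trigger words"), it should not be part of this commit.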
+++ b/pyt/trigger_definitions/flask_trigger_words.pyt
@@ -1,23 +1,10 @@
 sources:
 get(
 .data
-form[
-form(
 Markup(
 cookies[
 files[
 SQLAlchemy
 sinks:
-replace( -> escape
-send_file( -> '..', '..' in
-execute(
-system(
-filter(
-subprocess.call(
-render_template(
-set_cookie(
 redirect(
-url_for(
-flash(
-jsonify(
\ No newline at end of file
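Review bot: This hunk removes most of the stock Flask sources and sinks (`form[`, `form(`, `execute(`, `system(`, `subprocess.call(`, `render_template(`, `set_cookie(`, `url_for(`, `flash(`, `jsonify(`) and leaves `redirect(` as the only sink, so anyone running PyT with the default trigger definitions after this commit silently loses detection of every class of injection except open redirect. If the narrowed set exists only for the redirect experiment in hackathon_notes.py, put it in a separate definitions file (e.g. `flask_redirect_only.pyt`, a name to be chosen) selected explicitly for that run and leave this default file as it was. The file should also end with a newline so git stops reporting `\ No newline at end of file`.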