# Fixture for VAL-007 (M7): Python SSRF sink fed by a tainted source.
#
# The tldr-core taint scanner needs:
# - a source pattern from `get_sources(Language::Python)` — we use
# `request.args` (Flask GET parameter) to taint variable `target`
# - the tainted variable name appearing on the SAME line as the sink
# pattern (the scanner does `line.contains(sink_pattern) && line.contains(var)`)
# - a sink pattern from `get_sinks(VulnType::Ssrf, Language::Python)` —
# post-fix this includes `requests.get(`, `requests.post(`,
# `urllib.request.urlopen(`, `httpx.get(`
#
# On unfixed HEAD, `get_sinks(VulnType::Ssrf, Language::Python)` returns
# `vec![]`, so the line-scanning second pass in `scan_file_vulns` never
# matches — `findings` stays empty for this fixture.
from flask import request
import requests
import urllib.request
import httpx

def fetch_requests_get():
    target = request.args.get("url")  # source: request.args taints `target` (the "url" key is assumed; the header fixes only `request.args` and `target`)
    # sink: requests.get( with tainted `target`
    return requests.get(target).text

def fetch_requests_post():
    target = request.args.get("url")
    # sink: requests.post( with tainted `target`
    return requests.post(target).text

def fetch_urlopen():
    target = request.args.get("url")
    # sink: urllib.request.urlopen( with tainted `target`
    return urllib.request.urlopen(target).read()

def fetch_httpx_get():
    target = request.args.get("url")
    # sink: httpx.get( with tainted `target`
    return httpx.get(target).text
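# Added example (not tldr-core's own code): a minimal Rust model of the two-pass line scan the header describes, run over a constructed two-line fixture, to show why an empty sink list on unfixed HEAD yields no findings and why sink and tainted variable must share a line. `Finding`, `scan_lines` and the constant names are assumptions.

```rust
// Added example, not tldr-core's own code: a minimal model of the two-pass
// line scan the header describes. Type and function names are assumptions.

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line_no: usize,
    pub sink: &'static str,
    pub var: String,
}

/// Pass 1: a line containing a source pattern taints the variable assigned on it.
fn tainted_var(line: &str, sources: &[&str]) -> Option<String> {
    if !sources.iter().any(|s| line.contains(*s)) {
        return None;
    }
    let lhs = line.split('=').next()?.trim();
    let is_ident = !lhs.is_empty() && lhs.chars().all(|c| c.is_alphanumeric() || c == '_');
    if is_ident { Some(lhs.to_string()) } else { None }
}

/// Pass 2: a line containing both a sink pattern and a tainted variable name
/// is a finding (plain substring checks, exactly as the header describes).
pub fn scan_lines(src: &str, sources: &[&str], sinks: &[&'static str]) -> Vec<Finding> {
    let tainted: Vec<String> = src.lines().filter_map(|l| tainted_var(l, sources)).collect();
    let mut findings = Vec::new();
    for (i, line) in src.lines().enumerate() {
        for &sink in sinks {
            // Both conditions on the SAME line, as in the scanner's second pass.
            if let Some(var) = tainted.iter().find(|v| line.contains(sink) && line.contains(v.as_str())) {
                findings.push(Finding { line_no: i + 1, sink, var: var.clone() });
            }
        }
    }
    findings
}

/// Constructed two-line fixture: Flask source on line 1, requests.get sink on line 2.
pub const FIXTURE: &str = "target = request.args.get(\"url\")\nreturn requests.get(target).text\n";
pub const SOURCES: &[&str] = &["request.args"];
pub const SINKS_HEAD: &[&str] = &[]; // unfixed HEAD: get_sinks returns vec![]
pub const SINKS_POST_FIX: &[&str] =
    &["requests.get(", "requests.post(", "urllib.request.urlopen(", "httpx.get("];

fn main() {
    println!("HEAD: {:?}", scan_lines(FIXTURE, SOURCES, SINKS_HEAD)); // []
    println!("post-fix: {:?}", scan_lines(FIXTURE, SOURCES, SINKS_POST_FIX)); // one finding on line 2
}
```

The last assertion in the usage below is the caveat: once the tainted value is copied into another variable before reaching the sink, this same-line substring check no longer matches.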