Code Security Report: 6 high severity findings, 10 total findings #13

Open
mend-for-github.aaakk.us.kg bot opened this issue Dec 23, 2022 · 0 comments
Labels: code security findings (Code security findings detected by Mend)

Comments

@mend-for-github.aaakk.us.kg

Code Security Report

Latest Scan: 2022-12-23 01:59pm
Total Findings: 10
Tested Project Files: 99
Detected Programming Languages: 1

Language: Python

| Severity | CWE | Vulnerability Type | Count |
|---|---|---|---|
| High | CWE-78 | Command Injection | 4 |
| High | CWE-79 | Cross-Site Scripting | 2 |
| Low | CWE-916 | Weak Hash Strength | 4 |

Details

The list below presents the 6 high-severity findings that need your attention. To view information on these findings, navigate to the Mend SAST Application.

Command Injection (CWE-78) : 4

Findings

trigger/cmdi.py:6

```python
import os
import subprocess


def do_os_system(command):
    return os.system(command)
```

Trace

```python
files = await request.files
stream = files.get("file")
user_input = stream.read()
def do_os_system(command):
    return os.system(command)
```

apps/falcon_app.py:29

```python
user_input = req._params["upload"].file.read()
digest = hexlify(md5(user_input).digest()).decode("utf8")
cmd = "echo " + str(user_input[:10])
os.system(cmd)
```

Trace

```python
user_input = req._params["upload"].file.read()
cmd = "echo " + str(user_input[:10])
os.system(cmd)
```

trigger/cmdi.py:6

```python
import os
import subprocess


def do_os_system(command):
    return os.system(command)
```

Trace

```python
content = await file.read()
def do_os_system(command):
    return os.system(command)
```

trigger/cmdi.py:6

```python
import os
import subprocess


def do_os_system(command):
    return os.system(command)
```

Trace

```python
user_input = stream.read()
def do_os_system(command):
    return os.system(command)
```

Cross-Site Scripting (CWE-79) : 2

Findings

django/vulnerable_asgi.py:55

```python
template = get_template("{}.html".format(name))
if name == "xss" and trigger == "raw":
    template += "<p>XSS: " + user_input + "</p>"
return HttpResponse(template)
```

Trace

```python
header_user_input = request.META.get("HTTP_QUERY_STRING")
user_input = await _get_user_input(request)
template += "<p>XSS: " + user_input + "</p>"
return HttpResponse(template)
```

django/vulnerable.py:38

```python
template = get_template("{}.html".format(name))
if name == "xss" and trigger == "raw":
    template += "<p>XSS: " + user_input + "</p>"
return HttpResponse(template)
```

Trace

```python
return request.GET.get("user_input", "")
user_input = _get_user_input(request)
template += "<p>XSS: " + user_input + "</p>"
return HttpResponse(template)
```
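The two high-severity patterns in the report, each placed beside a hardened form, as an added example that is not code from the scanned project or from the Mend report. The function names (`build_echo_command_unsafe`, `run_echo_safe`, `render_unsafe`, `render_safe`) and the sample payloads are constructed for illustration. The hardened forms use only the standard library (`subprocess.run` with an argv list, `html.escape`) so the block runs without Falcon or Django; in a Django view the native equivalents are `django.utils.html.escape` or `format_html`, or simply leaving the value to template autoescaping instead of concatenating HTML by hand.

```python
"""Hardened counterparts to the report's two high-severity patterns.

Added example: not code from the scanned project or from the Mend report.
Function names and sample payloads are constructed for illustration.
"""
import html
import subprocess


# --- CWE-78: command injection (trigger/cmdi.py, apps/falcon_app.py) --------

def build_echo_command_unsafe(user_input: bytes) -> str:
    """Mirror of the flagged pattern: attacker-controlled bytes concatenated
    into a shell command line. Returned as a string only so it can be
    inspected; this function never executes it."""
    return "echo " + str(user_input[:10])


def run_echo_safe(user_input: bytes) -> str:
    """Pass the attacker-controlled value as a single argv element, never
    through a shell. With a list argument subprocess.run uses shell=False, so
    `$(...)`, `;` and `|` are plain characters to the child process. printf is
    used instead of echo because GNU echo treats a leading -n/-e as an option;
    printf's first argument is the format, so the value is always data."""
    arg = user_input[:10].decode("utf-8", errors="replace")
    result = subprocess.run(
        ["printf", "%s\n", arg], capture_output=True, text=True, check=True
    )
    return result.stdout


# --- CWE-79: cross-site scripting (django/vulnerable.py) --------------------

def render_unsafe(user_input: str) -> str:
    """Mirror of the flagged pattern: raw concatenation into HTML."""
    return "<p>XSS: " + user_input + "</p>"


def render_safe(user_input: str) -> str:
    """Escape for the HTML text context before concatenating. html.escape
    converts & < > and, with quote=True, " and ' into entities, so the value
    cannot close the <p> element or start a new tag or attribute."""
    return "<p>XSS: " + html.escape(user_input, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed payloads, not taken from the report.
    payload_cmd = b"$(id); rm"
    print("unsafe shell line:", build_echo_command_unsafe(payload_cmd))
    print("safe argv output :", run_echo_safe(payload_cmd), end="")
    payload_xss = "<script>alert(1)</script>"
    print("unsafe html      :", render_unsafe(payload_xss))
    print("safe html        :", render_safe(payload_xss))
```

`run_echo_safe` shows the general fix for all four CWE-78 findings: the sink `os.system(cmd)` is replaced by an argv list with no shell, so whatever reaches `user_input` (request body, multipart file, query string) cannot change which program runs. `render_safe` shows the fix for both CWE-79 findings; if the value must land inside an attribute or a `<script>` block rather than element text, a context-specific encoder is needed instead.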

mend-for-github.aaakk.us.kg bot added the "code security findings" label Dec 23, 2022