❯❱ python.django.security.injection.request-data-write.request-data-write
Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious
actor is able to control data into sensitive files. For example, a malicious actor could force
rolling of critical log files, or cause a denial-of-service by using up available disk space.
Instead, ensure that request data is properly escaped or sanitized.
Details: https://sg.run/0Q6j
59┆ log_code = request.POST.get('log_code')
60┆ api_code = request.POST.get('api_code')
61┆ dirname = os.path.dirname(__file__)
62┆ log_filename = os.path.join(dirname, "playground/A9/main.py")
63┆ api_filename = os.path.join(dirname, "playground/A9/api.py")
64┆ f = open(log_filename,"w")
65┆ f.write(log_code)
⋮┆----------------------------------------
60┆ api_code = request.POST.get('api_code')
61┆ dirname = os.path.dirname(__file__)
62┆ log_filename = os.path.join(dirname, "playground/A9/main.py")
63┆ api_filename = os.path.join(dirname, "playground/A9/api.py")
64┆ f = open(log_filename,"w")
65┆ f.write(log_code)
66┆ f.close()
67┆ f = open(api_filename,"w")
68┆ f.write(api_code)
We don't have an existing transformer that aligns with this. Could we just wrap arguments to open and write with escape or some other sanitization func?
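Added example, not pygoat's code and not a semgrep autofix: the write pattern the rule flagged, kept deliberately weak, beside a hardened writer for request-supplied text. Wrapping the `open`/`write` arguments in an escape function would not address what the rule message describes, because the sink is a file, not HTML or a shell; the checks that matter are a fixed, allow-listed destination outside the package tree (the flagged code writes into `playground/A9/main.py` next to `__file__`), a size cap against the disk-fill denial of service, and an atomic replace so no partial file is ever visible. `MAX_BYTES`, `SLOTS`, `RejectedInput`, `save_user_text` and `demo` are names assumed for this example; the inputs in `demo()` are constructed.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical limits and names for this example; pygoat defines none of these.
MAX_BYTES = 64 * 1024
# Fixed map from request field to a non-executable file name in a data directory.
# The request only picks one of these slots; it never supplies a path.
SLOTS = {"log_code": "log_code.txt", "api_code": "api_code.txt"}


class RejectedInput(ValueError):
    """Raised when a submission fails a check; a view would map it to HTTP 400."""


def vulnerable_write(post, dirname):
    """The shape semgrep flagged (kept deliberately weak): request data goes
    into a .py file inside the application's own package directory, with no
    size limit and no close if write() raises."""
    log_code = post.get("log_code")
    log_filename = os.path.join(dirname, "playground/A9/main.py")
    f = open(log_filename, "w")
    f.write(log_code)
    f.close()
    return log_filename


def save_user_text(text, data_dir, slot):
    """Hardened counterpart: type check, allow-listed slot, size cap,
    confinement to data_dir, atomic replace, no leftover temp file on error."""
    if not isinstance(text, str):
        raise RejectedInput("missing or non-string field")
    if slot not in SLOTS:
        raise RejectedInput("unknown slot")
    data = text.encode("utf-8")
    if len(data) > MAX_BYTES:
        raise RejectedInput("submission exceeds %d bytes" % MAX_BYTES)
    data_dir = Path(data_dir).resolve()
    dest = (data_dir / SLOTS[slot]).resolve()
    if dest.parent != data_dir:  # defence in depth; SLOTS already holds bare names
        raise RejectedInput("destination escapes data directory")
    fd, tmp = tempfile.mkstemp(dir=data_dir, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)  # readers see the old file or the whole new one
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise
    return dest


def demo():
    """Runs both writers on constructed inputs in a scratch directory and
    returns what happened, so the difference is observable without Django."""
    out = {}
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        (scratch / "playground" / "A9").mkdir(parents=True)
        big = "x" * (MAX_BYTES + 1)

        # Before: any size, straight into main.py under the package tree.
        target = vulnerable_write({"log_code": big}, str(scratch))
        out["vuln_target"] = os.path.relpath(target, scratch)
        out["vuln_bytes"] = os.path.getsize(target)

        # After: bounded, allow-listed, written to a separate data directory.
        data_dir = scratch / "submissions"
        data_dir.mkdir()
        dest = save_user_text("print('hello')", data_dir, "log_code")
        out["ok_name"] = dest.name
        out["ok_text"] = dest.read_text(encoding="utf-8")
        for label, text, slot in (
            ("too_large", big, "log_code"),
            ("traversal", "x", "../playground/A9/main.py"),
            ("missing", None, "log_code"),
        ):
            try:
                save_user_text(text, data_dir, slot)
                out[label] = "accepted"
            except RejectedInput:
                out[label] = "rejected"
        out["leftover_tmp"] = [p.name for p in data_dir.iterdir() if p.name.startswith(".tmp-")]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In a Django view the call becomes `save_user_text(request.POST.get("log_code"), settings.SUBMISSION_DIR, "log_code")` inside a `try`/`except RejectedInput`; the request data reaches `open()`/`write()` only after the size and destination checks, which is what a transformer for this rule would have to insert rather than an escape call.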
Running semgrep on pygoat