-
Notifications
You must be signed in to change notification settings - Fork 0
Create appp.py #9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,21 @@ | |||||||||||||||||||||||||||||
| import sqlite3 | |||||||||||||||||||||||||||||
| from flask import Flask, request | |||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||
| app = Flask(__name__) | |||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||
| @app.route('/search') | |||||||||||||||||||||||||||||
| def search(): | |||||||||||||||||||||||||||||
| # Get the user input from the query parameter | |||||||||||||||||||||||||||||
| query = request.args.get('query', '') | |||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||
| # Vulnerable: User input is directly concatenated into the SQL query | |||||||||||||||||||||||||||||
| connection = sqlite3.connect('example.db') | |||||||||||||||||||||||||||||
| cursor = connection.cursor() | |||||||||||||||||||||||||||||
| cursor.execute(f"SELECT * FROM users WHERE name = '{query}'") # SQL injection vulnerability | |||||||||||||||||||||||||||||
| results = cursor.fetchall() | |||||||||||||||||||||||||||||
| connection.close() | |||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||
| return str(results) | |||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||
| if __name__ == '__main__': | |||||||||||||||||||||||||||||
| app.run(debug=True) | |||||||||||||||||||||||||||||
Check failureCode scanning / CodeQL Flask app is run in debug mode High
A Flask app appears to be run in debug mode. This may allow an attacker to run arbitrary code through the debugger.
Copilot AutofixAI about 1 year ago To fix the problem, we need to ensure that the Flask application does not run in debug mode in a production environment. The best way to achieve this is by using an environment variable to control the debug mode. This way, we can easily switch between development and production environments without changing the code.
Suggested changeset
1
appp.py
Copilot is powered by AI and may make mistakes. Always verify output.
Refresh and try again.
|
|||||||||||||||||||||||||||||
Check failure
Code scanning / CodeQL
SQL query built from user-controlled sources High
Copilot Autofix
AI about 1 year ago
To fix the SQL injection vulnerability, we should use parameterized queries instead of directly concatenating user input into the SQL query string. Parameterized queries ensure that user input is properly escaped and quoted by the database driver, preventing SQL injection attacks.
In this specific case, we will modify the
cursor.executecall to use a parameterized query. This involves replacing the f-string with a query string that contains placeholders (?), and passing the user input as a separate argument to theexecutemethod.