initial commit

Author: Alex Hornbake

azure-pipelines.yml

@@ -0,0 +1,41 @@
+variables:
+- group: shiftleft-token
+
+trigger:
+- master
+- feature/*
+
+pool:
+  vmImage: 'windows-latest'
+
+steps:
+- task: PowerShell@2
+  displayName: Download ShiftLeft cli
+  inputs:
+    targetType: 'inline'
+    script: |
+      Invoke-WebRequest -Uri 'https://cdn.shiftleft.io/download/sl-latest-windows-x64.zip' -OutFile $(Agent.HomeDirectory)\sl.zip
+      Expand-Archive -Path $(Agent.HomeDirectory)\sl.zip -DestinationPath $(Agent.HomeDirectory)\
+- task: PowerShell@2
+  displayName: Enable linux containers
+  inputs:
+    targetType: 'inline'
+    script: |
+      Invoke-WebRequest -Uri https://github.com/linuxkit/lcow/releases/download/v4.14.35-v0.3.9/release.zip -OutFile release.zip
+      Expand-Archive release.zip -DestinationPath "$Env:ProgramFiles\Linux Containers\."
+      '{"experimental":true}' | Out-File "$Env:ProgramData\docker\config\daemon.json " -encoding ASCII
+      Restart-Service docker
+- task: CmdLine@2
+  displayName: Analyze with Inspect
+  inputs:
+    script: |
+      docker pull --platform linux docker.io/shiftleft/scan-slim
+      docker run --platform linux docker.io/shiftleft/scan-slim scan --help
+      $(Agent.HomeDirectory)\sl analyze --verbose --no-diagnostic --force --version-id 1 --app ShiftLeftPythonAzWin branch=$(Build.SourceBranchName) --python $(Build.SourcesDirectory)
+    workingDirectory: '$(Build.SourcesDirectory)'
+  env:
+    SHIFTLEFT_ORG_ID: $(SHIFTLEFT_ORG_ID)
+    SHIFTLEFT_ACCESS_TOKEN: $(SHIFTLEFT_ACCESS_TOKEN)
+    SHIFTLEFT_API_TOKEN: $(SHIFTLEFT_API_TOKEN)
+    LCOW_SUPPORTED: 1
+    LCOW_API_PLATFORM_IF_OMITTED: linux

cfg_example.py

@@ -0,0 +1,9 @@
+from ..pyt.cfg import CFG, print_CFG, generate_ast
+
+
+ast = generate_ast('example_inputs/example.py')
+
+cfg = CFG()
+cfg.create(ast)
+
+print_CFG(cfg)

django.nV/taskManager/__init__.py

@@ -0,0 +1,13 @@
+#     _  _                        __   __
+#  __| |(_)__ _ _ _  __ _ ___   _ \ \ / /
+# / _` || / _` | ' \/ _` / _ \_| ' \ V /
+# \__,_|/ \__,_|_||_\__, \___(_)_||_\_/
+#     |__/          |___/
+#
+#			INSECURE APPLICATION WARNING
+#
+# django.nV is a PURPOSELY INSECURE web-application
+# meant to demonstrate Django security problems
+# UNDER NO CIRCUMSTANCES should you take any code
+# from django.nV for use in another web application!
+#

django.nV/taskManager/forms.py

@@ -0,0 +1,89 @@
+#     _  _                        __   __
+#  __| |(_)__ _ _ _  __ _ ___   _ \ \ / /
+# / _` || / _` | ' \/ _` / _ \_| ' \ V /
+# \__,_|/ \__,_|_||_\__, \___(_)_||_\_/
+#     |__/          |___/
+#
+#           INSECURE APPLICATION WARNING
+#
+# django.nV is a PURPOSELY INSECURE web-application
+# meant to demonstrate Django security problems
+# UNDER NO CIRCUMSTANCES should you take any code
+# from django.nV for use in another web application!
+#
+
+""" forms.py contains various Django forms for the application """
+
+from taskManager.models import Project, Task
+from django import forms
+from django.contrib.auth.models import User
+
+
+def get_my_choices_users():
+    """ Retrieves a list of all users in the system
+        for the user management page
+    """
+
+    user_list = User.objects.order_by('date_joined')
+    user_tuple = []
+    counter = 1
+    for user in user_list:
+        user_tuple.append((counter, user))
+        counter = counter + 1
+    return user_tuple
+
+
+def get_my_choices_tasks(current_proj):
+    """ Retrieves all tasks in the system
+        for the task management page
+    """
+
+    task_list = []
+    tasks = Task.objects.all()
+    for task in tasks:
+        if task.project == current_proj:
+            task_list.append(task)
+
+    task_tuple = []
+    counter = 1
+    for task in task_list:
+        task_tuple.append((counter, task))
+        counter = counter + 1
+    return task_tuple
+
+
+def get_my_choices_projects():
+    """ Retrieves all projects in the system
+        for the project management page
+    """
+
+    proj_list = Project.objects.all()
+    proj_tuple = []
+    counter = 1
+    for proj in proj_list:
+        proj_tuple.append((counter, proj))
+        counter = counter + 1
+    return proj_tuple
+
+# A2: Broken Authentication and Session Management
+
+
+class UserForm(forms.ModelForm):
+    """ User registration form """
+    class Meta:
+        model = User
+        exclude = ['groups', 'user_permissions', 'last_login', 'date_joined', 'is_active']
+
+
+class ProjectFileForm(forms.Form):
+    """ Used for uploading files attached to projects """
+    name = forms.CharField(max_length=300)
+    file = forms.FileField()
+
+
+class ProfileForm(forms.Form):
+    """ Provides a form for editing your own profile """
+    first_name = forms.CharField(max_length=30, required=False)
+    last_name = forms.CharField(max_length=30, required=False)
+    email = forms.CharField(max_length=300, required=False)
+    picture = forms.FileField(required=False)

django.nV/taskManager/loop_false_negative.py

@@ -0,0 +1,23 @@
+import os
+
+from tempfile import NamedTemporaryFile
+
+from django.shortcuts import redirect
+from django.http import HttpResponse
+
+def download(request):
+    response = HttpResponse("Hi.")
+    fork_list = request.POST.getlist('fork_list')
+    if request.POST and len(fork_list) > 0:
+        tmp_file = NamedTemporaryFile()
+        cmd = "tar -czvf %s -C %s " % (tmp_file.name,DOWNLOADS)
+        for item in fork_list:
+            cmd += item + " "
+        os.system(cmd)
+
+        response = HttpResponse(content_type='application/x-gzip')
+        response['Content-Disposition'] = 'attachment; filename="%s.tar.gz"' % tmp_file.name
+        response.write(tmp_file.file.read())
+    else:
+        response = redirect("/list/")
+    return response

django.nV/taskManager/misc.py

@@ -0,0 +1,41 @@
+#     _  _                        __   __
+#  __| |(_)__ _ _ _  __ _ ___   _ \ \ / /
+# / _` || / _` | ' \/ _` / _ \_| ' \ V /
+# \__,_|/ \__,_|_||_\__, \___(_)_||_\_/
+#     |__/          |___/
+#
+#			INSECURE APPLICATION WARNING
+#
+# django.nV is a PURPOSELY INSECURE web-application
+# meant to demonstrate Django security problems
+# UNDER NO CIRCUMSTANCES should you take any code
+# from django.nV for use in another web application!
+#
+""" misc.py contains miscellaneous functions
+
+    Functions that are used in multiple places in the
+    rest of the application, but are not tied to a
+    specific area are stored in misc.py
+"""
+
+import os
+
+
+def store_uploaded_file(title, uploaded_file):
+    """ Stores a temporary uploaded file on disk """
+    upload_dir_path = '%s/static/taskManager/uploads' % (
+        os.path.dirname(os.path.realpath(__file__)))
+    if not os.path.exists(upload_dir_path):
+        os.makedirs(upload_dir_path)
+
+    # A1: Injection (shell)
+    # Let's avoid the file corruption race condition!
+    os.system(
+        "mv " +
+        uploaded_file.temporary_file_path() +
+        " " +
+        "%s/%s" %
+        (upload_dir_path,
+         title))
+
+    return '/static/taskManager/uploads/%s' % (title)

django.nV/taskManager/models.py

@@ -0,0 +1,105 @@
+#     _  _                        __   __
+#  __| |(_)__ _ _ _  __ _ ___   _ \ \ / /
+# / _` || / _` | ' \/ _` / _ \_| ' \ V /
+# \__,_|/ \__,_|_||_\__, \___(_)_||_\_/
+#     |__/          |___/
+#
+#			INSECURE APPLICATION WARNING
+#
+# django.nV is a PURPOSELY INSECURE web-application
+# meant to demonstrate Django security problems
+# UNDER NO CIRCUMSTANCES should you take any code
+# from django.nV for use in another web application!
+#
+
+import datetime
+
+from django.contrib.auth.models import User
+
+from django.utils import timezone
+from django.db import models
+
+
+class UserProfile(models.Model):
+    user = models.OneToOneField(User)
+    image = models.CharField(max_length=3000, default="")
+    reset_token = models.CharField(max_length=7, default="")
+    reset_token_expiration = models.DateTimeField(default=timezone.now)
+
+class Project(models.Model):
+    title = models.CharField(max_length=50, default='Default')
+    text = models.CharField(max_length=500)
+    start_date = models.DateTimeField('date started')
+    due_date = models.DateTimeField(
+        'date due',
+        default=(
+            timezone.now() +
+            datetime.timedelta(
+                weeks=1)))
+    users_assigned = models.ManyToManyField(User)
+    priority = models.IntegerField(default=1)
+
+    def __str__(self):
+        return self.title
+
+    def was_created_recently(self):
+        return self.start_date >= timezone.now() - datetime.timedelta(days=1)
+
+    def is_overdue(self):
+        return self.due_date <= timezone.now()
+
+    def percent_complete(self):
+        counter = 0
+        for task in self.task_set.all():
+            counter = counter + (1 if task.completed else 0)
+        try:
+            return round(float(counter) / self.task_set.count() * 100)
+        except ZeroDivisionError:
+            return 0
+
+
+class Task(models.Model):
+    project = models.ForeignKey(Project, default=1)
+    text = models.CharField(max_length=200)
+    title = models.CharField(max_length=200, default="N/A")
+    start_date = models.DateTimeField('date created')
+    due_date = models.DateTimeField(
+        'date due',
+        default=(
+            timezone.now() +
+            datetime.timedelta(
+                weeks=1)))
+    completed = models.NullBooleanField(default=False)
+    users_assigned = models.ManyToManyField(User)
+
+    def __str__(self):
+        return self.text
+
+    def was_created_recently(self):
+        return self.start_date >= timezone.now() - datetime.timedelta(days=1)
+
+    def is_overdue(self):
+        return self.due_date <= timezone.now()
+
+    def percent_complete(self):
+        return 100 if self.completed else 0
+
+
+class Notes(models.Model):
+    task = models.ForeignKey(Task, default=1)
+    title = models.CharField(max_length=200, default="N/A")
+    text = models.CharField(max_length=200)
+    image = models.CharField(max_length=200)
+    user = models.CharField(max_length=200, default='ancestor')
+
+    def __str__(self):
+        return self.text
+
+
+class File(models.Model):
+    project = models.ForeignKey(Project)
+    name = models.CharField(max_length=300, default="")
+    path = models.CharField(max_length=3000, default="")
+
+    def __str__(self):
+        return self.name

django.nV/taskManager/redirect_maybe_should_trigger_vuln.py

@@ -0,0 +1,25 @@
+from django.shortcuts import render, render_to_response, redirect
+
+
+def task_edit(request, project_id, task_id):
+
+    proj = Project.objects.get(pk=project_id)
+    task = Task.objects.get(pk=task_id)
+
+    if request.method == 'POST':
+
+        if task.project == proj:
+
+            text = request.POST.get('text', False)
+            task_title = request.POST.get('task_title', False)
+            task_completed = request.POST.get('task_completed', False)
+
+            task.title = task_title
+            task.text = text
+            task.completed = True if task_completed == "1" else False
+            task.save()
+
+        return redirect('/taskManager/' + project_id + '/' + task_id)
+    else:
+        return render_to_response(
+            'taskManager/task_edit.html', {'task': task}, RequestContext(request))