added potential vulnerability cases for python-sh in deliberately_vulnerable_flask_app

Author: esiebomaj

documentation/deliberately_vulnerable_flask_app/app.py

@@ -10,6 +10,7 @@
 import requests
 from flask import Flask, render_template
 from lxml import etree
+import sh.sh as sh
 
 app = Flask(__name__)
 
@@ -57,3 +58,28 @@ def definite_ssrf(payload: str) -> None:
 @app.route("/xxe/<string:payload>")
 def definite_xxe(payload: str) -> None:
     etree.fromstring(payload)
+
+
+@app.route("/rce/<string:payload>") # picked
+def potential_rce_3(payload: str) -> None:
+    sh.Command(path=payload, search_paths=[payload])
+
+
+@app.route("/rce/<string:payload>") # picked
+def potential_rce_4(payload: str) -> None:
+    sh.RunningCommand(payload, call_args=[payload])
+
+
+@app.route("/rce/<string:payload>") # picked
+def potential_rce_5(payload: str) -> None:
+    sh.OProc(command=payload, cmd=[payload])
+
+
+@app.route("/rce/<string:payload>") # picked
+def potential_rce_6(payload: str) -> None:
+    sh.which(payload, paths=[payload])
+
+
+@app.route("/rce/<string:payload>")
+def potential_rce_7(payload: str) -> None:
+    sh.ls(payload, payload)

documentation/deliberately_vulnerable_flask_app/full_result.json

@@ -102,5 +102,93 @@
     "path": "app.py",
     "stop_column": 36,
     "stop_line": 28
+  },
+  {
+    "line": 65,
+    "column": 20,
+    "stop_line": 65,
+    "stop_column": 27,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_3"
+  },
+  {
+    "line": 65,
+    "column": 42,
+    "stop_line": 65,
+    "stop_column": 51,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_3"
+  },
+  {
+    "line": 70,
+    "column": 41,
+    "stop_line": 70,
+    "stop_column": 50,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_4"
+  },
+  {
+    "line": 70,
+    "column": 22,
+    "stop_line": 70,
+    "stop_column": 29,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_4"
+  },
+  {
+    "line": 75,
+    "column": 21,
+    "stop_line": 75,
+    "stop_column": 28,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_5"
+  },
+  {
+    "line": 75,
+    "column": 34,
+    "stop_line": 75,
+    "stop_column": 43,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_5"
+  },
+  {
+    "line": 80,
+    "column": 13,
+    "stop_line": 80,
+    "stop_column": 20,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_6"
+  },
+  {
+    "line": 80,
+    "column": 28,
+    "stop_line": 80,
+    "stop_column": 37,
+    "path": "app.py",
+    "code": 6065,
+    "name": "Commandline arguments injection may result in RCE",
+    "description": "Commandline arguments injection may result in RCE [6065]: Data from [UserControlled] source(s) may reach [ExecArgSink] sink(s)",
+    "define": "app.potential_rce_6"
   }
 ]

stubs/third_party_taint/pythonsh_sinks.pysa

@@ -1,5 +1,5 @@
-def sh.which(program: TaintSink[RemoteCodeExecution], paths: TaintSink[RemoteCodeExecution]):...
-def sh.command.__init__(self, path: TaintSink[RemoteCodeExecution], search_paths: TaintSink[RemoteCodeExecution]):...
-def sh.RunningCommand.__init__(self, cmd:TaintSink[RemoteCodeExecution], call_args:TaintSink[RemoteCodeExecution], stdin, stdout, stderr)
-def sh.oproc.__init__(self, command:TaintSink[RemoteCodeExecution], parent_log, cmd:TaintSink[RemoteCodeExecution], stdin, stdout, stderr, call_args:TaintSink[RemoteCodeExecution], pipe, process_assign_lock)
-def sh.SelfWrapper.__init__(self, self_module: TaintSink[RemoteCodeExecution], baked_arg: TaintSink[RemoteCodeExecution])
+def sh.sh.command.__init__(self, path:TaintSink[ExecArgSink], search_paths:TaintSink[ExecArgSink]):...
+def sh.sh.RunningCommand.__init__(self, cmd:TaintSink[ExecArgSink], call_args:TaintSink[ExecArgSink], stdin, stdout, stderr):...
+def sh.sh.OProc.__init__(self, command:TaintSink[ExecArgSink], parent_log, cmd:TaintSink[ExecArgSink], stdin, stdout, stderr, call_args:TaintSink[ExecArgSink], pipe, process_assign_lock):...
+def sh.sh.which(program:TaintSink[ExecArgSink], paths:TaintSink[ExecArgSink]):...
+def sh.sh.SelfWrapper.__init__(self, self_module:TaintSink[ExecArgSink], baked_arg:TaintSink[ExecArgSink]):...